The SonicWall Capture Labs Threat Research Team has recently come across a new variant of Ako ransomware. The malware spreads via spam email and shares similarities with MedusaLocker. This has led many to believe that the malware is a variant of MedusaReborn. However, the operators have reportedly denied this claim and state that Ako is their own creation. The malware demands $3000 USD in Bitcoin for file retrieval. The operators run a website hosted behind Tor to facilitate file decryption for its victims.
Infection Cycle:
Upon infection, the malware encrypts files and appends <.random{6}> to their filenames, e.g. finance.docx.C564Ec
The following files are dropped into directories where files were encrypted:
- ako-readme.txt
- id.key
ako-readme.txt contains the following text:
id.key contains the public key used to encrypt files.
During the encryption process, the following file types are ignored:
- .exe, .dll, .sys, .ini, .lnk, .key, .rdp
Folders containing the following strings are also skipped:
- Appdata
- Program files
- Program Files (x86)
- Appdata
- boot
- Perflogs
- Programdata
- Intel
- Microsoft
- Application data
- Tor browser
- Windows
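The indicators above (the appended six-character suffix plus ako-readme.txt and id.key dropped into every affected directory) are enough to triage which directories and files were touched during incident response. The script below is an added example, not SonicWall's code: it walks a tree, only counts a directory as affected when both dropped files are present (a six-character suffix on its own, such as `.backup`, is a common false positive), and tallies the suffixes seen so they can be checked against the registry value the malware writes. The character set of the suffix is an assumption; the page shows only one sample value.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators reported for Ako: the ransom note and key file dropped into every
# directory where files were encrypted, and a six-character suffix appended
# to each encrypted file name (e.g. finance.docx.C564Ec).
NOTE_NAME = "ako-readme.txt"
KEY_NAME = "id.key"
# Assumption: the random suffix is six alphanumeric characters. The page only
# shows one sample (C564Ec), so the exact character set is not confirmed.
SUFFIX_RE = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9]+)\.(?P<suffix>[A-Za-z0-9]{6})$")


def triage(root: str) -> dict:
    """Walk `root` and report directories carrying both dropped files, the
    files in them whose names match the appended-suffix pattern, and a tally
    of the suffixes observed (a real infection shows one dominant value)."""
    hits = {"note_dirs": [], "encrypted": [], "suffix_counts": {}}
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        if not (NOTE_NAME in names and KEY_NAME in names):
            # No dropped indicators: do not trust a lone six-char suffix here.
            continue
        hits["note_dirs"].append(dirpath)
        for name in files:
            if name in (NOTE_NAME, KEY_NAME):
                continue
            m = SUFFIX_RE.match(name)
            if m:
                hits["encrypted"].append(os.path.join(dirpath, name))
                suffix = m.group("suffix")
                hits["suffix_counts"][suffix] = hits["suffix_counts"].get(suffix, 0) + 1
    return hits


def build_sample_tree() -> str:
    """Constructed sample tree (not real victim data) so the demo runs offline."""
    root = tempfile.mkdtemp(prefix="ako_triage_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "finance.docx.C564Ec").write_bytes(b"\x00" * 16)
    (docs / "notes.txt.C564Ec").write_bytes(b"\x00" * 16)
    (docs / NOTE_NAME).write_text("constructed ransom note placeholder")
    (docs / KEY_NAME).write_text("constructed key placeholder")
    (docs / "readme.md").write_text("untouched file")
    # A directory without the dropped files: its .backup suffix is six
    # alphanumerics but must not be reported as encrypted.
    downloads = Path(root, "Downloads")
    downloads.mkdir()
    (downloads / "old.txt.backup").write_text("legitimate backup copy")
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(f"affected directories: {result['note_dirs']}")
    print(f"encrypted files: {len(result['encrypted'])}")
    print(f"suffixes seen: {result['suffix_counts']}")
```

The suffix tally is the useful cross-check: the same value is recorded under the `aid` registry value described below, so a mismatch between the two points at either a false positive or a second infection.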
Each encrypted file is given the following infection marker (CECAEFBE):
The following keys are added to the registry:
- HKEY_CURRENT_USER\Software\akocfg aid ".<random{6}>"
- HKEY_USERS\S-1-5-21-3032013890-123666948-3153623785-1001\Software\akocfg aid ".<random{6}>"
The following commands are executed to delete shadow copies of files and to disable any possibility of system recovery and repair:
- vssadmin.exe Delete Shadows /All /Quiet
- bcdedit.exe /set {default} recoveryenabled No
- bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
- wbadmin DELETE SYSTEMSTATEBACKUP
- wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
- wmic.exe SHADOWCOPY /nointeractive
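These recovery-inhibition commands are the most reliable endpoint detection opportunity in the chain, because they are rarely run in quick succession by a legitimate process. The following is an added detection example (not SonicWall's signature or code) that matches process-creation command lines against the commands listed above and groups hits per host, so that several distinct rules firing on one host stands out from a lone administrator running `vssadmin list shadows`. The log format and the log lines are constructed for the demo; the rule names are hypothetical.

```python
import re

# Rules derived from the commands listed above. Command lines are lower-cased
# and "/ flag" is collapsed to "/flag" before matching, so spacing variants
# such as "/ All" still hit.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*/all"),
    "bcdedit_recovery_off": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no"),
    "bcdedit_ignore_failures": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures"),
    "wbadmin_delete_systemstate": re.compile(r"wbadmin(\.exe)?\s+delete\s+systemstatebackup"),
    "wmic_shadowcopy": re.compile(r"wmic(\.exe)?\s+shadowcopy\b.*(delete|/nointeractive)"),
}

# Constructed process-creation log (hypothetical "key=value" format, not a
# real telemetry export). WS-17 shows the ransomware burst; the other two
# lines are benign administrative use that must not fire.
SAMPLE_LOG = r"""
2020-01-14T10:02:11Z host=WS-17 parent=C:\Users\alice\AppData\Local\Temp\update.exe cmd=vssadmin.exe Delete Shadows / All / Quiet
2020-01-14T10:02:11Z host=WS-17 parent=C:\Users\alice\AppData\Local\Temp\update.exe cmd=bcdedit.exe /set {default} recoveryenabled No
2020-01-14T10:02:12Z host=WS-17 parent=C:\Users\alice\AppData\Local\Temp\update.exe cmd=wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
2020-01-14T10:02:12Z host=WS-17 parent=C:\Users\alice\AppData\Local\Temp\update.exe cmd=wmic.exe SHADOWCOPY /nointeractive
2020-01-14T10:05:00Z host=WS-22 parent=C:\Windows\explorer.exe cmd=vssadmin.exe List Shadows
2020-01-14T10:07:30Z host=SRV-01 parent=C:\Windows\System32\svchost.exe cmd=wbadmin GET VERSIONS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$")


def normalise(cmd: str) -> str:
    """Lower-case and remove whitespace between a slash and its switch name."""
    return re.sub(r"/\s+", "/", cmd).strip().lower()


def detect(log_text: str) -> list:
    """Return one hit per (log line, rule) pair for every matching command."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        cmd = normalise(m.group("cmd"))
        for rule, pattern in RULES.items():
            if pattern.search(cmd):
                hits.append({"ts": m.group("ts"), "host": m.group("host"),
                             "parent": m.group("parent"), "rule": rule,
                             "cmd": m.group("cmd")})
    return hits


def summarize(hits: list) -> dict:
    """Map each host to the sorted list of distinct rules it triggered."""
    per_host = {}
    for h in hits:
        per_host.setdefault(h["host"], set()).add(h["rule"])
    return {host: sorted(rules) for host, rules in per_host.items()}


if __name__ == "__main__":
    for h in detect(SAMPLE_LOG):
        print(f"{h['ts']} {h['host']} {h['rule']}: {h['cmd']} (parent {h['parent']})")
    for host, rules in summarize(detect(SAMPLE_LOG)).items():
        print(f"{host}: {len(rules)} distinct recovery-inhibition rules")
```

In a real deployment the parent process is worth keeping in the alert: a user-writable path such as a Temp directory spawning these commands is far more suspicious than a backup agent doing so.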
The ransom note contains the following Tor address:
- http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion/U0T9NR3RCU3PNABN
The address leads to the following site hosted on the Tor network:
After entering the unique key from the ransom note, the following page is presented which states that 0.2932 BTC (approx $3000 USD at this time) is required to restore files:
Activity recorded for the supplied BTC address (1Ag76nHNv1mPUf3Qki1EnoHgV4Cbt6dLft) suggests that the operators may have been successful in their endeavours:
SonicWall Capture Labs provides protection against this threat via the following signature:
- GAV: Ako.RSM (Trojan)
This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.
** Optrics Inc. is a Registered SonicWall partner
The original article can be found here:
https://securitynews.sonicwall.com/xmlpost/ako-ransomware-demands-3000-operators-hide-behind-tor/