
Ako Ransomware Exploits Windows APIs to Target Your System

Ako ransomware, a C++-based ransomware-as-a-service (RaaS) variant of MedusaLocker, emerged in 2020 and uses techniques such as targeted machine isolation and evasive maneuvers to encrypt victim systems.

Under the RaaS model, Ako is leased to affiliates who deploy it in exchange for a share of the ransom payments. This points to a potential for widespread exploitation and persistent threat activity from the many actors who can obtain this readily available ransomware tool.

The Ako ransomware attack graph depicts a multi-stage infection process. Initial access is achieved by exploiting vulnerabilities in Remote Desktop Protocol (RDP) or weaknesses in email security gateways.

Once a foothold is established, lateral movement follows through the abuse of legitimate administrative tools such as PsExec and WMI.

The ransomware then encrypts critical files on compromised systems, including those on network shares, while disabling security services and deleting shadow copies to hinder recovery efforts.

Sequence of behaviors

The attack begins with the Ingress Tool Transfer technique: malicious code is downloaded and saved to the system, bypassing network and endpoint security controls that might otherwise block it.

Next, the Process Injection technique is used to execute the malicious code within the memory space of a legitimate process, evading detection by security tools that trust that process.

The System Location Discovery technique uses Windows API calls such as GetSystemDefaultLCID, GetLocaleInfoA, and GetUserDefaultLocaleName to gather information about the system's language settings.

According to AttackIQ, this information is collected to support the later stages of the attack, potentially to target specific vulnerabilities or to tailor the attack to the victim's location.

Impact

In the first stage, the attacker prevents the system from recovering by erasing volume shadow copies with vssadmin.exe and wmic.exe, and then modifies registry settings to enable access to mapped network drives.

After that, network reconnaissance is carried out through API calls such as GetAdaptersInfo and IcmpSendEcho.

In the second stage, the attacker discovers and enumerates local drives, directories, and files using GetLogicalDriveStringsW, FindFirstFileW, and FindNextFileW. Finally, the ransomware encrypts the targeted files in place using a combination of RSA and AES-256 in CBC mode, impacting data availability.

To combat this threat effectively, prioritize the Ingress Tool Transfer, Process Injection, Inhibit System Recovery, and Data Encrypted for Impact techniques. Use endpoint and network security controls to detect native utilities such as PowerShell downloading malicious payloads.

Identify compromised processes by monitoring legitimate applications for unusual behavior. Implement behavior prevention on endpoints and strengthen privileged account management.

Detect the deletion of Volume Shadow Copies by analyzing command-line activity. Maintain data backups, harden operating system settings, and enforce proper user account management.
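One way to act on the command-line analysis recommended above, as an added example that is not part of the article or of AttackIQ's attack graph: a small detector that scans process-creation events for the vssadmin.exe and wmic.exe shadow copy deletions the article names. The events below are constructed samples, not real telemetry, and the rule names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (Windows 4688 / Sysmon-style),
# not real telemetry. Each tuple: (parent image, image path, command line).
SAMPLE_EVENTS = [
    ("explorer.exe", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin list shadows"),
    ("cmd.exe", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin.exe delete shadows /all /quiet"),
    ("cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
     "wmic shadowcopy delete"),
    ("svchost.exe", r"C:\Windows\System32\notepad.exe",
     r"notepad.exe C:\Users\a\notes.txt"),
]

# Command-line patterns for the two shadow copy deletion methods the article
# names (Inhibit System Recovery). Rule names are this example's own.
RULES = {
    "vssadmin_delete_shadows":
        re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadowcopy_delete":
        re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
}


@dataclass
class Alert:
    rule: str
    parent: str
    image: str
    command_line: str


def detect_shadow_copy_deletion(events):
    """Return one Alert per event whose command line matches a rule.

    Matching is done on the arguments rather than the image name alone,
    because 'vssadmin list shadows' is benign while the image is identical.
    """
    alerts = []
    for parent, image, cmdline in events:
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                alerts.append(Alert(name, parent, image, cmdline))
                break  # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{a.rule}] parent={a.parent} cmd={a.command_line!r}")
```

In a real deployment the parent process is worth keeping in the alert, since shadow copy deletion launched from a shell spawned by an office or mail application is far more suspicious than one launched by a backup agent.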
