Ako, also known as MedusaReborn, is a ransomware strain that operates under a Ransomware-as-a-Service model, targeting entire networks since January 2020. It shares similarities with MedusaLocker and employs various techniques for execution and encryption. Security teams are encouraged to validate their defenses against this threat using the AttackIQ Security Optimization Platform. Affected: Ako, MedusaLocker
Keypoints :
- Ako ransomware is a variant of MedusaLocker.
- It operates under a Ransomware-as-a-Service (RaaS) model.
- Active since at least January 2020.
- Targets entire networks rather than individual systems.
- Utilizes various techniques for execution, discovery, and encryption.
- Security teams can evaluate their defenses using AttackIQ’s assessment template.
MITRE Techniques :
- Ingress Tool Transfer (T1105): Downloads malicious samples to memory and disk.
- Process Injection (T1055): Injects shellcode into a running process.
- System Location Discovery (T1614): Executes Windows API calls to discover system locale.
- Inhibit System Recovery (T1490): Deletes Volume Shadow Copies using vssadmin.exe and WMI commands.
- Modify Registry (T1112): Modifies registry to allow access to mapped network drives.
- System Network Configuration Discovery (T1016): Retrieves adapter information from the local computer.
- Remote System Discovery (T1018): Executes IcmpSendEcho to discover local networks.
- Peripheral Device Discovery (T1120): Retrieves information about physical disks.
- File and Directory Discovery (T1083): Enumerates the file system using Windows API calls.
- Data Encrypted for Impact (T1486): Encrypts files using RSA and AES-256 algorithms.
Indicator of Compromise :
- [file name] vssadmin.exe
- [file name] wmic.exe
- [file name] cmd.exe
- [file name] powershell.exe
- [others ioc] AttackIQ Security Optimization Platform
- Check the article for all found IoCs.
Full Research: https://www.attackiq.com/2025/01/09/emulating-ako-ransomware/