Security researchers observed that Ako ransomware is using malicious spam attachments to go after organizations’ networks.
On January 14, AppRiver Senior Cybersecurity Analyst David Pickett contacted Bleeping Computer and told the computer self-help site that his company had observed Ako being distributed via spam email.
Using subject lines such as “Agreement 2020 #1775505,” the attack emails instructed recipients to open a password-protected .zip archive in order to view an agreement. That archive contained an executable named “agreement.scr” that installed the ransomware upon execution.
Bleeping Computer first covered Ako ransomware on January 10 after a victim posted on the website’s forums about a new ransomware strain that had encrypted their Windows 10 desktop and Windows SBS 2011 server.
SentinelLabs’ Vitali Kremez analyzed the ransomware and found that it shared certain similarities with MedusaLocker, leading some to refer to the threat as “MedusaReborn.” But the malware authors who created the new crypto-malware strain denied any connection to MedusaLocker and said that Ako was their own product. Those individuals also confirmed that they stole data prior to Ako encrypting users’ files.
At the conclusion of its encryption routine, Ako dropped a ransom note informing victims that their “network have been locked [sic].”
Lawrence Abrams, creator and owner of Bleeping Computer, explains that Ako’s distribution method highlights the importance of organizations taking steps to defend themselves against malicious spam attachments. As quoted in his blog post:
As spam is being used to spread the Ako Ransomware, everyone must be trained on how to properly identify malicious email and not open any attachments without first confirming who sent them and why. This is especially true for email attachments that are in password-protected archives as they are commonly used to avoid being detected by secure email gateways and antivirus software.
Organizations can begin this process by educating their employees about some of the most common types of phishing attacks in circulation today. They should complement this training by working to prevent a ransomware infection in the first place.
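As an added example (not code from the article, Bleeping Computer or AppRiver), the following metadata-only check flags the attachment pattern the article describes: a password-protected ZIP whose members include a Windows executable such as “agreement.scr.” The function names, the extension list and the sample archive built by `build_sample` are all constructed for this illustration; the sample holds placeholder bytes with the encryption flag set, not a real Ako payload.

```python
import io
import struct
import zipfile

# Extensions that execute as native code or scripts when opened on Windows.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flag word


def inspect_zip_attachment(data: bytes) -> dict:
    """Inspect a ZIP attachment (bytes) using only its metadata.

    Returns 'encrypted' (any member is password-protected), 'executables'
    (member names with risky extensions) and 'suspicious' (both at once,
    the combination used by the Ako lure). No password is needed."""
    findings = {"encrypted": False, "executables": [], "suspicious": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & ENCRYPTED_FLAG:
                    findings["encrypted"] = True
                name = info.filename.lower()
                if any(name.endswith(ext) for ext in EXECUTABLE_EXTS):
                    findings["executables"].append(info.filename)
    except zipfile.BadZipFile:
        findings["error"] = "not a valid zip"
        return findings
    findings["suspicious"] = findings["encrypted"] and bool(findings["executables"])
    return findings


def build_sample(member_name: str, encrypted: bool) -> bytes:
    """Constructed test input (hypothetical, not a real Ako sample): a
    one-member ZIP holding placeholder bytes. With encrypted=True the
    encryption bit is set in the local and central headers, which is all
    a metadata-only scanner sees for a password-protected archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, b"placeholder content")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Flag word sits at offset 6 of the local header and offset 8 of the
        # central directory header; patch both so all readers agree.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            flags = struct.unpack_from("<H", raw, pos + off)[0]
            struct.pack_into("<H", raw, pos + off, flags | ENCRYPTED_FLAG)
    return bytes(raw)
```

A gateway can apply this without the archive password, which is exactly why the encrypted-plus-executable combination is worth quarantining or routing for manual review rather than waving through unscanned.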