AKO is a ransomware family active from at least January 2020. The provided content describes it as a double-extortion operation that initially targeted corporate networks with exposed RDP services, encrypting victim data while also stealing files and demanding an additional payment to delete the stolen data. If victims do not pay, AKO publishes the data on its "Data Leak Blog" leak site. AKO is also discussed alongside MEDUSALOCKER, ThunderX, AVADDON, and RANZY in comparative technical analysis, where it is described as a C++ ransomware family using AES-256-CBC for symmetric encryption and RSA for asymmetric encryption, with a unique encryption key generated per file. It is reported to append the file signature value 0xBEEFCACE in an end-of-file structure. The content further states that AKO shares code and functional similarities with MEDUSALOCKER-related families, uses ICMP-based network discovery, and deletes backups/shadow copies using Windows utilities such as wbadmin, bcdedit.exe, and vssadmin.exe, while also emptying the Recycle Bin. Mandiant analyzed AKO as a MEDUSALOCKER variant, and the content notes that AKO and RANZY reportedly used the same Tor onion shaming site: 7rckgo66iydpvgpwve7b2el5q2zhjw4tv4lmyewufnpx4lhkekxkoqd[.]onion. Additional context indicates AKO-related infrastructure appeared in BraZZZerS fast-flux/proxy logs among multiple malware families, but no AKO-specific indicators beyond that mention are provided.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
4 distinct techniques documented for this family, organized by ATT&CK tactic.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware family listed among BraZZZers clients observed in the logs.
Human-operated ransomware targeting corporate networks (notably via exposed RDP), using double-extortion (encrypt + steal data) and publishing stolen data on a leak site if unpaid.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.