Staying on top of the latest in malware threats – including ransomware trends – is a big part of keeping your organization secure.
From a DLP perspective, guarding against ransomware is a large part of the value a Data Loss Prevention (DLP) system provides. At ITsMine, we’ve seen a sharp increase in instances of the Ako ransomware strain, and if you’re not yet an ITsMine customer, it’s important to familiarize yourself with this threat.
What is Ako Ransomware?
Ako Ransomware gained global attention towards the end of 2019. It is a data-encrypting Trojan related to MedusaLocker, a similarity that has led some to call it “MedusaReborn”, even though the ransomware’s creators denied the connection in a response to BleepingComputer.
One of the biggest dangers around Ako is that it infects and shuts down entire networks, rather than just individual workstations.
According to one of the original complainants – whose network had been infected – “it moved from the originally infected Windows 10 desktop (running Avast) to the Windows SBS 2011 Server”. The person also noted that the ransomware actually stopped Windows Defender and prevented it from starting again, that multiple files all over the server were encrypted, and perhaps most disturbing, “Defender, Avast, Trend Micro, ClamAV, and Spybot could not identify any infected files…”.
Once all files are encrypted by the ransomware, a .txt ransom note appears on desktops. It links to a Tor payment site, and the demand is usually in the region of $2,000 to $10,000. Note that even if the ransom is paid, the attackers have already exfiltrated data.
How Ako Ransomware Spreads
At first, it was unclear how Ako Ransomware was spreading; the initial assumption was compromised Remote Desktop services.
Now that further information has come to light, it has been confirmed that the spread is via spam or phishing emails. BleepingComputer reports that emails with subject lines such as “Agreement 2020 #1775505” are sent to users in an organization, carrying a password-protected zip file along with the password to open it. The body of the email contains simple text such as “Here is your agreement as requested”. The extracted archive contains an executable file renamed to “agreement.scr”; once it is executed, the ransomware is installed.
Password-protecting the archive is a deliberate move to help the payload evade common security tools: gateway security programs and antivirus scanners cannot inspect the contents of an encrypted archive, so the payload passes through them unexamined.
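As an added illustration (written for this post, not ITsMine’s code), the following Python triages an attachment the way a mail gateway could, reading only the zip headers: a password-protected archive that holds an .scr or other directly executable file has exactly the shape of the Ako lure. The sample archive is constructed inline with a harmless placeholder in place of the payload.

```python
import io
import struct
import zipfile

# Extensions Windows launches as programs; .scr (screensaver) is what Ako used.
EXECUTABLE_EXTS = (".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

def inspect_attachment(data: bytes) -> dict:
    """Triage a zip attachment from its headers alone, without a password.
    Flags entries Windows would run and whether any entry is encrypted
    (general-purpose flag bit 0), which is what a gateway scanner cannot
    see past; the combination is what the Ako lure looks like."""
    findings = {"entries": [], "executables": [], "encrypted": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            findings["entries"].append(info.filename)
            if info.flag_bits & 0x1:
                findings["encrypted"] = True
            if info.filename.lower().endswith(EXECUTABLE_EXTS):
                findings["executables"].append(info.filename)
    findings["quarantine"] = findings["encrypted"] and bool(findings["executables"])
    return findings

def build_sample_lure(encrypted: bool = True) -> bytes:
    """Constructed stand-in for the lure: a zip holding agreement.scr whose
    headers carry the encryption flag. The entry's bytes are a harmless
    placeholder, not an executable and not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("agreement.scr", b"placeholder text, not a real program")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Set bit 0 of the flags word in the local header (offset 6) and the
        # central directory header (offset 8); ZipFile reads the latter.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            flags, = struct.unpack_from("<H", raw, pos + off)
            struct.pack_into("<H", raw, pos + off, flags | 0x1)
    return bytes(raw)

if __name__ == "__main__":
    print(inspect_attachment(build_sample_lure()))
```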
Ako Ransomware: Keeping Yourself Protected
When it comes to Ako Ransomware, or indeed malware of any kind, there are two broad categories of tools for keeping yourself and your users protected: manual means and technological means.
Manual means include controls and permissions. Most important here are awareness and education, which also happen to be the most difficult to execute: users have to be taught not to open suspicious emails, and certainly not to open the files attached to them. They should be educated on the basics of phishing and on the dangers of threats such as ransomware.
Technological means include adding a Data Loss Prevention system such as ITsMine’s Beyond DLP™. With this technology on your side, you are automatically protected against both internal and external threats.
Uniqueness of ITsMine’s Ransomware Protection
In general, ransomware protection today is done on the endpoint, starting with Microsoft Windows 10’s built-in ransomware protection, using a whitelist of processes so that only those processes are able to change files on the computer. More advanced tools such as CrowdStrike enhance this approach.
Then there are anti-virus solutions. These are less effective against ransomware because signature-based detection struggles to keep up with the rapidly changing nature of malware; if the ransomware is new, traditional anti-virus products will fail to identify it.
Further, for any of these “traditional” protections to work at all, systems and servers must be patched to the latest versions, which is a challenging task.
Here’s the crux: doing all of the above is incredibly important. However, it can only be done on managed machines; an unmanaged machine, or an IoT device, can be impossible for these more traditional systems to protect.
This is where ITsMine comes in. ITsMine’s Beyond DLP is the only Data Loss Prevention solution to protect against ransomware as a last line of defense.
The solution can isolate managed or unmanaged devices when they encrypt files on the file storage system (on-premises or in the cloud). It does this by tracking thousands of software mines (or sensors) placed in the file storage: if any device is encrypting data, changing data (as next-generation ransomware increasingly does) or detecting data, ITsMine’s Beyond DLP will isolate that device.
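An added illustration of the decoy-file approach described above, written for this post rather than taken from ITsMine’s product: it plants “mine” files on a share, records their hashes, and on each check flags any mine that has been renamed or rewritten, using byte entropy to tell encryption from an ordinary edit. The file names, the entropy threshold of 7.0 and the isolation decision are assumptions, and the simulated encryptor only touches files inside a temporary directory.

```python
import hashlib
import math
import os
import tempfile

def plant_mines(root: str, count: int = 3) -> dict:
    """Drop decoy files in `root` and record their SHA-256 (assumed names)."""
    baseline = {}
    for i in range(count):
        # Names sort early and look valuable so a mass encryptor hits them first.
        path = os.path.join(root, f"_000{i}_budget_backup.xlsx")
        data = f"decoy spreadsheet {i}\n".encode() * 64
        with open(path, "wb") as f:
            f.write(data)
        baseline[path] = hashlib.sha256(data).hexdigest()
    return baseline

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits well below 6, encrypted data approaches 8."""
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))

def check_mines(baseline: dict) -> dict:
    """Re-read every decoy; no legitimate user opens them, so any change counts."""
    verdict = {"tripped": [], "isolate": False}
    for path, digest in baseline.items():
        if not os.path.exists(path):
            verdict["tripped"].append((path, "missing_or_renamed"))
            continue
        with open(path, "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() != digest:
            # High entropy marks encryption rather than an ordinary edit.
            kind = "encrypted" if shannon_entropy(data) > 7.0 else "modified"
            verdict["tripped"].append((path, kind))
    verdict["isolate"] = bool(verdict["tripped"])  # cut the writing device off
    return verdict

def simulate_encryptor(baseline: dict) -> None:
    """Constructed stand-in for ransomware: overwrite one decoy, rename another."""
    paths = sorted(baseline)
    with open(paths[0], "wb") as f:
        f.write(os.urandom(4096))
    os.rename(paths[1], paths[1] + ".locked")

def demo() -> tuple:
    """Returns (verdict before, verdict after) the simulated encryptor runs."""
    with tempfile.TemporaryDirectory() as share:
        baseline = plant_mines(share)
        before = check_mines(baseline)
        simulate_encryptor(baseline)
        return before, check_mines(baseline)
```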
Installation is quick and easy, its unique architecture makes it affordable for businesses of all sizes, and most importantly it’s highly effective at keeping you protected.
To find out more about Ako Ransomware, to get the most effective DLP solution or to discuss your DLP needs, get in touch with us.