Article
AKO Ransomware – Analysis
Arete Analysis
Summary
Since January 2020, Arete’s Incident Response (IR) team has responded to various AKO ransomware engagements against organizations in the finance, healthcare, and manufacturing sectors. Below we share observations on AKO’s ransom demands, initial access vectors, and operating model, as well as recommendations to protect against cyber threats like AKO.
—————————————————————————
Statistical Data on AKO ransomware from Arete’s metrics
The information listed below is based on AKO cases investigated by Arete IR since January 2020. Our IR and Data Analytics practices work together to track key data points for every ransomware engagement. Our IR practice tracks data points on the ransomware variant and collects statistics based on handled engagements:
Arete has responded to AKO cases since January 2020 in the Finance, Healthcare, and Manufacturing sectors
The average ransom demand is 8 BTC
The maximum ransom demand paid in US dollars has been $150,000
The minimum ransom demand paid in US dollars has been $2,000
Data exfiltration was observed in incidents involving the Healthcare sector
The major infection vector has been Remote Access (RDP) at 67% of the time
Background
AKO ransomware has been around since at least January 2020 and is distributed via a ransomware-as-a-service (RaaS), which mirrors the software-as-a-service (SaaS) model offered by legitimate vendors. Like SaaS, RaaS is offered via cloud-based sub- scription models for a subscription fee and several RaaS groups use a partner, or franchise-like, structure. This structure is where the RaaS operator keeps a percentage of commission from every victim infected through their partners and pays the rest of the extorted funds to the partner or “franchise owner.” What makes the RaaS model so appealing and lucrative is they are specifically built to be easy to use and deploy. Typically, RaaS variants employ a portal where the partner only needs to download the ransom- ware, with no development or coding skills required. Most RaaS models even provide a fully staffed technical and customer support service, like you would find with a legitimate SaaS offering. The support is meant to help the franchise owner or partner get off the ground with their ransomware campaign.
There are various blogs 1-2 that have been written on AKO ransomware, so we will not go into detail in this section. In some of these reports, the malware was observed encrypting files on Windows systems and adding a .m9V742 files extension, Windows Defender is stopped, and the registry modified to prevent the antivirus software from starting again. Some antivirus tools detect the malware as MedusaLocker or MedusaReborn, but the AKO ransomware operators deny association with MedusaLocker and say that AKO is their own product. The threat actors also confirmed that it is part of their job to steal data from the compromised networks.
At the time of this writing, no known free decryptors for this ransomware variant were available.
Recommendations
Install an Endpoint Detection and Response solution with the capability to halt detected processes and isolate systems on the network, based on identified conditions
Block any known attacker C2s in the firewall
Implement a system enforced password policy to force users into changing passwords at least every 90 days
Implement multifactor authentication on RDP and VPN access
If not needed, eliminate vulnerable RDP ports exposed to the internet
Block a high number of SMB connection attempts from one system to others in the network over a short period of time
Perform dark web monitoring periodically to verify if data from the organization is available for sale in the black market
Perform penetration tests
Periodically patch systems and update tools
Monitor connections to the network from suspicious locations
Monitor downloads & uploads of files to file sharing services over non-standard hours, not commonly used in the organization
Monitor uploads of files from domain controllers to the internet
Monitor network scans from uncommon servers (e.g. RDP server)
Sources
Back to Blog Posts
Article
Arete's 2026 Q1 Crimeware Report
Harness Arete’s unique data and expertise on extortion and ransomware to inform your response to the evolving threat landscape.
Article
CMS Vulnerability Leads to ClickFix Campaign
Threat actors compromised at least 700 education and technology websites in a recent ClickFix campaign by exploiting a critical SQL injection flaw (CVE-2026-26980) in the Ghost content management system (CMS). Adversaries combined the vulnerability with the ClickFix social engineering tactic to steal admin keys and inject a malicious JavaScript that delivers a fake Cloudflare or CAPTCHA verification pop-up, tricking victims into copying and pasting a malicious command into their systems.
What’s Notable and Unique
Rather than targeting the end user first, this campaign is unique in its initial exploitation of the system, followed by social engineering attempts. This hybrid attack style is likely being leveraged to bypass traditional defenses.
This recent campaign also highlights how trusted web properties can be weaponized at scale and coupled with unpatched CMS vulnerabilities. Rather than using the CMS compromise to perpetrate a single attack, threat actors turned it into a supply-chain attack that ultimately affected over 700 trusted websites.
Analyst Comments
As network defenders and their tools enhance threat detection capabilities, adversaries increasingly seek methods to bypass these defenses. By combining vulnerability exploitation, social engineering techniques, and staging for ancillary attacks, this campaign successfully bypassed traditional defenses and inflicted significant impact. Defending against hybrid cyberattacks requires comprehensive security controls beyond simply patching vulnerabilities. Organizations should focus on limiting movement within the environment, detecting abuse of trusted applications, and preventing end-user manipulation.
Sources
700+ education and tech websites hijacked in huge ClickFix malware campaign
Under the engineering hood: Why Malwarebytes chose WordPress as its CMS
Think before you Click(Fix): Analyzing the ClickFix social engineering technique
Ghost CMS Vulnerability Exploited to Infect 700 Sites With ClickFix Malware
Article
Threat Actors Leverage Fake JPEG Files for Initial Access
In a recent campaign, researchers observed threat actors using fake JPEG image files as a delivery mechanism to initiate the deployment of additional malicious components. The false JPEG files are typically distributed via phishing emails or other social engineering-based lures, and are actually PowerShell-based malware that deploys a trojanized version of ConnectWise ScreenConnect to establish and maintain persistence in the compromised environment.
What’s Notable and Unique
This campaign leverages JPEG images as the initial lure, where the images are not merely decoys but part of the infection workflow. Victims are typically led to download or open an image that triggers hidden execution logic or redirects them to a payload-delivery sequence that initiates later stages of the intrusion chain.
The attack chain is designed to blend into legitimate environments, making detection more difficult. Execution typically relies on scripted or native Windows components, often including PowerShell or other living-off-the-land binaries, enabling fileless or near-fileless execution and reducing forensic artifacts on disk.
The multistage design ensures that the initial JPEG does not directly contain the full payload but instead triggers retrieval or decryption steps that progressively assemble the final malicious components in memory.
Analyst Comments
This campaign illustrates how threat actors continue to blur the line between legitimate file handling and malicious execution chains, indicating potential overlap with remote management or administrative tooling. The use of JPEG-based staging combined with script-based execution reflects a broader evolution toward a stealth-first intrusion design, in which file formats serve as triggers rather than payload containers.
Sources
OPERATION SILENTCANVAS : JPEG BASED MULTISTAGE POWERSHELL INTRUSION
Podcast
Cyber Risk and Insurance for Law Firms
In this episode of Bytes of Insight, host Vinny Sakore is joined by Laura Zaroski, Managing Director of the Law Firms Group at Gallagher, as they discuss the evolution of cyber risk for law firms. Tune in for firsthand insights on how to select the right cyber policy, the incident response process, and the nuances of ransom payments and sensitive data.