LTS Secure Warning: ACKO Ransomware Strikes Organizations Network Using Spam Attachment

A new ransomware called ACKO has been spotted in the wild, being delivered to its victim as an attachment in spam mails. During the initial analysis of the ransomware, researchers found it to have some similarities the MedusaLocker, causing it to be referred as “MedusaReborn” for a while. Later, the authors of the ransomware denied these connections and claim it their own product.


Technical Details

Flow of ransomware infection:-

  • Upon execution, the ransomware finds and deletes the shadow volume copies along with any recent backups that might be present.
  • Next, it disables the windows recovery environment, before starting the encryption process.
  • During the encryption phase, a file maker CECAEFBE is added to the encrypted files.
  • The ransomware skips files with .exe, .dll, .ini, .lnk, .sys, .key, .rdp extensions.
  • Now, the ransomware starts looking for more connected machines on the network, looking to increase its impact radius.
  • Finally, a ransom note is dropped on the desktop titled “ako-readme.txt



  • Loss of Productivity.
  • Downtime in Business Critical operations.
  • Temporary or Permanent loss of Sensitive/Confidential data.


Recommended Actions

  • Take system back-ups on regular intervals.
  • Avoid Opening emails & attachments from unknown senders.
  • Regularly update your antivirus software & perform malware scans to protect against unknown threats.
  • Make proper security configuration for Firewall/IDS/IPS/Endpoint Protection systems so that no holes are left barred.