This ransomware demands extra payment from infected users for not leaking stolen files online


AKO ransomware demands a second payment over and above the ransom for deleting stolen files

Who says crime doesn’t pay! Especially if you can change the endgame all together. Earlier, ransomware operated on a simple SOP. They infect and encrypt files – You Pay – they decrypt. All this changed when ransomware makers started claiming to steal data before encrypting the infected computer or network and then threatening to release the data if a victim does not pay.

However, nobody did that. Not until Maze Ransomware authors released the data online after the Allied Universal refused to pay the ransom. Since then ransomware makers have applied this modus operandi to extort from their victims.

Now the ransomware makers have evolved even further and applied this fine art of extortion to finesse. The new AKO ransomware now demands two ransoms. One for decrypting the victim’s data and the second one to delete the stolen files.

Ako ransomware

Ako follows a Ransomware-as-a-Service model to extort ransom. Ako targets businesses and companies instead of individuals. It uses emails as a propagation mechanism and quickly spreads across networks. The email contains an attachment which is a password protected zip file named ‘’. Upon the extraction of this zip file, ‘agreement.scr’ is dropped which is an executable file responsible for ransomware payload.

This ransomware is written in Microsoft Visual C/C++. Ako drops a ransom note ‘’ ako-readme.txt’ in every folder which contains an infected file. Along with the ransom note, it also drops an ‘id.key’ file. Through the ransom note, it informs the victims that their network has been locked. Like other ransomware, it doesn’t provide the victim with email id. Rather it provides them a link to a website that can be accessed through ‘Tor Browser’ and even guides them on how to download it.

Now Ako has changed its tactics. A new leak site created by the Ako makers indicates that some companies are required to pay both a ransom payment for the decryptor and a separate amount to delete stolen files. They have given an example of one of their victims and stated that they received a $350,000 payment for the decryptor, but released the files anyway after not receiving a payment to delete stolen files.

AKO ransomware demands a second payment over and above the ransom for deleting stolen files

Ako ransomware operators told BleepingComputer that this double-extortion tactic is only used on certain victims depending on the size of the company and the type of data that was stolen.

“Company with big revenue scared when we talk about stolen files. so its motivation for other companies what need pay”,

Ako operators

Ako ransomware can be removed by restoring the Windows PCs and Laptops to an earlier safe point. Companies and businesses have no other alternative but to pay both the ransoms as their sensitive information may be leaked by the Ako makers. You can follow the entire procedure for removal of Ako ransomware here.


About Author

"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." Eric Schmidt

Notify of
Inline Feedbacks
View all comments