Ako Ransomware Abusing Windows API Calls To Detect Infected System Locations


Jan 13, 2025 - 12:27

Ako, commonly referred to as MedusaReborn, is a C++-based ransomware strain that has been active since January 2020.

It functions under the Ransomware-as-a-Service (RaaS) business model, enabling several adversaries to utilize it in exchange for a portion of their earnings from successful attacks.

In contrast to many ransomware strains that target individual workstations, Ako maximizes its impact by targeting entire networks. 

Many of its characteristics, such as its defensive behavior and its deliberate selection of particular machines for encryption, mark it as a variant of MedusaLocker.

Researchers recently found that the Ako ransomware uses Windows API calls to perform environment reconnaissance and identify the infected system's location.

Abusing Windows API Calls To Identify Location

The first step downloads the sample to memory and saves it to disk in two separate scenarios, to test whether network and endpoint controls can prevent known malicious samples from being delivered.

Process injection is then carried out: memory is allocated in a running process, shellcode is written to that memory region, and VirtualProtect is used to change the region's memory protection.

It then performs system language discovery by calling the GetSystemDefaultLCID, GetLocaleInfoA, and GetUserDefaultLocaleName Windows API functions.

AttackIQ states that the attack phase uses vssadmin.exe to delete volume shadow copies and, if that fails, falls back to Windows Management Instrumentation (WMI) commands.

If that succeeds, it discovers the network configuration, makes registry changes to allow access to mapped network drives, and uses Windows API calls to conduct network reconnaissance.
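The locale queries above are in-process API calls that ordinary process telemetry does not record, but the vssadmin-then-WMI shadow copy deletion does leave process-creation events. As an added example (not from the article or from AttackIQ), the Python below runs simple detection logic over constructed Sysmon-style events, flagging both deletion paths and the parent process that attempted both; all file paths and command lines are constructed samples.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1), not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "cmdline": 'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin.exe list shadows"},  # benign: enumeration only, must not fire
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe report.txt"},
]

# Each rule: (name, image filename regex, command-line regex); matching is case-insensitive.
RULES = [
    ("vssadmin_delete_shadows", r"vssadmin\.exe$", r"\bdelete\b.*\bshadows\b"),
    ("wmic_shadowcopy_delete", r"wmic\.exe$", r"\bshadowcopy\b.*\bdelete\b"),
    ("powershell_win32_shadowcopy_delete", r"powershell\.exe$", r"win32_shadowcopy.*\.delete\(\)"),
]

def match_rule(event, rule):
    _, image_re, cmd_re = rule
    return (re.search(image_re, event["image"], re.I) is not None
            and re.search(cmd_re, event["cmdline"], re.I) is not None)

def detect_shadow_copy_deletion(events):
    """Return one finding per event that matches a shadow-copy deletion rule."""
    findings = []
    for ev in events:
        for rule in RULES:
            if match_rule(ev, rule):
                findings.append({"rule": rule[0], "parent": ev["parent"], "cmdline": ev["cmdline"]})
                break
    return findings

def parents_with_fallback(findings):
    """Parents that triggered more than one distinct rule: the vssadmin-then-WMI
    fallback sequence is a stronger signal than either technique alone."""
    by_parent = {}
    for f in findings:
        by_parent.setdefault(f["parent"], set()).add(f["rule"])
    return sorted(p for p, rules in by_parent.items() if len(rules) > 1)

if __name__ == "__main__":
    found = detect_shadow_copy_deletion(SAMPLE_EVENTS)
    for f in found:
        print(f["rule"], "<-", f["parent"], ":", f["cmdline"])
    print("fallback sequence seen from:", parents_with_fallback(found))
```

On the constructed events the first three fire, the `list shadows` enumeration and notepad do not, and the single parent that tried all three deletion paths is reported by `parents_with_fallback`.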

Impact & Discovery – Local Network Discovery

The next step enumerates disks, folders, and files and encrypts them with AES-256 in CBC mode combined with RSA.

Ako Ransomware Encryption

The behaviors were recorded by Hybrid-Analysis on September 25, 2024, and served as the basis for the evaluation template.

Ransomware attacks are best prevented and detected by EDR/AV policies.

Using the information in this assessment, you can focus your teams on important security outcomes, adjust your security controls, and improve the overall efficacy of your security program against a recognized and dangerous threat.


The post Ako Ransomware Abusing Windows API Calls To Detect Infected System Locations appeared first on Cyber Security News.