Menu
Browse

Cyber Threat Actor: AKO

Actor Type Location Known Incidents
 Icon
Crime Syndicate
Russia
1 incident
Profile

AKO is a ransomware group known by that alias and is reported to operate from Russia. The actors employ a double extortion model in which they first exfiltrate sensitive data from a victim’s network and then deploy ransomware to encrypt systems. They maintain a Tor‑based leak site where they publish samples of stolen data to pressure victims into paying both a decryption fee and a separate fee for the deletion of the exfiltrated files. Publicly attributed activity shows that AKO targets organizations across multiple sectors, including healthcare providers, private businesses, and educational institutions, with victims located both inside and outside the United States. Their strategic objective appears to be financial gain, as evidenced by ransom demands that reach hundreds of thousands of dollars and the explicit threat to release or sell stolen information if payment is not received.

The group's tactics involve the use of Ako ransomware to lock victim systems after data has been copied. Exfiltrated material is typically comprised of unencrypted files such as PDFs and scanned documents, which may contain personal health information, financial records, and other sensitive corporate data. AKO has been observed posting unredacted screenshots of stolen content on their leak site to demonstrate the seriousness of their threats. In the notable incident affecting a Massachusetts‑based pain management practice in May 2020, the attackers exfiltrated over four gigabytes of data, including patient names, diagnoses, Social Security numbers, insurance details, billing records, and copies of checks, and they demanded a $350,000 payment for decryption while threatening further leaks if a deletion fee was not paid.

While AKO aligns with the broader Maze ransomware model—adopting the naming and data‑dumping approach used by groups such as DoppelPaymer, Nefilim, and REvil—no public sources have linked the group to a state sponsor or a specific criminal consortium. The available information describes them as financially motivated cybercriminals who rely on ransomware and data leak sites to monetize intrusions, without any indication of espionage or disruptive objectives beyond monetary extortion.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source