An attacker logged into the RDP honeypot and quickly ran Ako ransomware. The attacker opened the Defender GUI to disable it, but a bot from the previous day had already disabled it. The attacker then dropped Locker.exe, ran it, and logged off before execution had completed. Locker.exe is also known as Ako and MedusaLocker Reborn. See the information on Ako ransomware, the timeline of the attack, the summary, and the IOCs below.