Mallory

Makop

Also known as: Makop

Makop is a ransomware strain first observed around 2020 and is generally treated as a variant of the Phobos ransomware family. It has also been described as linked to the Crysis and Venus ransomware actors.

Makop primarily targets organizations through exposed and insecure Remote Desktop Protocol (RDP) services, commonly using brute-force or dictionary attacks against weak or reused credentials; NLBrute v1.2 has been observed automating RDP password guessing. Recent reporting places victims in India, Brazil, Germany, and South Korea, with Acronis telemetry attributing 55% of observed attacks to India, which points to opportunistic targeting rather than a strict geographic focus.

Makop intrusions typically involve staging tools for network scanning, lateral movement, credential theft, privilege escalation, and defense evasion before encryption begins. Operators have used NetScan, Advanced IP Scanner, Advanced Port Scanner, and Masscan for discovery and scanning; Mimikatz, LaZagne, and NetPass for credential access; and CrackAccount and AccountRestore for brute-forcing additional accounts. Tooling is often dropped on the RDP drive-redirection share (\\tsclient\), which exposes the operator's own drives inside the session, or in user-accessible directories including Music, Downloads, Desktop, Documents, or the root of C:. Staging subfolders such as "Bug" or "Exp." and encryptor filenames including bug_osn.exe, bug_hand.exe, 1bugbug.exe, bugbug.exe, taskmgr.exe, mc_osn.exe, mc_hand.exe, and dot-prefixed variants have been observed.

Makop operators rely heavily on legitimate or dual-use tools for defense evasion. Process Hacker is commonly used, and IOBit Unlocker has also been abused to terminate processes and delete programs. Operators have used Defender Control and Disable Defender to turn off Microsoft Defender, and in some cases deployed tailored uninstall software to remove Quick Heal AV.
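The initial-access and staging pattern described above leaves evidence in the Windows Security log that is straightforward to correlate. The following is an added example, not code from the page or from any vendor: it pairs a burst of RDP password-guessing failures (event 4625) with a later RemoteInteractive logon (4624, LogonType 10) from the same source address, and flags process creations (4688) launched from the \\tsclient\ share, from the user directories named above under one of the observed encryptor names, or from the root of C:. The event dicts, the 20-failures-in-10-minutes threshold, and the sample data are constructed assumptions to tune for your own environment.

```python
r"""Detections for the Makop initial-access pattern: RDP password guessing
followed by an interactive RDP logon, then tooling launched from the RDP
drive-redirection share (\\tsclient\) or user-writable staging directories.

Added example, not code from the page or any vendor. The event dicts mimic
Windows Security log fields; thresholds and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

FAIL_THRESHOLD = 20            # assumed: failures from one IP before we alert
WINDOW = timedelta(minutes=10)  # assumed correlation window
RDP_LOGON_TYPE = "10"          # 4624 LogonType 10 = RemoteInteractive (RDP)

# Staging directories and encryptor names taken from the reporting above.
STAGING_DIRS = ("\\music\\", "\\downloads\\", "\\desktop\\", "\\documents\\")
ENCRYPTOR_NAMES = {"bug_osn.exe", "bug_hand.exe", "1bugbug.exe", "bugbug.exe",
                   "taskmgr.exe", "mc_osn.exe", "mc_hand.exe"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def rdp_bruteforce_then_success(events):
    """Return (ip, n_failures, success_time) for every source IP that logged
    >= FAIL_THRESHOLD 4625 events inside WINDOW and then a 4624 LogonType 10."""
    fails = defaultdict(list)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):   # fixed-width timestamps sort as strings
        t = _ts(ev["time"])
        ip = ev.get("ip")
        if ev["id"] == 4625 and ip:
            fails[ip].append(t)
        elif ev["id"] == 4624 and ip and ev.get("logon_type") == RDP_LOGON_TYPE:
            recent = [f for f in fails[ip] if t - f <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                hits.append((ip, len(recent), ev["time"]))
                fails[ip].clear()          # one alert per guessing burst
    return hits


def suspicious_staging(events):
    r"""Return process paths from 4688 events that run from \\tsclient\, from a
    known staging directory under an observed (possibly dot-prefixed) encryptor
    name, or directly from the root of C:."""
    out = []
    for ev in events:
        if ev["id"] != 4688:
            continue
        path = ev["process"]
        low = path.lower()
        name = ntpath.basename(low)
        if low.startswith("\\\\tsclient\\"):
            out.append(path)                       # anything from the RDP client drive
        elif any(d in low for d in STAGING_DIRS) and name.lstrip(".") in ENCRYPTOR_NAMES:
            out.append(path)                       # taskmgr.exe in Downloads, not System32
        elif low.startswith("c:\\") and low.count("\\") == 1 and low.endswith(".exe"):
            out.append(path)                       # C:\something.exe in the drive root
    return out


# Constructed sample: 25 failures from 203.0.113.7 in ~3 minutes, then an RDP
# logon from it, a single failure from another host, and four 4688 events.
SAMPLE = (
    [{"id": 4625, "time": f"2024-05-01 02:{i // 60:02d}:{i % 60:02d}",
      "ip": "203.0.113.7", "user": "administrator"} for i in range(0, 200, 8)]
    + [{"id": 4624, "time": "2024-05-01 02:04:10", "ip": "203.0.113.7",
        "user": "administrator", "logon_type": "10"},
       {"id": 4625, "time": "2024-05-01 02:05:00", "ip": "198.51.100.4", "user": "svc"},
       {"id": 4624, "time": "2024-05-01 02:06:00", "ip": "198.51.100.4",
        "user": "svc", "logon_type": "10"},
       {"id": 4688, "time": "2024-05-01 02:07:00", "process": "\\\\tsclient\\C\\Bug\\bug_osn.exe"},
       {"id": 4688, "time": "2024-05-01 02:08:00",
        "process": "C:\\Users\\administrator\\Downloads\\taskmgr.exe"},
       {"id": 4688, "time": "2024-05-01 02:08:30", "process": "C:\\Windows\\System32\\taskmgr.exe"},
       {"id": 4688, "time": "2024-05-01 02:09:00", "process": "C:\\1bugbug.exe"}]
)

if __name__ == "__main__":
    for hit in rdp_bruteforce_then_success(SAMPLE):
        print("RDP brute force then logon:", hit)
    for p in suspicious_staging(SAMPLE):
        print("tool launched from staging location:", p)
```

The staging check treats the observed filenames as suspicious only when they sit in the user directories from the report, so the genuine taskmgr.exe in System32 is left alone. An operator who picks a fresh filename defeats the name match, which is why the \\tsclient\ and drive-root rules do not depend on names at all.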
Reporting also notes that attacks may be aborted if the operators' tooling is detected by the victim's security solution, and that operators sometimes switch to VMProtect-packed variants of the same tools or attempt to disable or uninstall the security software.

Makop has been linked to bring-your-own-vulnerable-driver (BYOVD) activity used to disable security products. Vulnerable drivers including hlpdrv.sys and ThrottleStop.sys/rwdrv.sys have been used in conjunction with Makop intrusions. Reporting states that hlpdrv.sys can be registered as a service to gain kernel-level access and potentially terminate EDR solutions, while ThrottleStop.sys was used for physical memory access.

Makop activity has also been associated with local privilege escalation exploits for CVE-2016-0099, CVE-2017-0213, CVE-2018-8639, CVE-2019-1388, CVE-2020-0787, CVE-2020-0796, CVE-2020-1066, CVE-2021-41379, and CVE-2022-24521, with CVE-2017-0213, CVE-2018-8639, CVE-2021-41379, and CVE-2016-0099 appearing most frequently in observed attacks.

Makop has evolved beyond earlier delivery methods such as fake resumes or copyright-themed emails, and has been observed using RDP as the entry point in South Korea. Acronis also reported the first documented case of Makop being distributed via GuLoader.

Makop-family variants include Ndm448, which CYFIRMA assessed as belonging to the Makop family. Ndm448 targets Windows systems, encrypts local and accessible network drives, appends a victim-specific .ndm448 extension, drops ransom notes such as +README-WARNING+.txt, and shows indicators consistent with double extortion, including claims of prior data theft and threats to leak or sell the stolen data. Reported Ndm448 behaviors include deletion of Volume Shadow Copies via vssadmin.exe and wmic, directory traversal across user and system paths, and ATT&CK-mapped behaviors including process discovery, system information discovery, network share discovery, file deletion, and file and directory permissions modification.
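Two of the behaviors described above leave distinctive log evidence: a vulnerable driver registered as a kernel service (System event 7045, or Security 4697 when auditing is on) and shadow copy deletion from the command line. The block below is an added example, not code from the page or from any vendor. It flags 7045 events whose image is one of the driver names the reporting ties to Makop, or any kernel-driver service whose image lives in a user-writable location, and flags 4688 command lines that delete shadow copies. The page names vssadmin and wmic; the check also covers "vssadmin resize shadowstorage" and the PowerShell Win32_ShadowCopy form, which are generalizations beyond the report. Event field names and the sample data are constructed.

```python
r"""Detections for the Makop defense-evasion and impact behaviours described
above: a vulnerable driver registered as a kernel service (BYOVD) and
Volume Shadow Copy deletion from the command line.

Added example, not code from the page or any vendor. Event dicts mimic
System 7045 (service installed) and Security 4688 (process created, with
command line); the driver names come from the page, everything else is an
assumption.
"""
import ntpath
import re
import shlex

# Driver file names the reporting associates with Makop BYOVD activity.
KNOWN_VULN_DRIVERS = {"hlpdrv.sys", "throttlestop.sys", "rwdrv.sys"}

# 7045 "Service Type" text, or the raw SERVICE_KERNEL_DRIVER value.
KERNEL_DRIVER_TYPES = {"kernel mode driver", "0x1"}

# Locations a kernel driver should never be loaded from.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\tsclient\\", "\\$recycle.bin\\")


def byovd_service_installs(events):
    """From 7045 events return (service_name, image_path, reason) for services
    whose image is a known vulnerable driver, or a kernel driver from a
    user-writable path."""
    out = []
    for ev in events:
        if ev["id"] != 7045:
            continue
        img = ev["image_path"].strip('"')
        low = img.lower()
        if low.startswith("\\??\\"):            # NT object path form \??\C:\...
            low = low[4:]
        name = ntpath.basename(low)
        is_kernel = ev.get("service_type", "").lower() in KERNEL_DRIVER_TYPES
        if name in KNOWN_VULN_DRIVERS:
            out.append((ev["service"], img, "known vulnerable driver"))
        elif is_kernel and any(d in low for d in USER_WRITABLE):
            out.append((ev["service"], img, "kernel driver from user-writable path"))
    return out


def _tokens(cmdline):
    """Split a Windows command line into lower-cased, unquoted tokens.
    posix=False keeps backslashes intact; unbalanced quotes (a common
    evasion) fall back to a plain whitespace split instead of failing."""
    try:
        parts = shlex.split(cmdline, posix=False)
    except ValueError:
        parts = cmdline.split()
    return [t.strip('"').lower() for t in parts]


def shadow_copy_tampering(events):
    """Return (process, command_line, reason) for 4688 events whose command
    line deletes or starves Volume Shadow Copies."""
    out = []
    for ev in events:
        if ev["id"] != 4688 or not ev.get("command_line"):
            continue
        toks = _tokens(ev["command_line"])
        exe = ntpath.basename(toks[0]) if toks else ""
        joined = " ".join(toks)
        reason = None
        if exe.startswith("vssadmin") and "delete" in toks and "shadows" in toks:
            reason = "vssadmin delete shadows"
        elif exe.startswith("vssadmin") and "resize" in toks and "shadowstorage" in toks:
            reason = "vssadmin resize shadowstorage"      # shrinks storage so copies are purged
        elif exe.startswith("wmic") and "shadowcopy" in toks and "delete" in toks:
            reason = "wmic shadowcopy delete"
        elif "win32_shadowcopy" in joined and re.search(r"\bremove|\bdelete\(\)", joined):
            reason = "WMI Win32_ShadowCopy removal"       # PowerShell / WMI variant
        if reason:
            out.append((ev["process"], ev["command_line"], reason))
    return out


# Constructed sample events (not real telemetry).
SAMPLE = [
    {"id": 7045, "service": "hlpdrv", "image_path": "C:\\Users\\Public\\Music\\hlpdrv.sys",
     "service_type": "kernel mode driver"},
    {"id": 7045, "service": "ThrottleStop",
     "image_path": "\\??\\C:\\Users\\admin\\Downloads\\ThrottleStop.sys",
     "service_type": "kernel mode driver"},
    {"id": 7045, "service": "evildrv", "image_path": "C:\\ProgramData\\x\\rw.sys",
     "service_type": "kernel mode driver"},
    {"id": 7045, "service": "disk", "image_path": "C:\\Windows\\System32\\drivers\\disk.sys",
     "service_type": "kernel mode driver"},
    {"id": 7045, "service": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe",
     "service_type": "user mode service"},
    {"id": 4688, "process": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"id": 4688, "process": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "command_line": '"C:\\Windows\\System32\\wbem\\WMIC.exe" shadowcopy delete'},
    {"id": 4688, "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": 'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object {$_.Delete()}"'},
    {"id": 4688, "process": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for hit in byovd_service_installs(SAMPLE):
        print("BYOVD:", hit)
    for hit in shadow_copy_tampering(SAMPLE):
        print("shadow copy tampering:", hit)
```

The driver check alerts on the known names regardless of path, because a signed vulnerable driver is loadable from anywhere; the path heuristic catches renamed copies but will also fire on a legitimately staged installer, so treat it as a hunting lead. Shadow copy deletion is occasionally legitimate maintenance, but on a workstation, or shortly after an interactive RDP logon, it should be escalated immediately.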

MITRE ATT&CK

Tradecraft

Techniques observed across reporting, grouped by tactic. A count after a technique ID (for example ×2) is the number of intelligence reports citing that technique.

TA0001 Initial Access (1 technique)
  T1133 External Remote Services

TA0002 Execution (2 techniques)
  T1059 Command and Scripting Interpreter
    T1059.005 Visual Basic
  T1569 System Services
    T1569.002 Service Execution

TA0003 Persistence (1 technique)
  T1133 External Remote Services

TA0004 Privilege Escalation (1 technique)
  T1068 Exploitation for Privilege Escalation (×2)

TA0005 Defense Evasion (2 techniques)
  T1027 Obfuscated Files or Information
  T1036 Masquerading

TA0006 Credential Access (2 techniques)
  T1003 OS Credential Dumping
  T1110 Brute Force

TA0007 Discovery (1 technique)
  T1046 Network Service Discovery

TA0008 Lateral Movement (1 technique)
  T1021 Remote Services
    T1021.001 Remote Desktop Protocol

TA0011 Command and Control (1 technique)
  T1105 Ingress Tool Transfer

TA0040 Impact (2 techniques)
  T1486 Data Encrypted for Impact
  T1489 Service Stop