Makop ransomware is a variant of the notorious PHOBOS ransomware family. It is known for its ability to bypass traditional security measures through innovative obfuscation techniques. First observed in 2020, this malware has infected numerous systems, encrypting critical data and holding it for ransom.
Let’s examine Makop, its key characteristics, infection vectors, and the steps organizations can take to mitigate the risk of becoming victims to this formidable adversary.
Makop ransomware overview
Makop ransomware emerged in January 2020 when an actor using the handle ‘Makop’ advertised it on dark web forums. The malware was introduced as a Ransomware-as-a-Service (RaaS) operation, and the original creator actively recruited affiliates across major hacking forums, including Exploit, XSS, Blackhacker, WWH-Club, and others. However, by 2024, the original ‘Makop’ actor’s presence had diminished, though the ransomware continues to operate through its affiliate network.
Business model
Makop takes a unique approach by focusing solely on encryption without implementing double-extortion tactics. The group doesn’t maintain a leak site or engage in data exfiltration, which sets it apart from current trends in ransomware operations. Instead, they rely on direct communication through email and sometimes utilize the Tox P2P messaging protocol for ransom negotiations.
Technical infrastructure
The ransomware employs a sophisticated technical setup that includes several distinctive features. Each infection generates a unique system identifier, and affiliates can customize various parameters, including file extensions and ransom amounts. The malware uses IPLogger, an IP address location tracking service, to track infected systems and implements mutex mechanisms to prevent multiple infections of the same system. This infrastructure allows for highly customizable attacks while maintaining operational control.
How to identify the Makop ransomware
Indicators of compromise (IOCs) are forensic data that can help identify malicious activity or malware associated with a cyber attack. It includes the encryption extension, file hashes, and IP addresses, among other details cyber criminals leave as they infect a machine or system.Â
If you can’t identify the ransomware strain through its IOCs, you can use Proven Data’s free ransomware ID tool to check if the Makop ransomware encrypts your files.
Important: Some of these indicators require technical knowledge of the infected system, so you may need to contact your IT team or a digital forensics service provider.
Makop ransomware main IOCs
File extensions
Makop encrypts files and appends the “.makop” extension to the filenames. For example, a file named “document.docx” would be encrypted and renamed to “document.docx.[RANDOM_ID].[EMAIL_ADDRESS].makop” or even a simpler “.[RANDOM_ID].makop. However, affiliates can change this extension.
Ransom note
Makop leaves a text file named “readme-warning.txt” on the desktop and in each compromised folder. This ransom note contains instructions for contacting the attackers and paying the ransom.
Process Termination
Makop terminates specific processes related to databases, productivity applications, and other programs to prevent interference with the encryption process.
Registry Persistence
Makop adds a registry entry in the “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” key to ensure its persistence on system startup.
How Makop ransomware works - Tactics, Techniques, and Procedures (TTPs)
Understanding how ransomware infects systems and machines is critical for individuals and organizations to take immediate action during an attack. These are also known as the Tactics, Techniques, and Procedures (TTPs) to prevent attacks.
1. Initial access
Makop affiliates primarily target organizations through exposed Remote Desktop Protocol (RDP) services. Their typical attack pattern begins with harvesting usernames from RDP login pages and systematic brute-force attacks on passwords.
2. Post-compromise activities
Once inside a network, Makop operators deploy a precise set of tools for lateral movement and encryption preparation. These include:
- PowerShell scripts for initial payload execution
- Network scanning tools (NS.exe) to identify potential targets
- File search utilities (Everything.exe) for identifying valuable data
- Input blocking tools (Mouselock.exe) to prevent user intervention
- Additional RDP brute-force tools (NLBrute.exe) for internal movement
- Custom batch scripts designed to disable and delete Volume Shadow Copies
3. Encryption process
The ransomware’s encryption mechanism is particularly sophisticated, utilizing AES256 encryption with a unique naming convention for encrypted files.Â
The format follows:Â
Original_name.extension.[8-Character_ID].[Email_Address].mkpÂ
A notable feature is the GUI-based encryptor that offers various options:
- Quick encryption mode that only encrypts the first 40KB of files
- Network share targeting capabilities
- Self-deletion functionality to cover tracks
- System-specific ID generation based on Windows Product ID and Volume Serial Number
4. Defense evasion and persistence
Makop demonstrates considerable effort in maintaining persistence and evading detection. As part of its infection process, the ransomware modifies registry entries, creates custom system identifiers, and changes system wallpapers. It carefully avoids encrypting certain system directories and file types to ensure system stability and prevent detection.
The ransomware is programmed to avoid encrypting Windows system folders and specific file extensions like .exe and .dll. Interestingly, it also skips files with extensions associated with other ransomware infections, suggesting a level of awareness of competing malware operations.
How to handle a Makop ransomware attack
It is important to note that handling a ransomware attack can be complex and require expertise. Therefore, it is recommended that you seek professional help from a reputable data recovery service, such as Proven Data, to recover your data and remove the ransomware from your system.
You can also report the attack to law enforcement agencies, such as the FBI and cybersecurity organizations, to help prevent future attacks and catch the perpetrators.
We strongly recommend contacting cybersecurity services to handle ransomware attacks. Proven Data technicians not only retrieve ransomware-encrypted data but also create forensic reports and streamline incident response, minimizing your business downtime and financial loss.
How to mitigate the impact of a Makop attack
Makop ransomware has significantly impacted various industries, causing widespread disruption and financial losses. Organizations can mitigate the risk of a Makop attack by implementing a layered security approach:
- Network Security:
- Segment networks to limit lateral movement
- Implement strong access controls, including robust password policies and multi-factor authentication
- Regularly patch and update network devices
- Monitor network traffic for anomalies and suspicious activity
- Endpoint Security:
- Deploy robust endpoint detection and response (EDR) solutions
- Implement regular vulnerability scanning and patching
- Use advanced threat protection (ATP) solutions to detect and prevent advanced attacks
- Enforce strict security policies, such as limiting administrative privileges
- Data Protection:
- Implement regular, tested backup and recovery procedures
- Store backup copies offline or in a secure, off-site location
- Regularly update and patch backup software
- Enforce a robust data protection strategy, including data encryption and access controls