Makop

Makop is a human-operated ransomware actor active since 2020 and generally treated as a Phobos-derived ransomware family/variant. The group has targeted organizations in Europe and Italy, and observed victim telemetry also shows attacks against entities in India, Brazil, Germany, and South Korea. Reporting describes Makop as largely opportunistic rather than tightly region-focused. Known related strains include Ndm448, which is assessed as part of the Makop ransomware family and has been associated with double-extortion behavior. Makop commonly gains initial access through exposed and insecure RDP services, including brute-force and dictionary attacks against weak or reused credentials, and has also been described as using exposed remote administration services and internet-facing vulnerabilities. Recent reporting notes a shift in South Korea from earlier lure-based delivery such as fake resumes or copyright-themed emails to RDP-based intrusion. Acronis also observed GuLoader used to deliver Makop payloads, described as the first documented case of Makop being distributed via a loader. Operations are hands-on-keyboard and typically involve staging tools for discovery, lateral movement, credential theft, privilege escalation, defense evasion, persistence, and then encryption. Makop has used custom .NET tools including ARestore, which generates and tests local Windows credential combinations, and PuffedUp, a persistence utility that establishes a Windows RUN registry key and reads configuration data associated with clipboard activity. The group also uses numerous legitimate or dual-use tools, including PsExec, PuTTY, Mimikatz, LaZagne, NetPass, NetScan, Advanced IP Scanner, Advanced Port Scanner, Masscan, Everything, Process Hacker, IOBit Unlocker, Defender Control, Disable Defender, and YDArk. Process Hacker is specifically noted as a favored tool of Makop operators. Makop has used BYOVD techniques and vulnerable drivers including hlpdrv.sys and ThrottleStop.sys/rwdrv.sys to gain kernel-level access and potentially terminate EDR or other security products. Reporting also notes these drivers have been used in Makop intrusions alongside other ransomware operations. The group has abused legitimate applications to kill processes and remove software, and in some cases deployed tailored uninstallers to remove Quick Heal AV. Makop operators have also exploited multiple Windows local privilege escalation vulnerabilities, including CVE-2016-0099, CVE-2017-0213, CVE-2018-8639, CVE-2019-1388, CVE-2020-0787, CVE-2020-0796, CVE-2020-1066, CVE-2021-41379, and CVE-2022-24521. Makop ransomware encryptors have been observed under filenames such as bug_osn.exe, bug_hand.exe, 1bugbug.exe, bugbug.exe, taskmgr.exe, mc_osn.exe, and mc_hand.exe. Associated family behavior includes encryption of local and accessible network drives, deletion of Volume Shadow Copies, and in the case of Ndm448, ransom notes claiming prior data theft and threatening disclosure or sale of stolen data. Makop has also been described in one report as having links to Crysis and Venus ransomware actors, but the provided content does not further substantiate the nature of that relationship.