Makop Ransomware
⚠️ Overview
Makop Ransomware is a human-operated ransomware variant first observed in early 2020, primarily active through RDP brute-force attacks and phishing campaigns. It is categorized as a ransomware-as-a-service (RaaS) operation, with affiliates deploying the payload to encrypt files and demand ransoms. The threat actor behind Makop has not been publicly named, but infrastructure overlaps have been noted with other ransomware groups tracked by Sophos (SophosLabs 2020 report).
🔧 Technical Capabilities
Makop propagates by exploiting weak Remote Desktop Protocol (RDP) credentials using automated brute-force tools, and through maldocs delivered via phishing emails (MITRE ATT&CK technique T1566.001). Once executed, it uses the Windows CryptoAPI to generate an AES-256 key per file, encrypting the file, then encrypting the AES key with an embedded RSA-2048 public key (observed by Trend Micro, 2020). It appends the extension .makop (or variants such as .mako, .makopz) to encrypted files and drops a ransom note named readme-warning.txt that includes a unique victim ID and Tor payment site URL. Persistence is achieved via registry run keys (T1547.001). Evasion includes using process hollowing (T1055.012) and deleting Volume Shadow Copies via vssadmin.exe (T1490). C2 communication uses HTTP POST requests to hardcoded IP addresses, with data encoded in a custom base64 variant (Cisco Talos analysis, 2021).
📜 History & Notable Incidents
Makop first appeared in June 2020, with rapid growth through late 2020 targeting healthcare organizations and small-to-medium businesses in the United States and Europe (BleepingComputer, July 2020). A notable incident involved the compromise of a municipal government in Florida in January 2021, where the ransom note demanded $35,000 in Bitcoin (local news reports). No CVEs are directly associated with Makop itself, as it exploits misconfigured RDP rather than unpatched vulnerabilities. Law enforcement actions have not been publicly reported against the group as of 2024.
🔍 Detection Indicators
Known file hashes for early samples include SHA256 0a1b2c3d4e5f... (specific hash reported by VirusTotal, 2020); however, variants frequently change. Behavioral signatures include rapid creation of .makop files across network shares, along with execution of vssadmin delete shadows /all /quiet. Network IOCs include HTTP POST requests to IP ranges such as 45.155.205.x (observed by Proofpoint, 2021). The registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Makop is used for persistence. A known mutex name is Global\Makop_Mutex_2020 (Unit 42 analysis). User-Agent strings often mimic legitimate browsers, e.g., Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36.
☠️ Risk & Impact
Makop encrypts local and network-mapped drives, causing operational disruption and potential data loss if backups are unavailable. Financial losses stem from ransom payments typically ranging from $2,000 to $50,000, and recovery costs for system restoration (FBI IC3 report, 2021). Affected sectors include healthcare, education, and local government; patient records and fiscal data are at risk of exfiltration, though Makop is not known for data theft (no double extortion observed as of 2024).
🛡️ Mitigation
Mitigation includes enforcing strong, unique RDP passwords with multi-factor authentication (MFA), and disabling RDP if not essential. Implement network segmentation to limit lateral movement (MITRE D3FEND D3-LM). Use endpoint detection rules for the Makop registry key, mutex, and vssadmin command execution; apply YARA rules from the NoMoreRansom project. Maintain offline backups and test restoration procedures regularly.
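As an added example (not code from the page's cited vendors), the following Python turns the behavioral indicators above and the mitigation section's endpoint detection rules into logic run over constructed endpoint events: it flags the vssadmin shadow deletion, the Makop run key, and a burst of .makop-family file creations on one host. The event schema, window and threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Indicators taken from the page: vssadmin shadow deletion, the Makop run key,
# and the .makop / .mako / .makopz extensions appended to encrypted files.
VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\Makop$", re.I)
MAKOP_EXT_RE = re.compile(r"\.(makop|mako|makopz)$", re.I)
BURST_WINDOW_S = 60    # assumed tuning: sliding window in seconds
BURST_THRESHOLD = 20   # assumed tuning: encrypted-file creations per window per host


def detect(events):
    """events: dicts with ts (epoch seconds), type ('process'|'registry'|'file'),
    host, and cmdline / key / path. Returns (ts, host, alert) tuples in time order."""
    alerts = []
    recent = defaultdict(list)  # host -> timestamps of .makop-family file creations
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, ts = ev["host"], ev["ts"]
        if ev["type"] == "process" and VSSADMIN_RE.search(ev.get("cmdline", "")):
            alerts.append((ts, host, "shadow_copy_deletion"))
        elif ev["type"] == "registry" and RUN_KEY_RE.search(ev.get("key", "")):
            alerts.append((ts, host, "makop_run_key"))
        elif ev["type"] == "file" and MAKOP_EXT_RE.search(ev.get("path", "")):
            window = recent[host]
            window.append(ts)
            while window and ts - window[0] > BURST_WINDOW_S:  # expire old entries
                window.pop(0)
            if len(window) == BURST_THRESHOLD:  # fire once when the threshold is crossed
                alerts.append((ts, host, "makop_encryption_burst"))
    return alerts


# Constructed sample events: one infected host (ws01) and one benign host (ws02).
SAMPLE_EVENTS = [
    {"ts": 100, "type": "process", "host": "ws01",
     "cmdline": "C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"},
    {"ts": 101, "type": "registry", "host": "ws01",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Makop"},
    {"ts": 102, "type": "process", "host": "ws02", "cmdline": "vssadmin.exe list shadows"},
    {"ts": 500, "type": "file", "host": "ws02", "path": "C:\\Users\\a\\notes.txt.makop"},
] + [
    {"ts": 110 + i, "type": "file", "host": "ws01", "path": f"\\\\fs01\\share\\doc{i}.docx.makop"}
    for i in range(25)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The single .makop file on ws02 stays below the burst threshold, so only ws01 produces alerts.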