It has been reported that Makop ransomware is actively targeting organisations including critical sectors. Makop ransomware encrypts the files on the victim's systems and asks for ransom payment in bitcoin.
Makop is an offshoot of the Phobos ransomware family and is operated under an affiliate structure.
Infection Mechanism
Makop ransomware uses several techniques to enter an organisation's network and deliver its payload. The most common initial access vectors are internet-exposed systems running unsecured RDP services, phishing emails carrying malicious attachments (often using unusual file extensions to evade email scanning), torrent websites and malicious advertisements.
After gaining an initial foothold in the victim's network, the Makop operators have been observed using a mix of custom-developed and off-the-shelf tools to carry out the intrusion:
- PowerShell: Downloads and executes a batch script on the impacted systems
- NS.exe: Scan the network and search for shared folders
- Everything.exe: Search filenames or create file listings
- Mouselock.exe: Block mouse input
- NLBrute.exe: Brute-force RDP credentials
- Batch scripts: Disable and delete Volume Shadow Copies
- RDP: Move laterally through the environment
- mc_hand.exe: Ransomware executable
The threat group is also known to leverage PuTTY, Mimikatz, YDArk, Advanced Port Scanner and PsExec to perform the attacks.
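The tooling above gives a defender something concrete to hunt for in process-creation telemetry. The following PowerShell is an added example, not code from the advisory or from the Makop operators: it flags Windows process-creation records whose image name matches a tool listed above, or whose command line deletes Volume Shadow Copies. The tool names come from the advisory; the exact filenames of the off-the-shelf tools and the vssadmin/wmic command lines assumed for the shadow-copy batch scripts are assumptions, since the advisory does not quote them. The sample records are constructed, not real telemetry.

```powershell
# Added example (not from the advisory): flag process-creation records that match
# the Makop tooling described above. Tool filenames for the off-the-shelf tools and
# the shadow-copy command lines are assumptions; the advisory does not quote them.

# Image-name patterns (regex, case-insensitive, matched against the file name only).
$MakopToolPatterns = @(
    '^ns\.exe$', '^everything\.exe$', '^mouselock\.exe$', '^nlbrute\.exe$',
    '^mc_hand\.exe$', '^putty\.exe$', '^mimikatz\.exe$', '^ydark\.exe$',
    '^psexec(64)?\.exe$', 'advanced_?port_?scanner'
)

# Command lines that disable or delete Volume Shadow Copies (assumed typical contents
# of the batch scripts the advisory mentions).
$ShadowCopyPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',
    'wmic(\.exe)?\s+shadowcopy\s+delete'
)

function Test-MakopProcessEvent {
    # Returns a finding object for a suspicious record, or $null for a benign one.
    param(
        [Parameter(Mandatory)] [string] $Image,
        [string] $CommandLine = '',
        [string] $User = '',
        $TimeCreated = $null
    )
    $exe = ($Image -replace '^.*[\\/]', '').ToLowerInvariant()
    $reason = $null
    foreach ($p in $MakopToolPatterns) {
        if ($exe -match $p) { $reason = "known Makop tool: $exe"; break }
    }
    if (-not $reason) {
        foreach ($p in $ShadowCopyPatterns) {
            if ($CommandLine -match $p) { $reason = 'shadow copy deletion'; break }
        }
    }
    if (-not $reason) { return $null }
    [pscustomobject]@{
        TimeCreated = $TimeCreated
        User        = $User
        Reason      = $reason
        Image       = $Image
        CommandLine = $CommandLine
    }
}

function ConvertFrom-ProcessCreationEvent {
    # Map a Security log event 4688 record to the fields Test-MakopProcessEvent needs.
    # Index positions follow the standard 4688 property layout; CommandLine (index 8)
    # is only populated when command-line auditing is enabled on the host.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $p = $Event.Properties
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            User        = "$($p[2].Value)\$($p[1].Value)"
            Image       = [string]$p[5].Value
            CommandLine = [string]$p[8].Value
        }
    }
}

function Find-MakopActivity {
    # Run the check over a stream of converted records and keep only the findings.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $f = Test-MakopProcessEvent -Image $Record.Image -CommandLine $Record.CommandLine -User $Record.User -TimeCreated $Record.TimeCreated
        if ($f) { $f }
    }
}

# Constructed sample records (not real telemetry), in the shape ConvertFrom-ProcessCreationEvent emits.
$SampleRecords = @(
    [pscustomobject]@{ TimeCreated = '2024-01-01 02:13:05'; User = 'CORP\svc_backup'
                       Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c vssadmin delete shadows /all /quiet' }
    [pscustomobject]@{ TimeCreated = '2024-01-01 02:13:40'; User = 'CORP\svc_backup'
                       Image = 'C:\Users\Public\NS.exe'; CommandLine = 'NS.exe' }
    [pscustomobject]@{ TimeCreated = '2024-01-01 02:14:02'; User = 'CORP\svc_backup'
                       Image = 'C:\Windows\System32\wbem\WMIC.exe'
                       CommandLine = 'wmic shadowcopy delete' }
    [pscustomobject]@{ TimeCreated = '2024-01-01 08:00:00'; User = 'CORP\jdoe'
                       Image = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       CommandLine = '"WINWORD.EXE" /n' }
)

# Offline run over the constructed sample: the first three records are flagged, the fourth is not.
$SampleRecords | Find-MakopActivity | Format-Table TimeCreated, User, Reason, CommandLine -AutoSize

# Against a live host (elevated session, command-line auditing enabled):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } |
#     ConvertFrom-ProcessCreationEvent | Find-MakopActivity
```

The image-name match is deliberately restricted to the file name so that the check is not defeated by staging the tools under an unusual path, and the shadow-copy match is on the command line rather than the image, because the same commands are just as often launched through cmd.exe or a batch file as directly. Renamed binaries will not be caught by name; for those, pair this with hash-based IOCs from the indicators section.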
Makop ransomware uses the AES-256 algorithm to encrypt files and typically appends the ".makop" or ".mkp" extension to encrypted files.
Indicator of Compromise (IOCs):
For the detailed IOCs, kindly click Indicators of Compromise
Best Practices and Recommendations:
- Maintain offline backups of data, and regularly test backup and restoration. This ensures the organisation is not severely interrupted by an attack and does not lose data irretrievably.
- Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted) and covers the entire organization’s data infrastructure.
- Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords.
- Implement multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
- Remove unnecessary access to administrative shares.
- Consider restricting/disabling command-line and scripting activities and permissions.
- Use a host-based firewall to only allow connections to administrative shares via server message block (SMB) from a limited set of administrator machines.
- Enable Windows file protection features to prevent unauthorised changes to critical files.
- Disable Remote Desktop connections where they are not needed, and use least-privileged accounts. Limit the users who can log in via Remote Desktop, set an account lockout policy, and ensure proper RDP logging and configuration.
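The SMB and RDP recommendations above translate into a handful of concrete host settings. The PowerShell below is an added example, not from the advisory: it applies the administrative-share firewall restriction, the RDP restrictions, the lockout policy and the logon auditing on a single Windows host, then reads the state back so the change can be verified. The admin host addresses, the RDP group name and the lockout values are placeholders; on domain-joined hosts these settings belong in Group Policy, and the example is there to show what each recommendation means in practice.

```powershell
# Added example (not from the advisory): apply the SMB and RDP recommendations on one
# host and read the result back. Addresses, group name and lockout values are placeholders.

$TerminalServer = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp         = "$TerminalServer\WinStations\RDP-Tcp"
$SmbRuleName    = 'SMB-In from admin hosts only (example)'

function Set-SmbAdminShareRestriction {
    # Allow inbound SMB (TCP 445) only from a short list of administrator machines.
    # Windows Firewall evaluates Block rules before Allow rules, so the built-in
    # File and Printer Sharing rules are disabled rather than shadowed by a Block rule,
    # and the profiles' default inbound action is set to Block.
    param([Parameter(Mandatory)] [string[]] $AdminHosts)
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
        Disable-NetFirewallRule
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    Get-NetFirewallRule -DisplayName $SmbRuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    $rule = @{
        DisplayName   = $SmbRuleName
        Direction     = 'Inbound'
        Protocol      = 'TCP'
        LocalPort     = 445
        RemoteAddress = $AdminHosts
        Action        = 'Allow'
        Profile       = 'Domain', 'Private'
    }
    New-NetFirewallRule @rule | Out-Null
}

function Set-RdpHardening {
    param(
        [switch] $DisableRdp,
        [string] $AllowedRdpGroup = 'CORP\RDP-Admins',   # placeholder group name
        [int] $LockoutThreshold = 5,
        [int] $LockoutMinutes   = 30
    )
    if ($DisableRdp) {
        # RDP is not needed on this host: refuse connections and close the firewall rules.
        Set-ItemProperty -Path $TerminalServer -Name fDenyTSConnections -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        return
    }
    Set-ItemProperty -Path $TerminalServer -Name fDenyTSConnections -Value 0
    # Require Network Level Authentication: credentials are checked before a session exists.
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1
    # Limit who may log in over RDP to the named group. Every other existing member is
    # removed on purpose; local Administrators can always connect regardless.
    Get-LocalGroupMember -Group 'Remote Desktop Users' |
        Where-Object { $_.Name -ne $AllowedRdpGroup } |
        ForEach-Object { Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $_.Name }
    if (-not (Get-LocalGroupMember -Group 'Remote Desktop Users' | Where-Object Name -eq $AllowedRdpGroup)) {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $AllowedRdpGroup
    }
    # Account lockout policy for local accounts (domain accounts follow domain policy).
    net accounts "/lockoutthreshold:$LockoutThreshold" "/lockoutduration:$LockoutMinutes" "/lockoutwindow:$LockoutMinutes" | Out-Null
    # Logging: audit logon success and failure (events 4624/4625; logon type 10 is RDP)
    # and make sure the Terminal Services operational logs are enabled.
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
    wevtutil sl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational /e:true
    wevtutil sl Microsoft-Windows-TerminalServices-LocalSessionManager/Operational /e:true
}

function Get-RdpHardeningState {
    # Read the settings back so the change can be verified, or audited on other hosts.
    [pscustomobject]@{
        RdpEnabled    = (Get-ItemProperty -Path $TerminalServer -Name fDenyTSConnections).fDenyTSConnections -eq 0
        NlaRequired   = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication).UserAuthentication -eq 1
        RdpUsers      = (Get-LocalGroupMember -Group 'Remote Desktop Users' | ForEach-Object Name) -join ', '
        LockoutPolicy = (net accounts | Select-String 'Lockout') -join '; '
        SmbAllowRule  = $null -ne (Get-NetFirewallRule -DisplayName $SmbRuleName -ErrorAction SilentlyContinue)
    }
}

# Example invocation with placeholder values (run from an elevated session; it changes the host):
# Set-SmbAdminShareRestriction -AdminHosts '10.0.0.10', '10.0.0.11'
# Set-RdpHardening -AllowedRdpGroup 'CORP\RDP-Admins'
# Get-RdpHardeningState
```

Two points worth checking before rolling this out: the `File and Printer Sharing` and `Remote Desktop` display-group names are the English ones and differ on localised Windows builds, and the SMB allow rule is scoped to the Domain and Private profiles only, so a host that flips to the Public profile will stop accepting SMB from the admin machines as well, which is usually the desired behaviour.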