Makop
Makop is a ransomware family first observed around 2020 and generally treated in the provided reporting as a variant or derivative of Phobos. It is described as a ransomware-as-a-service-style strain open to multiple threat actors and has also been characterized as similar to Dharma, Phobos, and Waiting. Makop primarily targets Windows environments and has repeatedly been associated with compromises of organizations through exposed Remote Desktop Protocol (RDP) services, typically using brute-force or dictionary attacks against weak or reused credentials; one report specifically observed use of NLBrute 1.2 for large-scale RDP password guessing. Reporting also notes a shift from earlier delivery via fake resumes or copyright-themed emails toward RDP-driven intrusions, and a later evolution in which GuLoader was observed delivering Makop payloads. Recent reporting further states Makop operators used BYOVD-based EDR-killer techniques and targeted RDP-exposed networks.
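The RDP password-guessing pattern described above (a burst of failed logons from one source, followed by a successful remote logon from the same source) is what a defender most wants to catch early. The following detection routine is an added example written for this page; it is not code from Mallory or from any of the reports the profile summarizes. It assumes a simplified Windows Security log record format (event ID 4625 for failed and 4624 for successful logons, with source IP and logon type), and the sample records are constructed for the example, not real telemetry.

```python
# Added example (not from the Mallory page or any cited report): detect the
# RDP password-guessing pattern the profile associates with Makop, a burst
# of failed logons from one source followed by a success from the same
# source. Input is simplified Windows Security log records; the sample
# below is constructed for the example, not real telemetry.
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPES = {10, 3}   # 10 = RemoteInteractive; 3 = Network (NLA pre-auth logs as type 3)
FAIL_THRESHOLD = 5          # failures from one source inside the window (tune per environment)
WINDOW = timedelta(minutes=10)

# Constructed sample records. 203.0.113.7 guesses several accounts and then
# logs in as jsmith; 198.51.100.4 is a user mistyping a password twice.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T02:00:00", "id": 4625, "user": "admin",         "ip": "203.0.113.7",  "logon_type": 3},
    {"time": "2024-01-10T02:01:00", "id": 4625, "user": "administrator", "ip": "203.0.113.7",  "logon_type": 3},
    {"time": "2024-01-10T02:02:00", "id": 4625, "user": "admin",         "ip": "203.0.113.7",  "logon_type": 3},
    {"time": "2024-01-10T02:03:00", "id": 4625, "user": "backup",        "ip": "203.0.113.7",  "logon_type": 3},
    {"time": "2024-01-10T02:04:00", "id": 4625, "user": "jsmith",        "ip": "203.0.113.7",  "logon_type": 3},
    {"time": "2024-01-10T02:05:00", "id": 4625, "user": "jsmith",        "ip": "203.0.113.7",  "logon_type": 3},
    {"time": "2024-01-10T02:06:00", "id": 4624, "user": "jsmith",        "ip": "203.0.113.7",  "logon_type": 10},
    {"time": "2024-01-10T03:00:00", "id": 4625, "user": "alice",         "ip": "198.51.100.4", "logon_type": 3},
    {"time": "2024-01-10T03:01:00", "id": 4625, "user": "alice",         "ip": "198.51.100.4", "logon_type": 3},
    {"time": "2024-01-10T03:02:00", "id": 4624, "user": "alice",         "ip": "198.51.100.4", "logon_type": 10},
]


def parse_events(events):
    """Convert ISO timestamps to datetime objects and sort chronologically."""
    parsed = [{**e, "time": datetime.fromisoformat(e["time"])} for e in events]
    return sorted(parsed, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source IP that produced >= threshold failed logons
    inside `window`. The alert records the accounts tried and, if a remote
    logon from that IP succeeded within the window, which account got in."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    tried = defaultdict(set)     # ip -> distinct usernames attempted
    alerts = {}                  # ip -> alert
    for e in parse_events(events):
        ip = e["ip"]
        if e["id"] == FAILED_LOGON:
            tried[ip].add(e["user"])
            # Drop failures that have aged out of the window, then add this one.
            recent[ip] = [t for t in recent[ip] if e["time"] - t <= window] + [e["time"]]
            if len(recent[ip]) >= threshold:
                alert = alerts.setdefault(ip, {"ip": ip, "failures": 0, "users": set(),
                                               "success_user": None, "success_time": None})
                alert["failures"] = len(recent[ip])
                alert["users"] = set(tried[ip])
        elif e["id"] == SUCCESS_LOGON and e["logon_type"] in RDP_LOGON_TYPES:
            alert = alerts.get(ip)
            # A success shortly after the guessing burst is the event to escalate.
            if (alert and alert["success_user"] is None and recent[ip]
                    and e["time"] - recent[ip][-1] <= window):
                alert["success_user"] = e["user"]
                alert["success_time"] = e["time"]
    return list(alerts.values())


def severity(alert):
    """A guessing burst that ended in a successful logon is the case to page on."""
    return "critical" if alert["success_user"] else "high"


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(severity(a), a["ip"], a["failures"], "failures; accounts tried:",
              sorted(a["users"]), "; logged in as:", a["success_user"])
```

The threshold and window are deliberately parameters: a dictionary attack of the NLBrute kind produces far more than five failures in ten minutes, but the low default also catches slower guessing, and the distinct-account set on each alert lets an analyst tell a password spray from a single-account brute force at a glance.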
Observed Makop intrusion activity includes staging tools in locations such as \tsclient\ shares, user Music folders, Downloads, Desktop, Documents, or the root of C:, sometimes under subfolders such as "Bug" or "Exp". Observed encryptor filenames include bug_osn.exe, bug_hand.exe, 1bugbug.exe, bugbug.exe, taskmgr.exe, mc_osn.exe, and mc_hand.exe, including dot-prefixed variants. Operators were reported using NetScan, Advanced IP Scanner, Advanced Port Scanner, and Masscan for discovery and lateral movement; Mimikatz, LaZagne, and NetPass for credential access; CrackAccount and AccountRestore for brute-force access to additional accounts; and Defender Control and Disable Defender to disable Microsoft Defender. Makop operators also abused legitimate tools such as Process Hacker and IOBit Unlocker to terminate processes or remove software, and Process Hacker is specifically described as a favored tool of Makop operators. In some incidents, operators stopped the attack when their tooling was detected, or switched to VMProtect-packed variants and attempted to disable or uninstall security products. Acronis also reported tailored uninstall software used to remove Quick Heal AV.
Makop activity in the provided content includes privilege escalation and defense evasion through multiple Windows local privilege escalation exploits, including CVE-2016-0099, CVE-2017-0213, CVE-2018-8639, CVE-2019-1388, CVE-2020-0787, CVE-2020-0796, CVE-2020-1066, CVE-2021-41379, and CVE-2022-24521, with CVE-2017-0213, CVE-2018-8639, CVE-2021-41379, and CVE-2016-0099 appearing most frequently in telemetry. Operators also used BYOVD techniques with vulnerable drivers including hlpdrv.sys and ThrottleStop.sys to gain kernel-level access and potentially terminate EDR solutions.
Makop has been observed targeting multiple geographies and sectors opportunistically rather than with a strict regional focus. The content specifically mentions attacks against entities in India, Brazil, Germany, South Korea, and a New Jersey-based US water and wastewater facility. Acronis telemetry stated that 55% of observed Makop attacks targeted organizations in India. AhnLab reported Makop attacks against South Korean users via RDP. The content also notes Makop’s inclusion among ransomware variants associated with re-extortion behavior, and one report states Makop, Dharma, Phobos, and Waiting are similar RaaS variants often affecting very small businesses.
The Makop family has also spawned variants. The provided content identifies Ndm448 as a Makop-family ransomware strain targeting Windows systems, encrypting local and accessible network drives, appending a victim-specific .ndm448 extension, dropping ransom notes such as +README-WARNING+.txt, changing desktop wallpaper, claiming prior data exfiltration, and deleting Volume Shadow Copies via vssadmin.exe and wmic shadowcopy delete commands. More broadly, the content states that over 350 new ransomware strains discovered in 2025 were mostly based on MedusaLocker, Chaos, and Makop families.
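The staging locations and encryptor filenames, the BYOVD driver names, and the Ndm448 recovery-inhibition commands and file artifacts described in the three preceding technical paragraphs all translate into host-level detections. The routine below is an added example written for this page, not code from Mallory, Acronis, AhnLab or any other cited source. The indicator values (filenames, folder names, driver names, the vssadmin and wmic command forms, the .ndm448 extension and the +README-WARNING+.txt note) come from the page; the Sysmon-style event shape (a "path" field standing in for Image, ImageLoaded or TargetFilename by event type) and the rule names are assumptions made for the example, and the sample events are constructed.

```python
# Added example (not from the Mallory page or any cited report): host-level
# rules for the Makop/Ndm448 artifacts the profile lists. Event shape is an
# assumption: Sysmon-style EID 1 (process create), 6 (driver load) and
# 11 (file create), with "path" standing in for Image/ImageLoaded/TargetFilename.
import re

# Indicator values taken from the profile text.
ENCRYPTOR_NAMES = {"bug_osn.exe", "bug_hand.exe", "1bugbug.exe", "bugbug.exe",
                   "mc_osn.exe", "mc_hand.exe"}
MASQUERADE_NAMES = {"taskmgr.exe"}        # legitimate in System32, suspicious elsewhere
LEGIT_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STAGING_MARKERS = ("\\tsclient\\", "\\music\\", "\\downloads\\", "\\desktop\\",
                   "\\documents\\", "\\bug\\", "\\exp\\")
VULN_DRIVERS = {"hlpdrv.sys", "throttlestop.sys"}
RANSOM_NOTE = "+readme-warning+.txt"
ENCRYPTED_EXT = ".ndm448"
SHADOW_COPY_PATTERNS = (
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
)

# Constructed sample telemetry, not events from any real incident.
SAMPLE_EVENTS = [
    {"eid": 1,  "path": r"C:\Users\victim\Music\Bug\bug_osn.exe", "cmdline": "bug_osn.exe"},
    {"eid": 1,  "path": r"C:\Windows\System32\taskmgr.exe", "cmdline": "taskmgr.exe"},
    {"eid": 1,  "path": r"C:\Users\victim\Downloads\taskmgr.exe", "cmdline": "taskmgr.exe"},
    {"eid": 1,  "path": r"C:\Windows\System32\vssadmin.exe",
                "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"eid": 1,  "path": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"eid": 6,  "path": r"C:\Users\victim\Desktop\ThrottleStop.sys"},
    {"eid": 6,  "path": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"eid": 11, "path": r"C:\Users\victim\Documents\+README-WARNING+.txt"},
    {"eid": 11, "path": r"C:\Users\victim\Documents\report.docx.ndm448"},
    {"eid": 1,  "path": r"C:\.bugbug.exe", "cmdline": ".bugbug.exe"},
]


def basename(path):
    """Last path component, lower-cased, with a leading dot removed so the
    dot-prefixed variants the profile mentions match the same list."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower().lstrip(".")


def in_staging_location(path):
    """True for the root of C: or any of the staging folders named in the profile."""
    p = path.lower()
    at_c_root = p.startswith("c:\\") and p.count("\\") == 1
    return at_c_root or any(marker in p for marker in STAGING_MARKERS)


def evaluate(event):
    """Return a list of (rule, evidence) pairs for a single event."""
    hits = []
    path = event.get("path", "")
    name = basename(path)
    eid = event["eid"]
    if eid == 1:
        if name in ENCRYPTOR_NAMES:
            where = "in a known staging location" if in_staging_location(path) else "outside known staging locations"
            hits.append(("makop_encryptor_filename", f"{path} ({where})"))
        elif name in MASQUERADE_NAMES and not path.lower().startswith(LEGIT_SYSTEM_DIRS):
            hits.append(("system_binary_name_outside_system32", path))
        cmdline = event.get("cmdline", "")
        if any(p.search(cmdline) for p in SHADOW_COPY_PATTERNS):
            hits.append(("shadow_copy_deletion", cmdline))
    elif eid == 6 and name in VULN_DRIVERS:
        hits.append(("vulnerable_driver_load", path))
    elif eid == 11:
        if name == RANSOM_NOTE:
            hits.append(("makop_ransom_note_dropped", path))
        elif name.endswith(ENCRYPTED_EXT):
            hits.append(("ndm448_encrypted_file_written", path))
    return hits


def scan(events):
    """Run every rule over a batch of events and return the alerts in order."""
    return [{"rule": rule, "evidence": evidence}
            for event in events for rule, evidence in evaluate(event)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['rule']:40} {alert['evidence']}")
```

Two design points carry over to a production rule set. The taskmgr.exe entry is only an indicator outside the system directories, so the rule keys on location rather than name alone; and the driver-load rule should fire on the driver's file hash as well as its name in a real deployment, since renaming a signed vulnerable driver does not change its signature, but the profile does not supply hashes, so the example keys on names only.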
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
10 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
“Multiple local privilege escalation (LPE) vulnerabilities… CVE-2020-0796 …”
“Multiple local privilege escalation (LPE) vulnerabilities… CVE-2020-1066 …”
“Multiple local privilege escalation (LPE) vulnerabilities… CVE-2020-0787 …”
“Multiple local privilege escalation (LPE) vulnerabilities… CVE-2017-0213 … In our telemetry… CVE-2017-0213… [was] among the most frequently used…”
“Multiple local privilege escalation (LPE) vulnerabilities… CVE-2018-8639 … In our telemetry… CVE-2018-8639… [was] among the most frequently used…”
“Multiple local privilege escalation (LPE) vulnerabilities… CVE-2021-41379 … In our telemetry… CVE-2021-41379… [was] among the most frequently used…”
“ThrottleStop.sys is a legitimate, signed driver… The ThrottleStop vulnerability (CVE-2025-7771) comes from the way the driver handles memory access. Attackers can exploit this to gain control, ultimately leading to disabling security tools.”
“Multiple local privilege escalation (LPE) vulnerabilities… CVE-2019-1388 …”
“Multiple local privilege escalation (LPE) vulnerabilities… CVE-2022-24521 …”
“Multiple local privilege escalation (LPE) vulnerabilities… CVE-2016-0099 … In our telemetry… CVE-2017-0213, CVE-2018-8639, CVE-2021-41379 and CVE-2016-0099 were among the most frequently used…”
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (1 technique)
Stealth (3 techniques)
Discovery (5 techniques)
“Discovery T1057 Process Discovery” (Ndm448 list) and also present in UNC3886 list.
“Discovery T1083 File and Directory Discovery” (Ndm448 list) and narrative describing rapid traversal of user/system directories prior to encryption.
“Discovery T1135 Network Share Discovery” (Ndm448 list) and description: “full file encryption across local and accessible network drives”.
Impact (2 techniques)
Recent activity
12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware family cited as using Process Hacker to support attack activity.
Ransomware family associated with enterprise-targeted operations and double-extortion tradecraft; Ndm448 is described as aligning with Makop behaviors such as rapid encryption, directory enumeration, and recovery inhibition (shadow copy deletion).
Ransomware family observed exploiting exposed/insecure RDP for access and staging tools for scanning, privilege escalation, defense evasion (including BYOVD), credential dumping, and deployment; noted as first documented case of Makop being distributed via a loader (GuLoader).
Ransomware family referenced as a frequent base/lineage for newly discovered strains in 2025.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.