Makop Ransomware Puts India in Cybercrime Crosshairs

India Emerges as Ground Zero in a Resurgent Makop Ransomware Campaign
Written by: Somatirtha
Reviewed by: Atchutanna Subodh
Published on

India has been pushed into the crosshairs of a resurgent Makop ransomware campaign. With new research showing the country accounts for over half of all known victims, the spike highlights a strategic shift by ransomware groups, as attackers increasingly exploit weak cyber hygiene and exposed systems in Indian organizations.

Why India is Being Targeted

According to Acronis Research, almost 55 percent of those affected by Makop ransomware are based in India. This is not a random distribution: the attackers favor environments that give them quick access and minimal resistance, and small and medium-sized enterprises in India are known for running poorly protected remote desktop services.

Internet-exposed RDP systems protected only by weak passwords make up a significant attack vector. For ransomware operators this is a particularly appealing way into a system, compared with running a broad phishing campaign.

Known Ransomware Threat Family, Developing Tactics

Makop first emerged in 2020 and is part of the Phobos ransomware family, known for its preparatory and intrusive activity inside victim networks. Once the attacker is present in the network environment, sensitive data is manually located before the ransomware is deployed.

What is interesting about the ongoing campaign is how the Makop threat actors are refining their methods. This involves stealthier behavior to improve the chances of successful execution, showing that established ransomware actors have not stood still.

How Attacks Occur

Most Makop attacks begin with an exposed RDP server as the initial entry point, reached either through automated tools that try weak passwords or through credentials already compromised in earlier breaches.

Once access is obtained, the network is scanned, credentials are harvested with tools such as Mimikatz, and security software is disabled before encryption begins.

One notable detail is the use of GuLoader, which has now been observed alongside Makop for the first time. The malware does not launch its attack immediately; it lingers quietly until the attackers confirm they have gained control of the system.
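As an added example (not from the article or from Acronis), here is a small Python detector for the entry pattern described above: a burst of failed logons from one source followed by a successful remote-interactive (type 10) logon from the same source. The pipe-separated event format and every sample value are constructed; a real deployment would read Windows Security events 4625 and 4624 from a SIEM or event forwarder.

```python
"""Flag a successful RDP (logon type 10) logon that follows a burst of failed
logons from the same source IP, the entry pattern the article describes.
Event IDs follow the Windows Security log: 4625 = failed, 4624 = success."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "timestamp|event_id|logon_type|user|source_ip"
SAMPLE_LOG = """\
2024-05-01T02:10:01|4625|3|administrator|203.0.113.7
2024-05-01T02:10:02|4625|3|admin|203.0.113.7
2024-05-01T02:10:04|4625|3|Administrator|203.0.113.7
2024-05-01T02:10:05|4625|3|backup|203.0.113.7
2024-05-01T02:10:07|4625|3|it|203.0.113.7
2024-05-01T02:10:09|4625|3|Administrator|203.0.113.7
2024-05-01T02:11:30|4624|10|Administrator|203.0.113.7
2024-05-01T09:00:00|4625|10|jdoe|198.51.100.4
2024-05-01T09:00:20|4624|10|jdoe|198.51.100.4
"""

def parse_events(text):
    """Parse the constructed pipe-separated format into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, ltype, user, ip = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "type": int(ltype), "user": user, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per successful type-10 logon that was preceded, within
    `window`, by at least `threshold` failed logons from the same source IP."""
    failures = defaultdict(list)  # source ip -> timestamps of 4625 events
    alerts = []
    for e in events:
        if e["id"] == 4625:
            failures[e["ip"]].append(e["ts"])
        elif e["id"] == 4624 and e["type"] == 10:
            recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"ip": e["ip"], "user": e["user"],
                               "failures": len(recent), "at": e["ts"].isoformat()})
    return alerts

if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {a['failures']} failed logons from {a['ip']} then a "
              f"successful RDP logon as {a['user']} at {a['at']}")
```

The single legitimate failed attempt from 198.51.100.4 stays below the threshold, so only the 203.0.113.7 sequence is flagged.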


What Organizations Can Do

According to cybersecurity specialists, Makop's success is a reminder of how often ransomware gets in through simple weaknesses. The best ways to protect remote access are to patch regularly, rely on behavior-driven endpoint protection, and keep backups offline.

These basics hold up even against sophisticated threats; addressing the fundamental weaknesses can by itself be enough to mitigate advanced attacks.

Analytics Insight: Latest AI, Crypto, Tech News & Analysis
www.analyticsinsight.net