Dissection Of Makop Ransomware Group

Dissection Of Makop Ransomware Group
February 5, 2024 7 mins

Dissection Of Makop Ransomware Group

This blog post outlines attack patterns identified across Makop ransomware incidents and explores the ransomware executable used by Makop affiliates.

Stroz Friedberg has investigated multiple incidents involving Makop ransomware within the past few months. This type of ransomware is an offshoot of the established Phobos ransomware which has been around for several years and operates under an affiliate structure. The following blog post outlines attack patterns identified across Makop ransomware incidents and explores the ransomware executable used by Makop affiliates.

History of Makop

Makop ransomware was originally advertised on a dark web forum in January 2020 by an individual using the handle ‘Makop’. This actor announced the launch of Makop’s Ransomware-as-a-Service (“RaaS”) program and expressed the need for affiliates across popular hacking forums such as Exploit, XSS, Blackhacker, WWH-Club, Dublikat, Migalki, Tenec, and Rutor. Notable features advertised by Makop to affiliates include:

  • Affiliates may choose the filename extension of encrypted files. (i.e., “.makop”, “.mkp”, or others)
  • The ransomware creates a unique ID for each encrypted system in a corporate network.
  • Affiliates may choose a custom ransom amount.

Recently, Stroz Friedberg has not observed any activities by the individual ‘Makop’ or instances of Makop services being advertised within dark net forums. Without an identified leak site for the group, it is difficult to determine the breadth of activity attributed to the group or an accurate estimate of the impact on its victim organizations.

Initial Access

In Stroz Friedberg’s investigations, Makop affiliates primarily used internet-exposed systems with external Remote Desktop Protocol (“RDP”) enabled to gain initial access to victim organizations. The threat actor leveraged usernames from the RDP login page to perform password brute force attacks against RDP services.

Land and Expand

Once on the network, Makop affiliates use the following mixture of custom and off-the-shelf tools to conduct their operations:

  • PowerShell: download and execute a batch script on the impacted system
  • NS.exe: scan the network and search for shared folders
  • Everything.exe: search filenames or create file listing
  • Mouselock.exe: block mouse inputs
  • NLBrute.exe: brute-force RDP
  • Batch scripts: disable and delete Volume Shadow Copies
  • RDP: move laterally through the environment

Data Exfiltration

Stroz Friedberg has not observed Makop affiliates exfiltrating victim data and, as of January 2024, the group does not appear to operate a leak site. The group’s ransom note provides an email address for communication and threatens victims regarding loss of data if they choose to forgo negotiations for the decryption key.

Encryption

Stroz Friedberg identified multiple executables of Makop ransomware. One of these samples was an encryptor executable with a built-in GUI that Stroz Friedberg identified on VirusTotal. This sample decrypts strings during runtime to make static analysis difficult. That includes library names, API names, strings used to perform operations during execution, and strings that make up the ransomware note.

Dissection Of Makop Ransomware Group

Example of Makop Ransomware GUI

Using the GUI, the threat actor can select a specific folder or entire system to encrypt. The encryptor generates an 8-character, system-specific identification number and appends it to the filename. This ID is derived from Windows Product ID and Volume Serial Number. The following options are available with the GUI:

  • Quick: Expedites the encryption process by encrypting only the first 40K bytes of the target file.
  • Net: Targets network shares for encryption.
  • Delete: Deletes the encryptor executable from the execution directory, if selected.

The sample contains a hard-coded private key, 28 8A 2C FE 3F 75 C4 47 A5 21 C4 5C 33 39 E2 64 2B 34 0F 08 D2 37 2A 97 0D 83 A4 D8 B8 01 92 2E, used to decrypt the malware’s strings at runtime. These strings contain the URL, process names, commands, and strings displayed on the GUI.

After initializing keys, malware reads the target file and uses the ‘CryptEncrypt’ API to encrypt the file using the AES256 algorithm.

Upon successful encryption of the file, the encryptor renames the file in the following format:

File_Name.Extension.[8-Character_ID].[Email_Address].mkp

The Makop sample examined by Stroz Friedberg terminates specific process names, including but not limited to:

  • armsvc.exe
  • IntelCpHDCPSvc.exe
  • IPROSetMonitor.exe
  • msftesql.exe
  • OfficeClickToRun.exe
  • postgres.exe
  • sqlbrowser.exe
  • vds.exe

Additionally, the encryptor sample excludes following file extensions, paths, and specific files during encryption process:

  • *.dll
  • *.exe
  • *.mkp
  • +README-WARNING+.txt
  • boot.ini
  • bootfont.bin
  • desktop.ini
  • io.sys
  • ntdetect.com
  • ntldr
  • *\regedit.exe
  • *System32*
  • *Users\Public*
  • *windows*
  • *Winnt*

The encryptor decrypts the ransom note and filename during runtime and drops +README-WARNING+.txt ransom note file in the impacted directories. The ransom note created by this sample contains instructions for contacting the threat actors via two email addresses: datastore@cyberfear[.]com and back2up@swismail[.]com.

Dissection Of Makop Ransomware Group

Example of Makop Ransomware Note

It is a common ransomware functionality to delete Volume Shadow Copies to make data recovery difficult. The sample uses following commands to delete Volume Shadow Copies:

  • vssadmin delete shadows /all /quiet
  • wbadmin delete catalog -quiet
  • wmic shadowcopy delete
  • exit/

After encryption is complete, the malware sample sends a request to https://iplogger[.]com/1FcbD4. IPLogger is an IP address location tracking service. The threat actor can create a tracker URL and when the malware sample connects to the URL, IPLogger tracks and logs the location of the infected device. At the time of analysis, the identified tracker URL was blacklisted by IPLogger.

Dissection Of Makop Ransomware Group

Wallpaper bitmap used by Makop ransomware

The malware creates a bitmap image shown above and saves it as C:\Users\{username}\AppData\Local\temp\[A-Z0-7]{4}.bmp. This bitmap image is set to the system’s wallpaper, completing the malware execution.

Links to other ransomware families

Makop shares several similarities with other offshoots of Phobos ransomware and is commonly misdetected as “Phobos” by anti-virus solutions. Stroz Friedberg has identified other encryptors for strains such as Faust ransomware, another offshoot of Phobos, using a similar naming convention for encrypted files:

File_Name.Extension.[8-Character_ID].[Email_Address].Ransomware_Extension

IOCs

The following indicators were identified in Stroz Friedberg’s analysis of Makop ransomware matters:

Indicator Type Note
mc_hand.exe File Ransomware executable
f43b86ff363f19f26cc7d80aa64fa0894a264a736ae0abd013d98e344637e4d8 SHA256 hash Hash of ransomware executable
iplogger[.]com Domain Domain accessed by ransomware executable
datastore@cyberfear[.]com Email Threat actor email address
back2up@swismail[.]com Email Threat actor email address
[A-Z0-7]{4}.bmp File Wallpaper created by ransomware executable
2a2e38baa980683375ecd6706fc7eb057bd6ee0eb6d00a3fc3a3facbe8786a62 SHA256 hash Hash of ransomware wallpaper
+README-WARNING+.txt File Ransomware note
dd62f39b01cf2120c9e21add9e80396b44704d3d9e5499de2ef26fa5824c10bb SHA256 hash Hash of ransomware note
Aon’s Thought Leader
  • Aishwarya Desai
    DFIR

Contributors: Zachary Reichert, Josh Pivirotto

While care has been taken in the preparation of this material and some of the information contained within it has been obtained from sources that Stroz Friedberg believes to be reliable (including third-party sources), Stroz Friedberg does not warrant, represent, or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article and accepts no liability for any loss incurred in any way whatsoever by any person or organization who may rely upon it. It is for informational purposes only. You should consult with your own professional advisors or IT specialists before implementing any recommendation or following the guidance provided herein. Further, we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. Further, this article has been compiled using information available to us up to 02/05/24.

About Cyber Solutions:

Cyber security services are offered by Stroz Friedberg Inc., its subsidiaries and affiliates. Stroz Friedberg is part of Aon’s Cyber Solutions which offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents.

General Disclaimer

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.

Aon's Better Being Podcast

Our Better Being podcast series, hosted by Aon Chief Wellbeing Officer Rachel Fellowes, explores wellbeing strategies and resilience. This season we cover human sustainability, kindness in the workplace, how to measure wellbeing, managing grief and more.

Aon Insights Series Asia

Expert Views on Today's Risk Capital and Human Capital Issues

Aon Insights Series Pacific

Expert Views on Today's Risk Capital and Human Capital Issues

Aon Insights Series UK

Expert Views on Today's Risk Capital and Human Capital Issues

Client Trends 2025

Better Decisions Across Interconnected Risk and People Issues.

Construction and Infrastructure

The construction industry is under pressure from interconnected risks and notable macroeconomic developments. Learn how your organization can benefit from construction insurance and risk management.

Cyber Labs

Stay in the loop on today's most pressing cyber security matters.

Cyber Resilience

Our Cyber Resilience collection gives you access to Aon’s latest insights on the evolving landscape of cyber threats and risk mitigation measures. Reach out to our experts to discuss how to make the right decisions to strengthen your organization’s cyber resilience.

Employee Wellbeing

Our Employee Wellbeing collection gives you access to the latest insights from Aon's human capital team. You can also reach out to the team at any time for assistance with your employee wellbeing needs.

Environmental, Social and Governance Insights

Explore Aon's latest environmental social and governance (ESG) insights.

Q4 2023 Global Insurance Market Insights

Our Global Insurance Market Insights highlight insurance market trends across pricing, capacity, underwriting, limits, deductibles and coverages.

Regional Results

How do the top risks on business leaders’ minds differ by region and how can these risks be mitigated? Explore the regional results to learn more.

Human Capital Analytics

Our Human Capital Analytics collection gives you access to the latest insights from Aon's human capital team. Contact us to learn how Aon’s analytics capabilities helps organizations make better workforce decisions.

Human Capital Quarterly Insights Briefs

Read our collection of human capital articles that explore in depth hot topics for HR and risk professionals, including using data and analytics to measure total rewards programs, how HR and finance can better partner and the impact AI will have on the workforce.

Insights for HR

Explore our hand-picked insights for human resources professionals.

Workforce

Our Workforce Collection provides access to the latest insights from Aon’s Human Capital team on topics ranging from health and benefits, retirement and talent practices. You can reach out to our team at any time to learn how we can help address emerging workforce challenges.

Mergers and Acquisitions

Our Mergers and Acquisitions (M&A) collection gives you access to the latest insights from Aon's thought leaders to help dealmakers make better decisions. Explore our latest insights and reach out to the team at any time for assistance with transaction challenges and opportunities.

Natural Resources and Energy Transition

The challenges in adopting renewable energy are changing with technological advancements, increasing market competition and numerous financial support mechanisms. Learn how your organization can benefit from our renewables solutions. 

Navigating Volatility

How do businesses navigate their way through new forms of volatility and make decisions that protect and grow their organizations?

Parametric Insurance

Our Parametric Insurance Collection provides ways your organization can benefit from this simple, straightforward and fast-paying risk transfer solution. Reach out to learn how we can help you make better decisions to manage your catastrophe exposures and near-term volatility.

Pay Transparency and Equity

Our Pay Transparency and Equity collection gives you access to the latest insights from Aon's human capital team on topics ranging from pay equity to diversity, equity and inclusion. Contact us to learn how we can help your organization address these issues.

Property Risk Management

Forecasters are predicting an extremely active 2024 Atlantic hurricane season. Take measures to build resilience to mitigate risk for hurricane-prone properties.

Technology

Our Technology Collection provides access to the latest insights from Aon's thought leaders on navigating the evolving risks and opportunities of technology. Reach out to the team to learn how we can help you use technology to make better decisions for the future.

Top 10 Global Risks

Trade, technology, weather and workforce stability are the central forces in today’s risk landscape.

Trade

Our Trade Collection gives you access to the latest insights from Aon's thought leaders on navigating the evolving risks and opportunities for international business. Reach out to our team to understand how to make better decisions around macro trends and why they matter to businesses.

Transaction Solutions Global Claims Study

Better Decisions Across Interconnected Risk and People Issues.

Weather

With a changing climate, organizations in all sectors will need to protect their people and physical assets, reduce their carbon footprint, and invest in new solutions to thrive. Our Weather Collection provides you with critical insights to be prepared.

Workforce Resilience

Our Workforce Resilience collection gives you access to the latest insights from Aon's Human Capital team. You can reach out to the team at any time for questions about how we can assess gaps and help build a more resilience workforce.

More Like This

View All
View All
Subscribe CTA Banner