Makop Ransomware Weaponizes Legitimate Drivers for Attacks

Dec 10, 2025

Ransomware has matured from a nuisance into a well-run criminal business, and its operators keep refining their tradecraft to get past modern defenses. Makop, a derivative of the Phobos malware family, has been a significant global threat since it was first detected in 2020. Its operators have settled on a methodical attack chain that pairs low-complexity entry with advanced post-compromise techniques aimed at dismantling security tooling before extortion begins. Incidents have been confirmed in Brazil and Germany, but recent analysis shows a striking concentration in India, which accounts for 55 percent of all reported compromises. That focus is reflected in the toolset: the group carries purpose-built utilities for disabling security products that hold a large market share in the region, a calculated and adaptive choice rather than an accident of targeting.

The Attack Chain from Entry to Escalation

Makop intrusions consistently begin with internet-exposed Remote Desktop Protocol (RDP) services. This is credential guessing rather than a protocol flaw: tools such as NLBrute hammer weak or reused passwords on exposed hosts until one works, which is why the fix is exposure reduction (an RD Gateway or VPN in front of RDP, MFA, and an account lockout policy) rather than a patch. A valid set of credentials gives the operators a reliable foothold from which to stage a multi-step assault on the internal network. Once inside, they run a standard reconnaissance toolkit. Network scanners such as NetScan, Advanced IP Scanner and Masscan map the infrastructure, enumerate connected hosts, and pick out high-value targets such as file servers and domain controllers. This mapping phase shapes the lateral-movement plan and the path to the end goal of encrypting as much of the estate as possible.
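As an added example, not code from the article or from any Makop analysis it summarizes, the following Python sketch shows the detection logic a SOC would run over Windows Security logon events to catch the brute-force-then-success pattern described above. The events are constructed for the example and flattened to one line each; the field names (EventID, LogonType, TargetUser, SourceIP) mirror the Security log, but the exact line rendering is an assumption about your log pipeline. The rule keys on LogonType 10 (RemoteInteractive, i.e. RDP), counts 4625 failures per source address in a sliding window, and raises the severity when a 4624 from the same address follows the burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real telemetry): Windows Security events flattened to
# one line each. 4625 = failed logon, 4624 = successful logon; LogonType 10 is
# RemoteInteractive, i.e. an RDP session. 203.0.113.7 plays the attacker and
# 10.0.0.5 is a user who mistypes a password twice.
SAMPLE_EVENTS = """\
2025-12-01T02:14:03 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2025-12-01T02:14:04 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2025-12-01T02:14:05 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2025-12-01T02:14:06 EventID=4625 LogonType=2 TargetUser=jsmith SourceIP=10.0.0.5
2025-12-01T02:14:07 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2025-12-01T02:14:08 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2025-12-01T02:14:09 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2025-12-01T02:15:30 EventID=4624 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2025-12-01T02:20:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.5
2025-12-01T02:20:09 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.5
2025-12-01T02:20:20 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the flattened lines into dicts, oldest first; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "eid": int(m["eid"]),
                "ltype": int(m["ltype"]),
                "user": m["user"],
                "ip": m["ip"],
            })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of RDP logon failures per source address.

    Emits one 'rdp_bruteforce' alert when an address reaches `threshold`
    failures inside `window`, and an 'rdp_bruteforce_success' alert if that
    address then logs on successfully while its failures are still in the window.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent 4625s
    users_tried = defaultdict(set)  # ip -> account names it guessed
    flagged = set()                 # ips already reported as brute forcing
    alerts = []
    for e in events:
        if e["ltype"] != 10:        # only RDP sessions matter for this rule
            continue
        ip, q = e["ip"], failures[e["ip"]]
        while q and e["ts"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if e["eid"] == 4625:
            q.append(e["ts"])
            users_tried[ip].add(e["user"])
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"rule": "rdp_bruteforce", "severity": "medium",
                               "ip": ip, "failures": len(q),
                               "users": sorted(users_tried[ip]), "at": e["ts"]})
        elif e["eid"] == 4624 and ip in flagged and q:
            # a success right after a burst of failures is the signal worth paging on
            alerts.append({"rule": "rdp_bruteforce_success", "severity": "high",
                           "ip": ip, "user": e["user"], "at": e["ts"]})
    return alerts


def run_sample():
    return detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The threshold and window are deliberately loose so that a user fat-fingering a password twice stays silent while a spray across several accounts from one address does not; tune both to your environment, and treat the high-severity success alert as an incident, not a ticket.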

After the initial foothold and reconnaissance, the operators move to privilege escalation, a cornerstone of the Makop playbook. The goal is to go from a low-privilege account to administrative or SYSTEM rights, which are needed both to disable security products and to push the encryptor across the network. To make that step reliable, the group keeps a redundant collection of local privilege escalation (LPE) exploits: if one vulnerability is patched or one exploit fails on a given host, there are alternatives. Observed campaigns exploit a wide range of Windows vulnerabilities, some several years old, including CVE-2016-0099 (the Secondary Logon service flaw fixed in MS16-032) and CVE-2018-8639 (Win32k). That such old flaws still succeed points to a persistent problem: many organizations do not apply security updates in a timely and consistent manner and remain exposed to well-documented, long-weaponized bugs.

Weaponizing Legitimate System Components

What sets Makop apart from less sophisticated ransomware operations is its use of the "Bring Your Own Vulnerable Driver" (BYOVD) technique: the operators install a legitimate, digitally signed third-party driver that happens to contain a known vulnerability. It is worth being precise about what this does and does not defeat. Driver Signature Enforcement (DSE) only checks that kernel code carries a valid signature, and the dropped driver does, so Windows loads it normally; the attackers then abuse the driver's flawed IOCTL interface from user mode to read and write kernel or physical memory, which is exactly the outcome DSE exists to prevent but cannot stop here. Installing a driver requires administrative rights (SeLoadDriverPrivilege), which is why the LPE stage comes first. With kernel-level read and write access the operators can reach into and terminate endpoint detection and response (EDR) and antivirus (AV) processes, whose anti-tampering and Protected Process Light status only stop other user-mode code. For defenders the practical response is to block known-bad drivers before they load, using Microsoft's vulnerable driver blocklist enforced through HVCI or WDAC, and to alert on kernel driver loads from unusual paths, because once loaded the file looks like any other trusted, signed system component.

Two specific drivers have been identified in Makop campaigns: hlpdrv.sys, previously seen in MedusaLocker and Akira intrusions, and ThrottleStop.sys. The latter is a genuine driver shipped by TechPowerUp with a widely used CPU monitoring utility. The attackers exploit a high-severity vulnerability in it, CVE-2025-7771, to read and write physical memory directly, which lets them kill security processes without the user-mode process-protection controls that would block an ordinary termination and without the alerts those controls would normally raise. The choice of drivers and exploits is deliberate and fits a broader defense-evasion strategy: the same campaigns deploy dedicated uninstallers for Quick Heal Antivirus, a product with a large market share in India. The match between toolset and victim geography confirms that the operators tailor their methods to the defenses they expect to meet.
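To make the detection side of the two passages above concrete, here is an added Python example (not code from the article or from the researchers it summarizes) that checks driver-load telemetry against a blocklist of known vulnerable drivers. It consumes Sysmon event 6 (DriverLoad) and System-log 7045 (service installed) records, constructed and flattened to key=value lines for the example; the SHA-256 values are placeholders, not the real digests of ThrottleStop.sys or hlpdrv.sys, and in production they would come from Microsoft's vulnerable driver blocklist or a project such as LOLDrivers. The check deliberately ignores signature status, because a BYOVD driver is validly signed by design: it matches by hash first, which survives renaming, and by file name as a fallback for builds the list does not yet know.

```python
import re
from pathlib import PureWindowsPath

# Placeholder digests for the example: NOT the real hashes of these drivers.
H_THROTTLESTOP, H_HLPDRV = "aa" * 32, "bb" * 32
H_NDIS, H_UNKNOWN, H_MD5 = "cc" * 32, "dd" * 32, "11" * 16

# Constructed blocklist keyed by file name, each with the SHA-256 digests of
# known-vulnerable builds. Real lists carry many digests per driver.
VULNERABLE_DRIVERS = {
    "throttlestop.sys": {H_THROTTLESTOP},
    "hlpdrv.sys": {H_HLPDRV},
}
BAD_HASHES = {h: name for name, hashes in VULNERABLE_DRIVERS.items() for h in hashes}

# Constructed sample telemetry (not from the article): a 7045 service install of
# a kernel driver, Sysmon DriverLoad events, one renamed copy of hlpdrv.sys, one
# benign driver, one user-mode service and one unknown driver.
SAMPLE_EVENTS = rf"""
EventID=7045 ServiceName=ThrottleStop ServiceFileName=C:\Users\Public\Music\ThrottleStop.sys ServiceType="kernel mode driver"
EventID=6 ImageLoaded=C:\Users\Public\Music\ThrottleStop.sys Hashes=SHA256={H_THROTTLESTOP},MD5={H_MD5} Signed=true SignatureStatus=Valid
EventID=6 ImageLoaded=C:\Windows\System32\drivers\hlp.sys Hashes=SHA256={H_HLPDRV} Signed=true SignatureStatus=Valid
EventID=6 ImageLoaded=C:\Windows\System32\drivers\ndis.sys Hashes=SHA256={H_NDIS} Signed=true SignatureStatus=Valid
EventID=7045 ServiceName=AppSvc ServiceFileName="C:\Program Files\Vendor\app.exe" ServiceType="user mode service"
EventID=6 ImageLoaded=C:\Users\admin\Desktop\mon.sys Hashes=SHA256={H_UNKNOWN} Signed=true SignatureStatus=Valid
"""

# key=value pairs; a value is either a double-quoted string or a run of non-spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def sha256_from(fields):
    """Pull the SHA-256 out of a Sysmon 'Hashes' field such as 'SHA256=..,MD5=..'."""
    for part in fields.get("Hashes", "").split(","):
        algo, _, digest = part.partition("=")
        if algo.upper() == "SHA256":
            return digest.lower()
    return None


def driver_path(fields):
    """Image path for a DriverLoad or kernel-driver service install, else None."""
    if fields.get("EventID") == "6":
        return fields.get("ImageLoaded")
    if fields.get("EventID") == "7045" and "kernel" in fields.get("ServiceType", "").lower():
        return fields.get("ServiceFileName")
    return None


def check_driver(fields):
    """Return an alert dict if the event loads a blocklisted driver, else None."""
    path = driver_path(fields)
    if not path:
        return None
    name = PureWindowsPath(path).name.lower()
    digest = sha256_from(fields)
    # Signed=true / SignatureStatus=Valid is expected for a BYOVD driver, so the
    # signature fields are deliberately not consulted.
    if digest and digest in BAD_HASHES:
        return {"path": path, "match": "hash", "driver": BAD_HASHES[digest], "severity": "high"}
    if name in VULNERABLE_DRIVERS:
        return {"path": path, "match": "name", "driver": name, "severity": "high"}
    return None


def scan_driver_events(text):
    alerts = []
    for line in text.splitlines():
        hit = check_driver(parse_line(line))
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan_driver_events(SAMPLE_EVENTS):
        print(alert)
```

Note what the sample shows: the 7045 record carries no hash, so it is caught only by name; the renamed hlp.sys is caught only by hash; and the unknown driver dropped on a Desktop produces nothing, which is a reminder that a blocklist is a floor. Prevention belongs in WDAC or HVCI with Microsoft's recommended driver block rules; this logic is for visibility into what slipped past them.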

Evasion Tactics and Operational Evolution

To stay unnoticed for as long as possible, Makop operators use a handful of stealth and evasion techniques. Malicious executables are given deceptive names such as taskmgr.exe, bug_hand.exe and mc_osn.exe, either mimicking a legitimate Windows binary or looking unremarkable enough to be ignored by a casual observer. This simple masquerading can delay both administrators and automated tools, although it is also easy to catch: the genuine taskmgr.exe lives only under System32 and SysWOW64, so a file with that name anywhere else is a reliable indicator. The operators also stage payloads in non-standard but heavily used locations, such as drives mapped through the RDP session, user Music libraries and Desktop folders. Those directories blend in with ordinary user activity and fall outside the monitoring that many deployments concentrate on System32 or Program Files, exploiting a blind spot in the organization's coverage.
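Added example, not from the article: a Python check over Sysmon event 1 (ProcessCreate) records that flags the two habits described above, a well-known Windows binary name running from the wrong directory, and executables launched from RDP-mapped \\tsclient drives, user Music libraries or Desktop folders. The event lines, the set of system binaries and the directory patterns are constructed for the example and are a starting point rather than a complete list.

```python
import re
from pathlib import PureWindowsPath

# Constructed subset of Windows binaries whose names get borrowed, with the only
# directories each legitimately runs from (lower-case, no trailing backslash).
SYSTEM_BINARIES = {
    "taskmgr.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
}

# Launch locations the article associates with Makop tooling, matched against
# the directory part of the image path.
SUSPICIOUS_DIRS = [
    (re.compile(r"^\\\\tsclient\\", re.I), "RDP-mapped client drive"),
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\music(\\|$)", re.I), "user Music library"),
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\desktop(\\|$)", re.I), "user Desktop folder"),
]

# Constructed Sysmon ProcessCreate lines, not real telemetry.
SAMPLE_EVENTS = r"""
EventID=1 Image=C:\Windows\System32\Taskmgr.exe ParentImage=C:\Windows\explorer.exe User=CORP\jsmith
EventID=1 Image=C:\Users\Public\Music\taskmgr.exe ParentImage=C:\Windows\System32\cmd.exe User=CORP\svc_backup
EventID=1 Image=\\tsclient\C\tools\bug_hand.exe ParentImage=C:\Windows\explorer.exe User=CORP\svc_backup
EventID=1 Image=C:\Users\svc_backup\Desktop\mc_osn.exe ParentImage=C:\Windows\System32\cmd.exe User=CORP\svc_backup
EventID=1 Image="C:\Program Files\Vendor\tool.exe" ParentImage=C:\Windows\explorer.exe User=CORP\jsmith
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def inspect_process(image):
    """Return the reasons an image path looks like Makop-style masquerading (empty if clean)."""
    p = PureWindowsPath(image)
    name, folder = p.name.lower(), str(p.parent).lower()
    reasons = []
    expected = SYSTEM_BINARIES.get(name)
    if expected and folder not in expected:
        reasons.append(f"{name} is a Windows binary name but ran from {folder} "
                       f"(expected one of {sorted(expected)})")
    for pattern, label in SUSPICIOUS_DIRS:
        if pattern.match(folder):
            reasons.append(f"launched from {label}: {folder}")
    return reasons


def scan_process_events(text):
    findings = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields.get("EventID") != "1" or "Image" not in fields:
            continue
        reasons = inspect_process(fields["Image"])
        if reasons:
            findings.append({"image": fields["Image"], "user": fields.get("User"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_process_events(SAMPLE_EVENTS):
        print(finding)
```

The first sample line is the real Task Manager and stays silent; the copy in Public\Music trips both checks at once, which is the combination worth a high-severity rule. Expect some noise from the Desktop pattern in environments where users run portable tools, so pair it with parent-process and signer context before paging anyone.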

Makop continues to adapt as the landscape shifts. Analysts have observed new capabilities in its arsenal, most notably GuLoader, a well-known downloader used to deliver secondary payloads; its adoption indicates a move to more sophisticated, multi-stage and in some cases polyglot delivery that is more resilient to detection. The whole process, from RDP brute forcing and lateral movement through data exfiltration to deployment of the encryptor, is carefully orchestrated. One telling trait is the response to detection: if security tooling identifies the activity mid-attack, the operators either escalate to more advanced evasion or, if the defenses cannot be bypassed, abandon the target altogether. This economical use of effort is part of what makes Makop a resilient threat.
