Close Menu
Cybercrime and Ransomware

Makop Ransomware: Exploiting RDP with AV-Killer and More

Staff WriterBy No Comments4 Mins Read6 Views

Essential Insights

  1. Makop ransomware, part of the Phobos family since 2020, persists as a major threat, primarily targeting Indian companies through RDP brute-force attacks combined with privilege escalation and bypass tools.
  2. Attackers leverage off-the-shelf vulnerabilities, legitimate signed drivers (e.g., hlpdrv.sys, ThrottleStop.sys), and various exploits to gain system-level access, evade detection, and conduct lateral movement.
  3. The attack sequence involves initial RDP compromise, network enumeration, privilege escalation using multiple CVEs, and deploying secondary payloads like GuLoader to enhance payload delivery and persistence.
  4. Makop operators adapt regionally, employ sophisticated evasion tactics such as deceptive file names, and target core Windows components, emphasizing the evolving complexity and resilience in their methods.

What’s the Problem?

Makop ransomware, a malicious strain first observed in 2020 as part of the Phobos malware family, has continued to evolve into a formidable threat targeting organizations worldwide. Attackers employ a structured approach, starting with brute-force Remote Desktop Protocol (RDP) attacks, often using tools like NLBrute to crack weak credentials. Once inside, they deploy a sophisticated toolkit that includes privilege escalation exploits, network scanners, and malware delivery methods, such as GuLoader for secondary payloads. The attackers prefer low-complexity, high-impact techniques, leveraging publicly known vulnerabilities and off-the-shelf tools to minimize detection and maximize their success. Regions like India are most frequently targeted, accounting for 55% of incidents, with attackers strategically using deception tactics such as file name camouflage and exploiting legitimate drivers like hlpdrv.sys and ThrottleStop.sys to bypass security defenses. Reports from security analysts at Acronis highlight how threat actors continually adapt, integrating advanced evasion techniques and exploiting a range of vulnerabilities—particularly older ones—to maintain persistence and escalate privileges. This ongoing sophistication, combined with regional adaptations such as targeting antivirus solutions like Quick Heal, illustrates how Makop operators persistently refine their methods, posing a significant challenge to cybersecurity defenses across the globe.

What’s at Stake?

The ‘Makop Ransomware Exploits RDP Systems with AV Killer and Other Exploits’ is a serious cyber threat that can strike any business relying on Remote Desktop Protocol (RDP) access. If hackers gain unauthorized entry, they can deploy ransomware that locks critical files and demands payment, causing severe operational shutdowns. Moreover, Makop often uses tools like AV killers to disable antivirus software, making it harder to detect and stop. Consequently, this breach leads to data theft, financial loss, and damage to your company’s reputation. Without proper security measures, your business faces unpredictable risks, interruptions, and costly recoveries. Therefore, understanding and combating these exploits is essential to safeguard your operations from devastating cyber attacks.

Fix & Mitigation

Quick action is critical when dealing with Makop ransomware exploits targeting RDP systems, especially since attackers utilize AV killers and other methods to evade detection. Rapid remediation minimizes damage, prevents spread, and restores security.

Mitigation Measures:

  • Patch Management: Ensure all systems are updated with the latest security patches, especially for RDP services and related vulnerabilities.

  • Access Controls: Implement strong, multi-factor authentication and restrict RDP access to only necessary users and IP addresses.

  • Network Segmentation: Isolate RDP servers from other network segments to contain potential breaches.

  • Threat Detection: Deploy and configure Intrusion Detection Systems (IDS) and Antivirus solutions to identify malicious activities.

Remediation Steps:

  • Incident Response: Activate your incident response plan immediately to contain and investigate the breach.

  • System Isolation: Disconnect infected or compromised systems from the network to prevent further spread.

  • Malware Removal: Use reputable antivirus and anti-malware tools to cleanse infected systems.

  • Restoration and Recovery: Restore affected systems from secure backups and verify their integrity before bringing them back online.

  • Post-incident Analysis: Conduct a thorough review to identify the root cause and update security controls accordingly.

Stay Ahead in Cybersecurity

Stay informed on the latest Threat Intelligence and Cyberattacks.

Access world-class cyber research and guidance from IEEE.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1cyberattack-v1-multisource

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.