This article details the Makop ransomware gang: who they target, the custom and off-the-shelf tools they use, and the indicators associated with them.
Makop ransomware is a tier-B ransomware actor that has been in operation since 2020. The threat actor has been successfully targeting companies in Europe, Italy in particular, with a hybrid arsenal of custom-developed and off-the-shelf software tools.
Makop ransomware uses a set of custom-developed tools to carry out its attacks.
One of them is a tool called ARestore, built in 2020 and partially obfuscated. It generates comb lists of local Windows usernames and candidate passwords and tests them locally; it is used after the initial access phase of the attack chain.
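From the defender's side, the ARestore behaviour described above (local username/password combinations tested on the host itself) shows up as a burst of Windows Security failed-logon events (EventID 4625) across several local accounts in a short window, sometimes followed by a successful logon (4624) for one of them. The detector below is an added example written for this article, not a tool of the gang's or of any vendor; it runs over constructed sample events, and the host names, account names, thresholds and the simplified record layout are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(value):
    return datetime.fromisoformat(value)


def _event(ts, host, event_id, user):
    # Simplified Windows Security record: 4625 = failed logon, 4624 = successful logon.
    return {"ts": ts, "host": host, "event_id": event_id, "user": user}


# Constructed sample telemetry (not taken from the article). WS01 sees twelve
# failed logons across three local accounts within about half a minute and then
# a success for one of them; WS02 shows two ordinary mistyped passwords.
LOCAL_ACCOUNTS = ["admin", "backup", "svc_sql"]
SAMPLE_EVENTS = [
    _event(f"2024-01-10T09:00:{i * 3:02d}", "WS01", 4625, LOCAL_ACCOUNTS[i % 3])
    for i in range(12)
] + [
    _event("2024-01-10T09:00:40", "WS01", 4624, "backup"),
    _event("2024-01-10T10:15:00", "WS02", 4625, "jdoe"),
    _event("2024-01-10T10:15:30", "WS02", 4625, "jdoe"),
    _event("2024-01-10T10:15:45", "WS02", 4624, "jdoe"),
]


def detect_local_spray(events, window_seconds=60, min_failures=10, min_users=3):
    """Flag hosts where >= min_failures failed logons spanning >= min_users
    distinct accounts occur within window_seconds, and report which of those
    accounts logged on successfully afterwards. Thresholds are assumptions."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs = sorted(evs, key=lambda e: _ts(e["ts"]))
        failures = [e for e in evs if e["event_id"] == 4625]
        for i, first in enumerate(failures):
            t0 = _ts(first["ts"])
            limit = t0 + timedelta(seconds=window_seconds)
            window = [f for f in failures[i:] if _ts(f["ts"]) <= limit]
            users = {f["user"] for f in window}
            if len(window) >= min_failures and len(users) >= min_users:
                later_success = {
                    e["user"] for e in evs
                    if e["event_id"] == 4624 and _ts(e["ts"]) >= t0 and e["user"] in users
                }
                alerts.append({
                    "host": host,
                    "window_start": first["ts"],
                    "failures": len(window),
                    "users": users,
                    "later_success": later_success,
                })
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_local_spray(SAMPLE_EVENTS):
        print(alert)
```

The "later_success" field is the part worth escalating first: a success for an account that was in the failed burst is the combination that a credential-testing tool produces and a user typo does not.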
The operators also use other custom .NET assemblies, such as PuffedUp, to carry out later stages of the kill chain. PuffedUp is designed to maintain persistence after initial access.
The tool relies on a text configuration file placed in the same folder, containing one or more 42-character strings that it places into the user's clipboard.
The gang also uses off-the-shelf open-source and freeware tools for lateral movement and system discovery.
Makop abuses tools such as Microsoft Sysinternals PsExec, PuTTY, Mimikatz, Advanced Port Scanner, the Everything file-search tool for Windows, and YDArk.
The Makop ransomware gang thus has an arsenal of both custom-developed and off-the-shelf software tools at its disposal, and its use of them is a clear illustration of how the techniques cybercriminals use for digital extortion keep evolving.
Organizations must take proactive measures to defend themselves against Makop-style attacks, including keeping software up to date and conducting regular security audits.
Indicators of Compromise
- 7f86b67ac003eda9d2929c9317025013 arestore.exe
- e245f8d129e8eadb00e165c569a14b71 data.exe
- 6a58b52b184715583cda792b56a0a1ed Advanced_Port_Scanner_2.5.3869.exe
- b69d036d1dcfc5c0657f3a1748608148 Everything.exe
- 9fd28d2318f66e4fe37a9a5bc1637928 YDArk.exe
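The following is an added example, not from the article or from any vendor tool, that turns the MD5 indicators above and the PuffedUp configuration-file description (a text file in the same folder as the executable, holding 42-character strings) into a simple filesystem hunt. It streams every file under a directory through MD5 and matches against the list, and it flags text files that sit beside an executable and contain lines of exactly 42 printable characters. The demo directory, its file names and the hash of the fake "tool.exe" are constructed for the demonstration; the 42-character heuristic is deliberately loose (any 42-character line matches), so its hits are triage leads, not confirmation.

```python
import hashlib
import os
import string
import tempfile

# MD5 indicators exactly as listed in the article, keyed by digest.
MAKOP_MD5 = {
    "7f86b67ac003eda9d2929c9317025013": "arestore.exe",
    "e245f8d129e8eadb00e165c569a14b71": "data.exe",
    "6a58b52b184715583cda792b56a0a1ed": "Advanced_Port_Scanner_2.5.3869.exe",
    "b69d036d1dcfc5c0657f3a1748608148": "Everything.exe",
    "9fd28d2318f66e4fe37a9a5bc1637928": "YDArk.exe",
}

# Printable ASCII minus line/page separators, for the 42-character-line check.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def md5_of_file(path):
    """Stream the file through MD5 so large binaries do not land in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_42char_lines(data):
    """Return the lines of an ASCII text blob that are exactly 42 printable
    characters long (the PuffedUp configuration-file trait from the article).
    Non-ASCII (e.g. binary) input yields no matches."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return []
    return [ln for ln in text.splitlines()
            if len(ln) == 42 and all(ch in PRINTABLE for ch in ln)]


def hunt(root, iocs=MAKOP_MD5):
    """Walk root; report hash matches and 42-char-line text files next to an .exe."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        has_exe = any(f.lower().endswith(".exe") for f in files)
        for name in files:
            path = os.path.join(dirpath, name)
            digest = md5_of_file(path)
            if digest in iocs:
                hits.append({"path": path, "reason": "md5 matches " + iocs[digest]})
            if has_exe and name.lower().endswith(".txt"):
                with open(path, "rb") as fh:
                    lines = find_42char_lines(fh.read(4096))  # config files are small
                if lines:
                    hits.append({"path": path,
                                 "reason": f"{len(lines)} 42-char line(s) beside an executable"})
    return hits


def build_demo_tree():
    """Construct a throwaway directory (sample data, no real malware): staging/
    holds a fake .exe plus a PuffedUp-style config, while notes.txt at the top
    level has a 42-char line but no executable beside it and must not fire."""
    root = tempfile.mkdtemp(prefix="makop_hunt_demo_")
    staging = os.path.join(root, "staging")
    os.makedirs(staging)
    with open(os.path.join(staging, "tool.exe"), "wb") as fh:
        fh.write(b"MZ this is not a real executable")
    with open(os.path.join(staging, "config.txt"), "w") as fh:
        fh.write("A" * 42 + "\nshort line\n" + "B" * 42 + "\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("C" * 42 + "\n")
    return root


def run_demo():
    """Hunt the demo tree with the article's IoCs plus the constructed hash of
    the fake tool.exe, so that both detection paths fire."""
    root = build_demo_tree()
    iocs = dict(MAKOP_MD5)
    iocs[md5_of_file(os.path.join(root, "staging", "tool.exe"))] = "tool.exe (constructed demo hash)"
    return hunt(root, iocs)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit["reason"], "->", hit["path"])
```

Against a real host you would point `hunt()` at user-writable locations such as temp and profile directories; renamed copies of the tools still match on hash, while recompiled or repacked ones do not, which is why the behavioural check on the configuration file is kept alongside the hash list.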