Makop ransomware, a variant of the Phobos malware family, continues to pose a significant threat to businesses globally, with recent analyses highlighting a sophisticated approach that combines brute-force RDP attacks with advanced privilege escalation and security bypass techniques. The majority of observed attacks, around 55%, specifically target organizations in India, though other regions like Brazil and Germany have also reported compromises. This evolving threat landscape necessitates a deeper understanding of Makop’s modus operandi to effectively bolster defenses.
Attackers utilizing Makop ransomware are employing a strategy of low complexity and high impact, leveraging readily available tools and publicly disclosed vulnerabilities to maximize their success rates while minimizing the risk of detection. This methodical approach allows them to gain initial access, move laterally within a network, and ultimately deploy their encryption payloads, causing significant disruption to business operations.
The typical attack chain for Makop ransomware begins with targeting the Remote Desktop Protocol (RDP). Threat actors gain initial access by employing brute-force tools, such as NLBrute, to crack weak or reused RDP credentials on exposed systems. Once inside a compromised network, attackers deploy a comprehensive toolkit that includes network scanners, privilege escalation exploits, antivirus removal tools, and credential-dumping utilities. This allows them to identify valuable targets and gather crucial information before deploying their ransomware.
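The initial-access step above (password guessing against exposed RDP, followed by a successful logon with a cracked credential) is visible in the Windows Security log as a burst of failed logons (EventID 4625, LogonType 10) from one source address followed by a success (EventID 4624) from the same address. The following detection rule is an added example written for this article, not code from the original report or from any vendor; the event records are constructed sample values shaped like the relevant Security-log fields, and the threshold and window are assumed defaults to tune for your environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security log fields
# (EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP).
# These are illustrative values, not real log data.
SAMPLE_EVENTS = [
    # A legitimate user mistypes a password twice, then succeeds: no alert.
    {"time": "2025-09-01T08:00:10", "event_id": 4625, "logon_type": 10, "user": "alice", "src_ip": "198.51.100.7"},
    {"time": "2025-09-01T08:00:25", "event_id": 4625, "logon_type": 10, "user": "alice", "src_ip": "198.51.100.7"},
    {"time": "2025-09-01T08:00:40", "event_id": 4624, "logon_type": 10, "user": "alice", "src_ip": "198.51.100.7"},
    # A password-guessing tool cycles accounts from one address, then lands a hit.
    {"time": "2025-09-01T02:00:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2025-09-01T02:00:03", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.45"},
    {"time": "2025-09-01T02:00:05", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.45"},
    {"time": "2025-09-01T02:00:07", "event_id": 4625, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.45"},
    {"time": "2025-09-01T02:00:09", "event_id": 4625, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.45"},
    {"time": "2025-09-01T02:00:11", "event_id": 4625, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.45"},
    {"time": "2025-09-01T02:00:13", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.45"},
    # A console logon failure (LogonType 2) is out of scope for this rule.
    {"time": "2025-09-01T02:00:14", "event_id": 4625, "logon_type": 2, "user": "bob", "src_ip": "-"},
]


def detect_rdp_bruteforce(events, threshold=5, window_seconds=300):
    """Flag a source IP once it reaches `threshold` failed RDP logons inside the
    sliding window, and flag a subsequent successful RDP logon from that source.

    Returns a list of alert dicts in chronological order."""
    alerts = []
    failures = defaultdict(deque)  # src_ip -> timestamps of recent 4625 events
    window = timedelta(seconds=window_seconds)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("logon_type") != 10:
            continue  # only RemoteInteractive (RDP) logons
        ts = datetime.fromisoformat(ev["time"])
        ip = ev["src_ip"]
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that have aged out of the window
        if ev["event_id"] == 4625:
            recent.append(ts)
            if len(recent) == threshold:  # fire once, when the threshold is first crossed
                alerts.append({"kind": "bruteforce_attempt", "src_ip": ip,
                               "failures": len(recent), "time": ev["time"]})
        elif ev["event_id"] == 4624 and len(recent) >= threshold:
            # Success after a failure burst is the high-value signal: a guessed credential.
            alerts.append({"kind": "bruteforce_success", "src_ip": ip, "user": ev["user"],
                           "failures": len(recent), "time": ev["time"]})
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The `bruteforce_success` alert is the one worth paging on: it names the account whose password was guessed, which is the account to reset and the session to hunt for. Running this against real exports requires mapping your log format (EVTX, Winlogbeat, a SIEM export) onto the five fields used here; the source address for RDP failures is the `IpAddress` field of 4625, which is empty or `-` for local logons, so those records drop out naturally.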
Recent advancements in Makop’s capabilities include the integration of GuLoader malware, which serves as a delivery mechanism for secondary payloads. This evolution underscores the dynamic nature of the cyber threat landscape and the continuous innovation by ransomware groups. Attackers utilize deceptive file naming conventions and execute malicious files from non-standard directories to evade detection. Executables are often named to mimic legitimate Windows processes, such as taskmgr.exe or mc_osn.exe, further complicating detection efforts by security solutions.
Tools utilized in Makop attacks are frequently placed in network-mounted RDP shares, music directories, or desktop folders. This placement aims to blend in with normal user activity and reduce the visibility of malicious operations to security monitoring systems. The attack flow consistently prioritizes network discovery and lateral movement before attempting to disable security software, indicating a well-planned and executed strategy.
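Both evasion habits described above, system-process names reused for executables, and tooling staged on RDP-mounted client drives, Music folders or the desktop, reduce to a check on the process image path. The triage helper below is an added example for this article, not code from the original report: the list of Windows process names beyond taskmgr.exe, the staging-folder markers and the sample process paths are assumptions and constructed values (mc_osn.exe and taskmgr.exe are the names the report cites).

```python
from pathlib import PureWindowsPath

# Directories in which the genuine copies of core Windows binaries live.
# Matching is on the exact parent directory, so C:\Windows\Temp does not pass.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
# Process names an attacker borrows to blend in. taskmgr.exe comes from the report;
# the others are common Windows process names (assumed list; extend for your estate).
SYSTEM_BINARIES = {"taskmgr.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}
# Path fragments for the staging locations the report describes: an RDP-mounted client
# drive (\\tsclient\...), a Music folder and a Desktop folder.
STAGING_MARKERS = ("\\tsclient\\", "\\music\\", "\\desktop\\")

# Constructed sample of process image paths as a process-creation log would record them.
SAMPLE_PROCESSES = [
    r"C:\Windows\System32\taskmgr.exe",               # genuine Task Manager
    r"C:\Windows\explorer.exe",                       # genuine Explorer
    r"C:\Users\bob\Music\taskmgr.exe",                # mimics taskmgr.exe, staged in Music
    r"C:\Windows\Temp\svchost.exe",                   # system name outside a system directory
    r"\\tsclient\C\tools\mc_osn.exe",                 # tool run from an RDP-mounted client drive
    r"C:\Users\bob\Desktop\mc_osn.exe",               # tool staged on the desktop
    r"C:\Program Files\Mozilla Firefox\firefox.exe",  # ordinary application, no finding
]


def classify_process(image_path):
    """Return the list of findings for one process image path (empty = nothing suspicious)."""
    p = PureWindowsPath(image_path)
    name = p.name.lower()
    parent = str(p.parent).lower()  # PureWindowsPath keeps case; normalise for comparison
    findings = []
    if name in SYSTEM_BINARIES and parent not in SYSTEM_DIRS:
        findings.append("masquerade:%s outside system directory" % name)
    lowered = image_path.lower()
    for marker in STAGING_MARKERS:
        if marker in lowered:
            findings.append("staging_location:%s" % marker.strip("\\"))
            break  # one location finding per path is enough
    return findings


def triage(image_paths):
    """Map each flagged path to its findings; paths with no findings are omitted."""
    flagged = {}
    for path in image_paths:
        findings = classify_process(path)
        if findings:
            flagged[path] = findings
    return flagged


if __name__ == "__main__":
    for path, findings in triage(SAMPLE_PROCESSES).items():
        print(path, "->", ", ".join(findings))
```

Feed it image paths from Sysmon Event ID 1 or Security EventID 4688 (with command-line auditing enabled). The name check deliberately ignores the file's signature and hash: a renamed tool has neither, and the point is that the name alone proves nothing unless the path agrees with it.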
Privilege Escalation and Driver Exploitation: The Backbone of Makop’s Success
The effectiveness of Makop ransomware is significantly attributed to its extensive collection of local privilege escalation (LPE) exploits. These exploits allow attackers to transition from user-level access to high-level system privileges, granting them greater control over compromised systems. The ransomware group maintains a diverse set of LPE primitives in its toolkit, ensuring that even if one exploit is patched, alternative options remain available.
Frequently exploited vulnerabilities include CVE-2017-0213, CVE-2018-8639, CVE-2021-41379, and CVE-2016-0099, all providing reliable pathways to gain system-level access. These vulnerabilities target critical Windows components, including kernel subsystems, driver interfaces, and system utilities, making them particularly potent for ransomware deployment.
| CVE ID | Component | CVSS Score | Severity | Type | Impact |
|---|---|---|---|---|---|
| CVE-2016-0099 | Windows Elevation of Privilege | 7.8 | High | Local Privilege Escalation | Windows kernel vulnerability enabling privilege escalation |
| CVE-2017-0213 | Windows Update Medic Service | 7.8 | High | Local Privilege Escalation | Device driver vulnerability exploited for system access |
| CVE-2018-8639 | Win32k Subsystem | 7.8 | High | Local Privilege Escalation | Windows kernel elevation leading to system privileges |
| CVE-2019-1388 | Windows Service Control Manager | 7.0 | High | Local Privilege Escalation | Allows attackers to elevate privileges through Windows elevation dialog |
| CVE-2020-0787 | Windows Update Medic Service | 7.8 | High | Local Privilege Escalation | BITS service elevation vulnerability |
| CVE-2020-0796 | SMB Protocol | 10.0 | Critical | Remote Code Execution / Privilege Escalation | SMB protocol vulnerability enabling remote exploitation |
| CVE-2020-1066 | Windows Installer Service | 7.8 | High | Local Privilege Escalation | Windows installer elevation of privilege vulnerability |
| CVE-2021-41379 | Windows Desktop Window Manager | 7.8 | High | Local Privilege Escalation | Windows Desktop Window Manager elevation vulnerability |
| CVE-2022-24521 | Windows Win32k Subsystem | 7.8 | High | Local Privilege Escalation | Win32k kernel elevation leading to system access |
| CVE-2025-7771 | ThrottleStop Driver | 8.4 | High | Privilege Escalation via Driver | Legitimate driver vulnerable to memory access exploitation for EDR/AV bypass |
The presence of exploits targeting vulnerabilities spanning multiple years highlights a persistent issue: the failure of some organizations to promptly apply security updates. This leaves them susceptible to widely known, yet unpatched, security flaws.
A particularly distinguishing feature of Makop’s approach is the integration of Bring Your Own Vulnerable Driver (BYOVD) techniques. Attackers utilize legitimate, signed drivers that contain vulnerabilities, such as ThrottleStop.sys (CVE-2025-7771) and hlpdrv.sys. By exploiting these drivers, attackers can manipulate memory access and disable endpoint detection and response (EDR) and antivirus solutions, bypassing crucial security layers. This sophisticated tactic demonstrates a deep understanding of Windows security architecture and highlights the challenges defenders face when legitimate tools are weaponized.
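Because the drivers abused in BYOVD are validly signed, a rule that only alerts on unsigned driver loads misses them entirely. The detection below, an added example for this article rather than code from the original report or any vendor, keys on the two driver names the report cites and correlates a matching load with a security-agent process terminating shortly afterwards. The event records are constructed to resemble Sysmon Event ID 6 (DriverLoad) and Event ID 5 (ProcessTerminate); the agent process names, the correlation window and the suggestion to extend the driver list from a maintained source such as the LOLDrivers project are assumptions.

```python
from datetime import datetime, timedelta

# Driver file names the report cites as abused in Makop BYOVD activity
# (ThrottleStop.sys is tracked as CVE-2025-7771). For production use, extend this set
# from a maintained vulnerable-driver list (assumption: e.g. LOLDrivers), and prefer
# file hashes over names, since a copied driver can be renamed.
VULNERABLE_DRIVERS = {"throttlestop.sys", "hlpdrv.sys"}
# Security-agent processes whose termination is suspicious (assumed; adjust to your estate).
SECURITY_PROCESSES = {"msmpeng.exe", "edr_agent.exe"}

# Constructed records shaped like Sysmon Event ID 6 (driver load) and Event ID 5
# (process terminate); not real telemetry. Note the vulnerable driver is signed.
SAMPLE_EVENTS = [
    {"time": "2025-09-01T02:10:00", "event_id": 6, "image": r"C:\Windows\System32\drivers\ndis.sys", "signed": True},
    {"time": "2025-09-01T02:15:00", "event_id": 6, "image": r"C:\Users\bob\Music\ThrottleStop.sys", "signed": True},
    {"time": "2025-09-01T02:15:40", "event_id": 5, "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"time": "2025-09-01T09:00:00", "event_id": 5, "image": r"C:\Program Files\EDR\edr_agent.exe"},  # hours later: not correlated
    {"time": "2025-09-01T09:00:05", "event_id": 5, "image": r"C:\Windows\System32\notepad.exe"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_byovd(events, correlation_window=120):
    """Alert on any load of a known-vulnerable driver, signed or not, and on a
    security-agent process terminating within `correlation_window` seconds of one."""
    alerts = []
    recent_loads = []  # (timestamp, driver image) for vulnerable-driver loads
    window = timedelta(seconds=correlation_window)
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        name = _basename(ev["image"])
        if ev["event_id"] == 6 and name in VULNERABLE_DRIVERS:
            # A valid signature does not clear the driver; that is the whole point of BYOVD.
            alerts.append({"kind": "vulnerable_driver_load", "time": ev["time"],
                           "driver": ev["image"], "signed": ev.get("signed", False)})
            recent_loads.append((ts, ev["image"]))
        elif ev["event_id"] == 5 and name in SECURITY_PROCESSES:
            # Keep only loads still inside the correlation window.
            recent_loads = [(t, d) for t, d in recent_loads if ts - t <= window]
            if recent_loads:
                alerts.append({"kind": "security_agent_killed_after_driver_load", "time": ev["time"],
                               "process": ev["image"], "driver": recent_loads[-1][1]})
    return alerts


if __name__ == "__main__":
    for alert in detect_byovd(SAMPLE_EVENTS):
        print(alert)
```

Name matching is the weakest part of this rule and is used only because names are what the report provides; in practice the `Hashes` field of the DriverLoad event should be compared against a hash-based blocklist, and Microsoft's vulnerable driver blocklist (enforced through HVCI or WDAC) prevents the load in the first place, so that the load event never occurs and the second alert stays a backstop.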
The continuous evolution of Makop ransomware, particularly its advanced evasion and privilege escalation tactics, indicates that threat actors are increasingly sophisticated and adaptable. Organizations worldwide, especially those in India, must remain vigilant and prioritize robust cybersecurity measures, including regular patching, strong RDP security practices, and comprehensive endpoint protection, to mitigate the risk of falling victim to these evolving threats.

