Dissection Of Makop Ransomware Group

This blog post outlines attack patterns identified across Makop ransomware incidents and explores the ransomware executable used by Makop affiliates.

Stroz Friedberg has investigated multiple incidents involving Makop ransomware within the past few months. Makop is an offshoot of the established Phobos ransomware, which has been around for several years and operates under an affiliate structure. The following blog post outlines attack patterns identified across Makop ransomware incidents and explores the ransomware executable used by Makop affiliates.


History of Makop

Makop ransomware was originally advertised on a dark web forum in January 2020 by an individual using the handle ‘Makop’. This actor announced the launch of Makop’s Ransomware-as-a-Service (“RaaS”) program and recruited affiliates on popular hacking forums such as Exploit, XSS, Blackhacker, WWH-Club, Dublikat, Migalki, Tenec, and Rutor. Notable features advertised by Makop to affiliates include:

  • Affiliates may choose the filename extension of encrypted files (e.g., “.makop” or “.mkp”).
  • The ransomware creates a unique ID for each encrypted system in a corporate network.
  • Affiliates may choose a custom ransom amount.

Stroz Friedberg has not recently observed any activity by the individual ‘Makop’ or any instances of Makop services being advertised on dark net forums. Without an identified leak site for the group, it is difficult to determine the breadth of activity attributable to the group or to estimate the impact on its victim organizations accurately.


Initial Access

In Stroz Friedberg’s investigations, Makop affiliates primarily used internet-exposed systems with external Remote Desktop Protocol (“RDP”) enabled to gain initial access to victim organizations. The threat actor leveraged usernames from the RDP login page to perform password brute force attacks against RDP services.


Land and Expand

Once on the network, Makop affiliates use the following mixture of custom and off-the-shelf tools to conduct their operations:

  • PowerShell: download and execute a batch script on the impacted system
  • NS.exe: scan the network and search for shared folders
  • Everything.exe: search filenames or create file listing
  • Mouselock.exe: block mouse inputs
  • NLBrute.exe: brute-force RDP
  • Batch scripts: disable and delete Volume Shadow Copies
  • RDP: move laterally through the environment


Data Exfiltration

Stroz Friedberg has not observed Makop affiliates exfiltrating victim data and, as of January 2024, the group does not appear to operate a leak site. The group’s ransom note provides an email address for communication and threatens victims regarding loss of data if they choose to forgo negotiations for the decryption key.


Encryption

Stroz Friedberg identified multiple executables of Makop ransomware. One of these samples, identified on VirusTotal, was an encryptor executable with a built-in GUI. This sample decrypts its strings at runtime to make static analysis difficult. These strings include library names, API names, strings used to perform operations during execution, and the strings that make up the ransom note.

Example of Makop Ransomware GUI.

Using the GUI, the threat actor can select a specific folder or the entire system to encrypt. The encryptor generates an 8-character, system-specific ID and appends it to each encrypted filename. This ID is derived from the Windows Product ID and the Volume Serial Number. The following options are available in the GUI:

  • Quick: Expedites the encryption process by encrypting only the first 40K bytes of the target file.
  • Net: Targets network shares for encryption.
  • Delete: Deletes the encryptor executable from the execution directory, if selected.

The sample contains a hard-coded private key, 28 8A 2C FE 3F 75 C4 47 A5 21 C4 5C 33 39 E2 64 2B 34 0F 08 D2 37 2A 97 0D 83 A4 D8 B8 01 92 2E, used to decrypt the malware’s strings at runtime. These strings contain the URL, process names, commands, and strings displayed on the GUI.

After initializing its keys, the malware reads the target file and uses the ‘CryptEncrypt’ API to encrypt it with the AES256 algorithm.

Upon successful encryption of the file, the encryptor renames the file in the following format:

File_Name.Extension.[8-Character_ID].[Email_Address].mkp

The Makop sample examined by Stroz Friedberg terminates specific process names, including but not limited to:

  • armsvc.exe
  • IntelCpHDCPSvc.exe
  • IPROSetMonitor.exe
  • msftesql.exe
  • OfficeClickToRun.exe
  • postgres.exe
  • sqlbrowser.exe
  • vds.exe

Additionally, the encryptor sample excludes the following file extensions, paths, and specific files during the encryption process:

  • *.dll
  • *.exe
  • *.mkp
  • +README-WARNING+.txt
  • boot.ini
  • bootfont.bin
  • desktop.ini
  • io.sys
  • ntdetect.com
  • ntldr
  • *\regedit.exe
  • *System32*
  • *Users\Public*
  • *windows*
  • *Winnt*

The encryptor decrypts the ransom note and filename during runtime and drops +README-WARNING+.txt ransom note file in the impacted directories. The ransom note created by this sample contains instructions for contacting the threat actors via two email addresses: datastore@cyberfear[.]com and back2up@swismail[.]com.

Example of Makop Ransomware Note.

Deleting Volume Shadow Copies to hinder data recovery is common ransomware functionality. The sample uses the following commands to delete Volume Shadow Copies:

  • vssadmin delete shadows /all /quiet
  • wbadmin delete catalog -quiet
  • wmic shadowcopy delete
  • exit/
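The three deletion commands above are a reliable detection point in process-creation telemetry. The following is an added example, not code from the original post, that classifies command lines against those commands and runs the check over a small, constructed set of process-creation records (the paths, times and parent process are illustrative placeholders):

```python
import re

# Regexes for the three deletion commands listed above: case-insensitive, tolerant
# of a full path or ".exe" suffix and of extra whitespace between arguments.
SHADOW_COPY_DELETION = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]


def classify_command(cmdline):
    """Return the label of the matching shadow-copy deletion command, or None."""
    collapsed = " ".join(cmdline.split())  # normalise runs of whitespace
    for label, pattern in SHADOW_COPY_DELETION:
        if pattern.search(collapsed):
            return label
    return None


def scan_events(events):
    """events: simplified process-creation records (fields named as in Sysmon EID 1).
    Returns the records that match, each with a 'technique' label added."""
    hits = []
    for ev in events:
        label = classify_command(ev.get("CommandLine", ""))
        if label:
            hits.append({**ev, "technique": label})
    return hits


# Constructed records; parent path, image paths and timestamps are placeholders.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T02:14:03Z", "ParentImage": r"C:\Users\Public\encryptor.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin  delete shadows /all /quiet"},
    {"time": "2024-01-10T02:14:04Z", "ParentImage": r"C:\Users\Public\encryptor.exe",
     "Image": r"C:\Windows\System32\wbadmin.exe", "CommandLine": "wbadmin delete catalog -quiet"},
    {"time": "2024-01-10T02:14:05Z", "ParentImage": r"C:\Users\Public\encryptor.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": "wmic shadowcopy delete"},
    {"time": "2024-01-10T09:00:00Z", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin list shadows"},  # benign query
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit["time"], hit["technique"], hit["ParentImage"])
```

Three of the four constructed records match; the benign `vssadmin list shadows` query does not, and the shared parent image in a short time window is what ties the three deletions to the encryptor.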

After encryption is complete, the malware sample sends a request to https://iplogger[.]com/1FcbD4. IPLogger is an IP address location tracking service: the threat actor creates a tracker URL, and when the malware sample connects to it, IPLogger logs the location of the infected device. At the time of analysis, the identified tracker URL had been blacklisted by IPLogger.

Wallpaper bitmap used by Makop ransomware.

The malware creates the bitmap image shown above and saves it as C:\Users\{username}\AppData\Local\temp\[A-Z0-7]{4}.bmp. This bitmap is then set as the system’s wallpaper, completing the malware’s execution.


Links to other ransomware families

Makop shares several similarities with other offshoots of Phobos ransomware and is commonly misdetected as “Phobos” by anti-virus solutions. Stroz Friedberg has identified other encryptors for strains such as Faust ransomware, another offshoot of Phobos, using a similar naming convention for encrypted files:

File_Name.Extension.[8-Character_ID].[Email_Address].Ransomware_Extension
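Because the Makop naming scheme and the more general Phobos-offshoot scheme shown above are both regular, a responder can triage a file listing by parsing each name into its original name, victim ID, contact address and ransomware extension. The following is an added example, not code from the original post; it assumes the 8-character ID is alphanumeric, and the ID, e-mail address and the non-Makop extension in the sample listing are constructed placeholders:

```python
import re
from collections import Counter

# Pattern for the naming scheme described above. Assumption (not stated in the post):
# the 8-character ID is alphanumeric and the original filename contains no "]".
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)"                      # File_Name.Extension
    r"\.\[(?P<victim_id>[A-Za-z0-9]{8})\]"     # .[8-Character_ID]
    r"\.\[(?P<email>[^\[\]\s]+@[^\[\]\s]+)\]"  # .[Email_Address]
    r"\.(?P<ext>[A-Za-z0-9]+)$"                # .mkp, or another offshoot's extension
)


def parse_encrypted_name(name):
    """Return the components of a Phobos-style encrypted filename, or None if it does not match."""
    m = ENCRYPTED_NAME.match(name)
    return m.groupdict() if m else None


def triage(filenames):
    """Summarise a file listing: how many names match, and which victim IDs,
    contact addresses and extensions the affiliate used."""
    parsed = [p for p in map(parse_encrypted_name, filenames) if p]
    return {
        "encrypted_count": len(parsed),
        "victim_ids": sorted({p["victim_id"] for p in parsed}),
        "emails": sorted({p["email"] for p in parsed}),
        "extensions": Counter(p["ext"] for p in parsed),
    }


# Constructed listing: the ID, e-mail address and ".other" extension are placeholders.
SAMPLE_LISTING = [
    "Q3-report.docx.[A1B2C3D4].[contact@example.com].mkp",
    "budget.xlsx.[A1B2C3D4].[contact@example.com].mkp",
    "+README-WARNING+.txt",  # ransom note, dropped unencrypted
    "desktop.ini",           # on the encryptor's exclusion list
    "photo.jpg.[A1B2C3D4].[contact@example.com].other",  # placeholder for another offshoot's extension
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

A single victim ID across every matched name is consistent with the per-system ID the post describes, while several IDs in one share would indicate encryption from more than one host.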


IOCs

The following indicators were identified in Stroz Friedberg’s analysis of Makop ransomware matters:
