Study highlights evolving Makop tactics, including Guloader-based delivery and targeted attacks on Indian security solutions
A new study by Acronis Research has revealed that India accounts for 55% of victims in Makop ransomware operations, making it the most targeted country globally. The report highlights a significant shift in Makop’s tactics, including its first known use of Guloader, a malware loader typically associated with information-stealing tools, now repurposed to deliver ransomware.
Makop, part of the Phobos ransomware family, primarily gains initial access through exposed Remote Desktop Protocol (RDP) services protected only by weak passwords. Once inside, attackers follow a systematic approach:
- Network scanning and credential theft using tools like Mimikatz
- Disabling security products and exploiting old Windows vulnerabilities
- Encrypting data after removing local antivirus solutions such as Quick Heal
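The intrusion chain just described (password guessing against exposed RDP, a successful logon, then stopping the local security product and running tools such as Mimikatz or Process Hacker) leaves a recognisable trail in Windows event logs. The following Python is an added example, not code from the Acronis report or from any Acronis product: it runs simple detection logic over a handful of constructed event records shaped like Security-log logon events (4625/4624 with logon type 10, i.e. RemoteInteractive), System-log service-state changes (7036) and process-creation events (4688). The threshold, time window, keyword lists and the security service name are assumptions chosen for illustration.

```python
"""Detection logic for the RDP-then-tamper pattern described in the report.

All events below are constructed for this example; they are not real telemetry.
Event IDs follow Windows conventions: 4625 failed logon, 4624 successful logon
(logon_type 10 = RemoteInteractive/RDP), 7036 service state change, 4688 process
creation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # Five failed RDP logons from one source in ten seconds, then a success.
    {"ts": "2024-05-01T02:00:01", "id": 4625, "ip": "203.0.113.7", "user": "admin", "logon_type": 10},
    {"ts": "2024-05-01T02:00:03", "id": 4625, "ip": "203.0.113.7", "user": "administrator", "logon_type": 10},
    {"ts": "2024-05-01T02:00:05", "id": 4625, "ip": "203.0.113.7", "user": "backup", "logon_type": 10},
    {"ts": "2024-05-01T02:00:08", "id": 4625, "ip": "203.0.113.7", "user": "admin", "logon_type": 10},
    {"ts": "2024-05-01T02:00:10", "id": 4625, "ip": "203.0.113.7", "user": "admin", "logon_type": 10},
    {"ts": "2024-05-01T02:00:14", "id": 4624, "ip": "203.0.113.7", "user": "admin", "logon_type": 10},
    # Post-access activity on the host: tool execution, then the AV service stops.
    {"ts": "2024-05-01T02:07:30", "id": 4688, "host": "FS01",
     "process": "C:\\Users\\admin\\Downloads\\ProcessHacker.exe"},
    {"ts": "2024-05-01T02:09:12", "id": 7036, "host": "FS01",
     "service": "Quick Heal Protection Service (illustrative name)", "state": "stopped"},
    # Benign: one typo by a legitimate user, then a normal logon.
    {"ts": "2024-05-01T09:15:00", "id": 4625, "ip": "198.51.100.20", "user": "jsmith", "logon_type": 10},
    {"ts": "2024-05-01T09:15:20", "id": 4624, "ip": "198.51.100.20", "user": "jsmith", "logon_type": 10},
]

# Assumed keyword lists; tune to the products and tooling present in your estate.
SECURITY_SERVICE_KEYWORDS = ("quick heal", "defender", "antivirus", "endpoint")
TOOL_WATCHLIST = ("mimikatz", "processhacker", "process hacker")


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the sample events."""
    return datetime.fromisoformat(value)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: summary} for sources with >= threshold failed RDP logons
    inside any `window`, noting whether a successful RDP logon followed them."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev.get("logon_type") != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest here
        ts = parse_ts(ev["ts"])
        if ev["id"] == 4625:
            failures[ev["ip"]].append(ts)
        elif ev["id"] == 4624:
            successes[ev["ip"]].append(ts)

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Sliding window: drop failures older than `window` before times[end].
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_failure = times[end]
                alerts[ip] = {
                    "failures": len(times),
                    "first": times[start],
                    "last": last_failure,
                    # A success after the burst is the strongest signal of compromise.
                    "success_after": any(s >= last_failure for s in successes.get(ip, [])),
                }
                break
    return alerts


def detect_security_tampering(events):
    """Flag stopped security services and execution of tools the report
    associates with the Makop intrusion chain."""
    alerts = []
    for ev in events:
        if ev["id"] == 7036 and ev.get("state") == "stopped":
            name = ev.get("service", "").lower()
            if any(k in name for k in SECURITY_SERVICE_KEYWORDS):
                alerts.append({"ts": ev["ts"], "host": ev["host"],
                               "type": "security_service_stopped", "detail": ev["service"]})
        elif ev["id"] == 4688:
            # Normalise the path and keep only the executable name.
            exe = ev.get("process", "").lower().replace("\\", "/").rsplit("/", 1)[-1]
            if any(k in exe for k in TOOL_WATCHLIST):
                alerts.append({"ts": ev["ts"], "host": ev["host"],
                               "type": "suspicious_tool_executed", "detail": exe})
    return alerts


def analyze(events):
    """Run both detections and return their findings together."""
    return {"bruteforce": detect_rdp_bruteforce(events),
            "tampering": detect_security_tampering(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2, default=str))
```

The brute-force check keys on source IP rather than on user name because password guessing against RDP typically rotates through several accounts, as the sample shows; the single failed logon from 198.51.100.20 stays below the threshold and produces no alert. In a real deployment the two detections would be correlated on host and time, since a security-service stop minutes after a successful logon from a source that had just been guessing passwords is exactly the sequence the report describes.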
“Makop is changing in ways that defenses cannot ignore. Its use of Guloader and regional targeting in India underscores the urgent need for stronger cyber hygiene.”
– Ilia Dafchev, Senior Security Researcher, Acronis
The study warns that attackers are increasingly using uninstallers tailored to bypass Indian security software and leveraging legitimate tools like Process Hacker to disable protections. This evolution makes Makop harder to detect and signals a growing sophistication even among low-complexity threat actors.
Ilia Dafchev, Senior Security Researcher at Acronis, commented: “Makop’s adoption of Guloader marks a major change in its distribution strategy. Combined with targeted efforts to remove local security products, this trend shows attackers are adapting quickly. Businesses with exposed RDP services and weak security practices remain highly vulnerable.”
Acronis recommends immediate steps for organizations:
- Enforce Multi-Factor Authentication (MFA) for remote access
- Apply regular patches and limit public RDP exposure
- Deploy advanced endpoint protection capable of detecting loaders like Guloader
- Strengthen password policies and conduct frequent security audits
