Makop Ransomware

    Date: 12/24/2024

    Severity: High

    Summary

    Makop ransomware, an offshoot of the PHOBOS variant, actively targets organizations, including critical sectors, by encrypting files and demanding ransom payments in bitcoin. It exploits various attack vectors, such as unsecured RDP services, phishing emails, malicious attachments, and torrent websites. The ransomware uses tools like PowerShell, Mimikatz, and PsExec for lateral movement and network scanning. It employs AES-256 encryption and appends “.makop” or “.mkp” to encrypted files. Makop operates under an affiliate model and is known for disabling volume shadow copies to prevent file recovery.

    Indicators of Compromise (IOC) List

    Hash


    Email IDs

    datastore@cyberfear.com

    back2up@swismail.com

    File Names

    mc_hand.exe

    Everything.exe

    Mouselock.exe

    NLBrute.exe

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    sha256hash IN ("5566123b7485a9e1e25f06bc695d07ba485866d9cbb9a13460676e980d2dd72a","aa0073548e845d1119186ba77368adfd81dbe0d056ec1f258e83a7dd368972da","bff786ac2f9f89305650d5776dbf1ada6ab229ab87be2c335aedaaf7c438185e","2881a2a79b9dde2a036648df3f04996cac0401505af3d67156ceb1a4d9011b7c","08c9f2ba64a192c0c75fcac51019ee996bf1a617eb66cf04acaa9b8e4a3ea36e","585829269d87b4b63c3cc4c6d855c0077190c2ae888e1e52aad013e2f1eb652a","3664ff8050ccf9e6d73e197f43e23422dcc5bd738c4c5d90808370bc6dba7868","d66bfeb539f4b6f81d0610a128d8a7ebbf559b37df226c5c8b3e04d64c37be0d","f43b86ff363f19f26cc7d80aa64fa0894a264a736ae0abd013d98e344637e4d8","72bbcfca7e495c8a32ee6a88234e55378a535761fd4eb97b50c69bc1dbb3478b","4aace7fd7ba4c0eb24454f9bbf161499363ff34fc5c2eb81b982a25cfc0fdd27","e48904c3a631f353f6bf1cd3c2509464c86454db1d29bff26b489ffa563788d9","62f796350dae2c66d9505c47f29569410d520d1cf17e33ef2be5d0a2358fb094","c5c28f06fc605a7b68c52713f035f7546a15f0ca19761f96903a55021d62c733","dee9199b48489b9077ea11a57303eda7bd33f5d7bca45415a979bca027e246fd","50901c4dce9b5674b68da3503240b62561af7d99d21ff30c8ec2f4977feb4485","d453c980cc00eab746f80c8bae57728c1d5bab12970605a7644674ca63f26e0f","7d4b154e90a8472545d84d7d1ec49888269872c9a8adf3a0411317c8f926f1f5")

    Detection Query 2

    md5hash IN ("e245f8d129e8eadb00e165c569a14b71","6a58b52b184715583cda792b56a0a1ed","b69d036d1dcfc5c0657f3a1748608148")

    Detection Query 3

    from IN ("datastore@cyberfear.com","back2up@swismail.com") OR to IN ("datastore@cyberfear.com","back2up@swismail.com")

    Detection Query 4

    resourcename IN ("Windows Security") AND eventtype = "4663" AND objectname IN ("mc_hand.exe","Everything.exe","Mouselock.exe","NLBrute.exe")

    Detection Query 5

    technologygroup = "EDR" AND objectname IN ("mc_hand.exe","Everything.exe","Mouselock.exe","NLBrute.exe")
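As an added example (not part of the CSK advisory or of the Gurucul queries above), a Python host sweep that applies the same indicators outside the SIEM: it hashes every file under a directory, checks the tool file names, and flags the .makop/.mkp extension that marks already-encrypted files. The hash constants are a subset of the advisory's values; the sample tree and the digests of b"abc" in demo() are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path
# IOCs taken from this advisory (hash subset; Detection Queries 1 and 2 hold all).
MAKOP_SHA256 = {"2881a2a79b9dde2a036648df3f04996cac0401505af3d67156ceb1a4d9011b7c",
                "5566123b7485a9e1e25f06bc695d07ba485866d9cbb9a13460676e980d2dd72a"}
MAKOP_MD5 = {"e245f8d129e8eadb00e165c569a14b71", "6a58b52b184715583cda792b56a0a1ed",
             "b69d036d1dcfc5c0657f3a1748608148"}  # advisory MD5s, lower-cased
TOOL_NAMES = {"mc_hand.exe", "everything.exe", "mouselock.exe", "nlbrute.exe"}
ENCRYPTED_EXT = (".makop", ".mkp")  # extensions Makop appends to encrypted files

def file_hashes(path):
    """Stream the file once and return its (sha256, md5) hex digests."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()

def sweep(root, sha256_iocs=MAKOP_SHA256, md5_iocs=MAKOP_MD5):
    """Return {path: [reasons]} for every file under root that matches an IOC."""
    findings = {}
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        reasons, lower = [], path.name.lower()
        if lower.endswith(ENCRYPTED_EXT):
            reasons.append("encrypted_extension")  # impact: file already encrypted
        if lower in TOOL_NAMES:
            reasons.append("known_tool_name")  # tooling named in the advisory
        try:
            sha, md5 = file_hashes(path)
        except OSError:
            continue  # locked or unreadable file: skip it, do not abort the sweep
        if sha in sha256_iocs:
            reasons.append("sha256_match")
        if md5 in md5_iocs:
            reasons.append("md5_match")
        if reasons:
            findings[str(path)] = reasons
    return findings

def demo():
    """Sweep a constructed sample tree; the added IOCs are the digests of b"abc"."""
    root = Path(tempfile.mkdtemp())
    for name, data in (("NLBrute.exe", b"abc"), ("q3.xlsx.makop", b"1"), ("ok.txt", b"2")):
        (root / name).write_bytes(data)
    abc_sha = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    abc_md5 = "900150983cd24fb0d6963f7d28e17f72"
    found = sweep(root, MAKOP_SHA256 | {abc_sha}, MAKOP_MD5 | {abc_md5})
    return {Path(p).name: r for p, r in found.items()}
```

On a real host, run sweep() against user and share paths and treat extension-only hits as scope (which data was encrypted) and hash or tool-name hits as the artefacts to collect.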

    Reference:

    https://www.csk.gov.in/alerts/Makop_Ransomware.html


    Tags

    CSK - India, Ransomware, Phishing, Malware, Critical Infrastructure, Critical Manufacturing
