Makop Ransomware Exploits RDP Systems with AV Killer and Other Exploits

Makop ransomware, a strain of the Phobos malware family first spotted in 2020, continues to evolve into a significant threat to businesses worldwide.

Recent analysis reveals that attackers are combining brute-force RDP attacks with sophisticated privilege escalation techniques and security bypass tools to compromise organizations.

The majority of attacks, representing 55 percent of all incidents, specifically target companies in India, though Brazil, Germany, and other regions have also reported compromises.

The attackers prefer low-complexity, high-impact methods, leveraging off-the-shelf tools and publicly disclosed vulnerabilities to maximize their chances of success while minimizing detection risk.

The typical Makop attack follows a structured progression beginning with Remote Desktop Protocol exploitation. Operators gain initial access by using brute-force tools such as NLBrute to crack weak or reused RDP credentials on exposed systems.

Once inside the network, attackers deploy a toolkit that includes network scanners, privilege-escalation exploits, antivirus-removal tools, and credential-dumping utilities.

This methodical approach allows them to move laterally through the network, extract sensitive information, and ultimately deploy encryption payloads.

If security solutions detect their activities during this process, attackers may attempt advanced evasion techniques or abandon the target entirely if they cannot bypass defenses.

Acronis security analysts identified that Makop operators have added new capabilities to their traditional attack arsenal, including GuLoader malware for delivering secondary payloads.

This evolution demonstrates how the threat landscape continues to shift, with ransomware groups integrating more sophisticated delivery mechanisms and polyglot techniques.

The malware uses deceptive file naming and execution from non-standard directories to evade detection. Executables are commonly named using patterns such as taskmgr.exe, bug_hand.exe, and mc_osn.exe, which can be confused with legitimate Windows processes.

Execution chain (Source - Acronis)

Tools are often dropped in network-mounted RDP shares, music directories, and desktop folders to blend in with regular user activity and reduce visibility to security monitoring solutions.
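A defender-side hunt for the staging pattern just described (a native-looking name running outside its system directory, or a drop under Music, Desktop or an RDP-redirected share), written here as an added example that is not code from the Acronis report; the log format, user names and the extra native binary names beyond taskmgr.exe are constructed assumptions.

```python
import ntpath
import re

# File names the Acronis write-up says Makop tooling commonly uses.
MAKOP_NAMES = {"taskmgr.exe", "bug_hand.exe", "mc_osn.exe"}
# Genuine Windows binaries that a masquerading payload imitates; taskmgr.exe is
# from the report, the other two are assumed additions for illustration.
WINDOWS_NATIVE = {"taskmgr.exe", "svchost.exe", "explorer.exe"}
# Where those genuine binaries actually live on a 64-bit Windows install.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Staging locations the report names: RDP-redirected shares, Music, Desktop.
STAGING_PATTERNS = [
    re.compile(r"^\\\\tsclient\\", re.I),  # \\tsclient\<drive> is RDP drive redirection
    re.compile(r"\\music\\", re.I),
    re.compile(r"\\desktop\\", re.I),
]

def classify(image_path):
    """Return the reasons a process image path matches Makop's staging pattern."""
    reasons = []
    name = ntpath.basename(image_path).lower()
    directory = ntpath.dirname(image_path).lower()
    # A native name is only suspicious when it runs from outside its real home.
    if name in WINDOWS_NATIVE and directory not in SYSTEM_DIRS:
        reasons.append("native-name-outside-system-dir")
    if name in MAKOP_NAMES - WINDOWS_NATIVE:
        reasons.append("known-makop-filename")
    if any(p.search(image_path) for p in STAGING_PATTERNS):
        reasons.append("staging-directory")
    return reasons

def hunt(log_lines):
    """Parse constructed 'user|image_path' process-creation lines; return hits."""
    findings = []
    for line in log_lines:
        user, image = line.rstrip("\n").split("|", 1)
        reasons = classify(image)
        if reasons:
            findings.append((user, image, reasons))
    return findings

# Constructed sample events, not real telemetry.
SAMPLE_LOG = [
    r"CORP\alice|C:\Windows\System32\taskmgr.exe",   # genuine Task Manager
    r"CORP\alice|C:\Users\alice\Music\taskmgr.exe",  # masquerade run from Music
    r"CORP\bob|\\tsclient\C\tools\bug_hand.exe",     # dropped via RDP share
    r"CORP\bob|C:\Users\bob\Desktop\mc_osn.exe",     # dropped on the Desktop
]
```

Feeding real Sysmon Event ID 1 or Windows 4688 records into `hunt` only needs the user and image path pulled from each event.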

The attack flow reveals attackers prioritizing discovery and lateral movement before attempting to disable security software.

They employ tools such as NetScan, Advanced IP Scanner, and Masscan to enumerate network infrastructure and identify high-value targets.

For privilege escalation, they exploit a wide array of Windows vulnerabilities, ranging from older CVEs with stable exploits to recently patched ones.

Makop operators also leverage legitimate vulnerable drivers via Bring Your Own Vulnerable Driver (BYOVD) techniques, such as hlpdrv.sys and ThrottleStop.sys, to gain kernel-level access and terminate endpoint detection and response solutions.

Additionally, they deploy specialized uninstallers targeting Quick Heal Antivirus, a security product popular in India, showing regional adaptation of their tactics.

Privilege Escalation and Driver Exploitation: The Backbone of Makop’s Success

Makop’s effectiveness largely stems from its comprehensive collection of local privilege-escalation exploits that enable attackers to transition from user-level access to system-level privileges.

Defender Control (Source - Acronis)

The ransomware group maintains multiple LPE primitives in its toolkit, ensuring that if one exploit fails or gets patched, alternative options remain available.

The most frequently exploited vulnerabilities include CVE-2017-0213, CVE-2018-8639, CVE-2021-41379, and CVE-2016-0099, all of which provide reliable pathways to system-level access.

Makop ransomware vulnerability exploitation table:

| CVE ID | Component | CVSS Score | Severity | Type | Impact |
|---|---|---|---|---|---|
| CVE-2016-0099 | Windows Elevation of Privilege | 7.8 | High | Local Privilege Escalation | Windows kernel vulnerability enabling privilege escalation |
| CVE-2017-0213 | Windows Update Medic Service | 7.8 | High | Local Privilege Escalation | Device driver vulnerability exploited for system access |
| CVE-2018-8639 | Win32k Subsystem | 7.8 | High | Local Privilege Escalation | Windows kernel elevation leading to system privileges |
| CVE-2019-1388 | Windows Service Control Manager | 7.0 | High | Local Privilege Escalation | Allows attackers to elevate privileges through Windows elevation dialog |
| CVE-2020-0787 | Windows Update Medic Service | 7.8 | High | Local Privilege Escalation | BITS service elevation vulnerability |
| CVE-2020-0796 | SMB Protocol | 10.0 | Critical | Remote Code Execution / Privilege Escalation | SMB protocol vulnerability enabling remote exploitation |
| CVE-2020-1066 | Windows Installer Service | 7.8 | High | Local Privilege Escalation | Windows installer elevation of privilege vulnerability |
| CVE-2021-41379 | Windows Desktop Window Manager | 7.8 | High | Local Privilege Escalation | Windows Desktop Window Manager elevation vulnerability |
| CVE-2022-24521 | Windows Win32k Subsystem | 7.8 | High | Local Privilege Escalation | Win32k kernel elevation leading to system access |
| CVE-2025-7771 | ThrottleStop Driver | 8.4 | High | Privilege Escalation via Driver | Legitimate driver vulnerable to memory access exploitation for EDR/AV bypass |

These vulnerabilities target core Windows components, including kernel subsystems, driver interfaces, Windows Installer services, and system utilities, making them particularly effective for ransomware.

The presence of exploits spanning multiple years demonstrates that even older vulnerabilities remain valuable when systems remain unpatched or when organizations fail to apply security updates promptly.

What distinguishes Makop’s approach is the integration of BYOVD techniques using legitimate signed drivers.

ThrottleStop.sys, a genuine driver developed by TechPowerUp for monitoring CPU throttling, contains a vulnerability (CVE-2025-7771) that attackers exploit to manipulate memory access and disable security tools.

ThrottleStop driver signed certificate (Source - Acronis)

Similarly, hlpdrv.sys has been used in previous ransomware campaigns by groups such as MedusaLocker and Akira.

Because these drivers carry valid vendor signatures, they pass driver signature enforcement rather than having to defeat it, which lets attackers run kernel-level code without triggering security alerts.
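Because the driver is genuine and validly signed, a "Signed: true" check cannot catch BYOVD; the load has to be judged on which driver it is and where it was loaded from. The triage below, an added example rather than anything from the Acronis report, scores Sysmon Event ID 6 (Driver loaded) records by those two signals; the event dicts are constructed and the trusted-directory list is an assumption.

```python
import ntpath

# Drivers the report says Makop loads for BYOVD (file names, lowercased).
KNOWN_ABUSED_DRIVERS = {"hlpdrv.sys", "throttlestop.sys"}
# Directories Windows normally loads drivers from (assumed list); a driver
# loaded from anywhere else was brought along by whoever loaded it.
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")

def assess_driver_load(event):
    """Score one Sysmon Event ID 6 record given as a dict with the fields
    ImageLoaded, Signed and SignatureStatus. Returns (verdict, reasons)."""
    path = event["ImageLoaded"]
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    reasons = []
    if name in KNOWN_ABUSED_DRIVERS:
        reasons.append("known-abused-driver")
    if not directory.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("unusual-driver-path")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("signature-not-valid")
    # A valid signature is the expected case for BYOVD, so it never removes a
    # reason: the verdict is driven by name and path, not by signature status.
    verdict = "suspicious" if reasons else "benign"
    return verdict, reasons

def hunt_driver_loads(events):
    """Return [(ImageLoaded, reasons)] for every suspicious load in a batch."""
    hits = []
    for ev in events:
        verdict, reasons = assess_driver_load(ev)
        if verdict == "suspicious":
            hits.append((ev["ImageLoaded"], reasons))
    return hits

# Constructed sample events; hashes and signer names are deliberately omitted.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\disk.sys", "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\Music\ThrottleStop.sys", "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\hlpdrv.sys", "Signed": "true", "SignatureStatus": "Valid"},
]
```

Matching on file name is the weakest of these signals, since the loader chooses the name; the durable control is blocking known-vulnerable drivers by hash with the Microsoft vulnerable driver blocklist or a WDAC policy.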

This technique reflects a sophisticated understanding of Windows security architecture. It demonstrates how defenders face challenges when legitimate administrative tools become weaponized by threat actors seeking to maintain persistence and evade detection.
