VERY IMPORTANT

Makop, a ransomware strain derived from Phobos, is targeting Indian businesses through exposed RDP systems. The attackers employ a diverse toolkit including network scanners, privilege escalation exploits, and AV killers. They have integrated GuLoader, a downloader trojan, to deliver secondary payloads and bypass security measures. The attack chain typically involves RDP exploitation, followed by network scanning, lateral movement, and privilege escalation before encryption. The majority of attacks (55%) target organizations in India. Makop operators use off-the-shelf tools and multiple local privilege escalation vulnerabilities to maximize their impact. The inclusion of a tailored Quick Heal AV uninstaller indicates adaptation to specific regional targets.