Rewterz Threat Alert -MAKOP Ransomware – Active IOCs

Severity

High

Analysis Summary

MAKOP ransomware was first observed in 2020 and it is said that this ransomware belongs to Phobos ransomware as its techniques are quite similar to this type of ransomware. The decryption of the files encrypted by this ransomware is not possible. According to the reports, this ransomware targets companies in Europe and Italy. It encrypts each and every file in any folder excluding some file containing in their name or files with extension .exe and .dll and leaves the file with a .makop extension, the format of file name is left as “Original_file_name.Original_file_extension.[Unique/random Id associated with the File].[.].makop”. Moreover, like other ransomware it also leaves a note which contains the ransom amount and also contains the TOR link through which we can communicate with the group.

The encryption method used by this ransomware AES256 algorithm, it imports an AES256 key to decrypt several strings, including an RSA public key. It creates a mutex to ensure only one instance is running at a time and spawns a new process to encrypt network shares. It extracts the Windows Product ID to generate a personal ID that appears in the ransom note. It deletes all volume shadow copies and kills specific processes that could lock targeted file types. The ransomware generates two new AES256 keys and an initialization vector to encrypt the files, which are encrypted using the RSA public key. It requires the RSA private key to decrypt the files.

Impact

• File Encryption 
• Data Exfiltration

Indicators of Compromise

MD5

• bd935610cb878e275d35f292b93d8459
• abb04a0418be9cc4618f393d7fc9d76b

SHA-256

• 3757824893405fd34313749b689879b40b02db3d8a682f9f88e23f63908881f7
• 56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659

SHA-1

• 2cfc4a68ece6c9465ba44f96b677cc00536908ad
• dbe3b07ab1383e4d693bb6cab17ad8a7c1c5cd7b

Remediation

• Block all threat indicators at your respective controls. 
• Search for IOCs in your environment.
• Maintain cyber hygiene by updating your anti-virus software and implementing patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.