The Makop ransomware gang is a tier-B ransomware actor that has been in operation since 2020. Despite its low classification, the threat actor has been successfully targeting companies in Europe and Italy with its hybrid arsenal of custom-developed and off-the-shelf software tools. In this article, we take a closer look at some of the technical details of Makop ransomware’s arsenal.
What’s been found?
Makop ransomware gang has been found to be using a set of custom-developed tools to carry out their attacks.
- Among them is a tool called ARestore that was built in 2020 and partially obfuscated.
- This tool generates comb lists of local Windows usernames and potential passwords and tests them locally.
- The crooks use it after the initial access phase of their attack chain.
- In addition, the operators leverage other custom .NET assemblies, such as PuffedUp, to achieve further stages of the kill chain.
- This particular tool is designed to ensure persistence after the initial access.
- The tool relies on a textual configuration file placed in the same folder, containing one or more 42-character strings that will be placed into the user clipboard.
Outsourcing the Attack
The ransomware gang is also using off-the-shelf open-source and freeware tools to conduct lateral movement and system discovery.
- Along with the abuse of Microsoft SysInternal tools such as PsExec and other well-known open-source tools such as Putty and Mimikatz, Makop has abused even more peculiar software.
- For instance, the attackers recently used Advanced Port Scanner and the Windows Everything tool.
- Another unique tool used by the group includes a system administration tool, dubbed YDArk. It is an open-source tool available on GitHub.
The bottom line
The Makop ransomware gang has an arsenal of both custom-developed and off-the-shelf software tools at its disposal. The use of these tools is a clear indication of the evolving techniques that cybercriminals use to conduct digital extortions. Organizations must take proactive measures to defend themselves against Makop ransomware-like attacks by keeping software up-to-date and conducting regular security audits.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/8c0a_shutterstock_1780905617.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/1cca_shutterstock_2273947153.jpg)
