A recent cybersecurity study has uncovered a disturbing trend, placing India squarely in the crosshairs of a global ransomware threat. According to research by Acronis, 55% of the victims targeted by the Makop ransomware group are based in India, making it the country most severely affected by this malware worldwide.
New Attack Methods and Regional Targeting
The report highlights a significant shift in how the Makop ransomware is delivered. For the first time, researchers observed the malware being staged by Guloader, a loader more commonly associated with information-stealing malware. Because Guloader is usually triaged as a stealer precursor, its use here complicates detection: tools and analysts that classify the loader as a low-priority stealer infection may miss the ransomware payload that follows.
Analysts point out that this intense focus on India suggests the criminals are deliberately targeting regions where they expect security practices to be weaker, including hosts running outdated antivirus software. In a particularly aggressive move, the attackers have built dedicated uninstaller tools to remove popular local security products such as Quick Heal. Silently uninstalling an endpoint product requires local administrator rights, which the group already holds by the time it runs these tools, so the uninstall is a defense-evasion step late in the intrusion rather than the initial foothold.
Exploiting Basic Security Gaps
Makop, first seen around 2020 and linked to the Phobos ransomware family, primarily gains entry through poorly secured Remote Desktop Protocol (RDP) connections. Attackers brute-force or password-spray weak credentials on RDP services exposed to the internet. Once inside, they follow a familiar playbook: scanning the internal network, stealing credentials with tools like Mimikatz, disabling security software, and finally encrypting files for ransom.
The study warns that attackers increasingly succeed by combining old, unpatched Windows vulnerabilities, weak passwords, and exposed remote access services. They also abuse legitimate utilities such as Process Hacker, whose signed kernel driver can terminate protected security processes, and other vulnerable drivers (the "bring your own vulnerable driver" technique) to bypass endpoint defenses, showing a rise in sophistication even among lower-complexity threat actors.
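The RDP entry pattern described above leaves a recognisable trace in the Windows Security log: a burst of failed logons (Event ID 4625, logon type 10 for RemoteInteractive) from one source address against several accounts, followed by a successful logon (Event ID 4624, logon type 10) from the same address. The following detector is an added example written for this page, not code from the Acronis report; the event records, the addresses (from documentation ranges) and the account names are all constructed, and the ten-failures-in-ten-minutes threshold is an assumed tuning value.

```python
"""Detect RDP brute-force / password-spray followed by a successful logon.

Added example (not from the report). Works over simplified event records
with the same fields a 4625/4624 Security event carries: EventID,
LogonType, TargetUserName and IpAddress. All sample data is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Windows Security: an account failed to log on
SUCCESS_LOGON = 4624     # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = 10      # LogonType 10 = RemoteInteractive (RDP)

BASE = datetime(2024, 5, 1, 2, 0, 0)  # constructed timestamp base
SPRAYED_ACCOUNTS = ["administrator", "admin", "backup", "scanner", "helpdesk", "test"]


def _event(ts, event_id, logon_type, account, source_ip):
    return {"time": ts, "event_id": event_id, "logon_type": logon_type,
            "account": account, "source_ip": source_ip}


def build_sample_events():
    """Constructed sample log: one spraying attacker, one clumsy but legitimate user."""
    events = []
    # Attacker at 203.0.113.45 (documentation range): 12 RDP failures, one every 30 s,
    # rotating through common account names...
    for i in range(12):
        events.append(_event(BASE + timedelta(seconds=30 * i), FAILED_LOGON, RDP_LOGON_TYPE,
                             SPRAYED_ACCOUNTS[i % len(SPRAYED_ACCOUNTS)], "203.0.113.45"))
    # ...then a successful RDP logon as 'administrator' from the same address.
    events.append(_event(BASE + timedelta(minutes=7), SUCCESS_LOGON, RDP_LOGON_TYPE,
                         "administrator", "203.0.113.45"))
    # Legitimate user at 192.0.2.10 mistypes a password twice, then logs in: not an alert.
    events.append(_event(BASE + timedelta(minutes=1), FAILED_LOGON, RDP_LOGON_TYPE, "jdoe", "192.0.2.10"))
    events.append(_event(BASE + timedelta(minutes=1, seconds=20), FAILED_LOGON, RDP_LOGON_TYPE, "jdoe", "192.0.2.10"))
    events.append(_event(BASE + timedelta(minutes=2), SUCCESS_LOGON, RDP_LOGON_TYPE, "jdoe", "192.0.2.10"))
    # Console logon (LogonType 2) is not RDP and must be ignored by the detector.
    events.append(_event(BASE + timedelta(minutes=3), SUCCESS_LOGON, 2, "svc_backup", "-"))
    return events


def find_rdp_bruteforce(events, window=timedelta(minutes=10), threshold=10):
    """Return alerts for RDP sources with >= threshold failures inside a sliding window.

    Two alert kinds: 'rdp_password_spray' the first time a source crosses the
    threshold, and 'rdp_bruteforce_success' when such a source then logs in.
    """
    alerts = []
    recent_failures = defaultdict(deque)   # source_ip -> failure timestamps inside window
    accounts_tried = defaultdict(set)      # source_ip -> every account it failed against
    already_flagged = set()

    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                        # only RemoteInteractive logons matter here
        ip = ev["source_ip"]
        q = recent_failures[ip]
        while q and ev["time"] - q[0] > window:
            q.popleft()                     # slide the window forward

        if ev["event_id"] == FAILED_LOGON:
            q.append(ev["time"])
            accounts_tried[ip].add(ev["account"])
            if len(q) >= threshold and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append({"kind": "rdp_password_spray", "source_ip": ip,
                               "failures": len(q), "accounts": sorted(accounts_tried[ip]),
                               "time": ev["time"]})
        elif ev["event_id"] == SUCCESS_LOGON and len(q) >= threshold:
            # A success right after a spray is the high-confidence "they are in" signal.
            alerts.append({"kind": "rdp_bruteforce_success", "source_ip": ip,
                           "failures": len(q), "account": ev["account"],
                           "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_bruteforce(build_sample_events()):
        print(alert)
```

On a real host the same fields come from the Security log (for example via `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4624}`, reading `LogonType`, `TargetUserName` and `IpAddress` from each event's XML). The success-after-spray alert is the one to page on: the earlier spray alert confirms the service is exposed and being hammered, which is itself the configuration weakness the report describes.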
Essential Steps for Protection
Acronis recommends several critical actions for businesses to defend against such evolving threats. The cornerstone is Multi-Factor Authentication (MFA) for all remote access; since plain RDP has no MFA of its own, that in practice means putting RDP behind a VPN or a remote desktop gateway that enforces it. Other vital steps include patching promptly, removing RDP from direct internet exposure (blocking TCP 3389 at the perimeter and enabling Network Level Authentication), and deploying endpoint security capable of detecting loaders such as Guloader rather than only the final ransomware binary.
Enhancing password policies and conducting regular security audits are also emphasized as key practices to minimize risks. Ilia Dafchev, a senior security researcher at Acronis, stated, "The regional targeting pattern... is particularly alarming. These results demonstrate a straightforward reality: businesses with inadequate security measures or exposed RDP services remain highly vulnerable. Improving fundamental cyber hygiene is now essential."
The findings serve as a stark reminder that foundational cybersecurity measures are not optional. As ransomware gangs refine their methods, organizations must prioritize basic protections to avoid becoming the next statistic in this alarming campaign.