Executive Summary

A new campaign by the Makop ransomware group, a variant of the Phobos family, has been observed deploying an updated toolset to target organizations, with a primary focus on India. According to the Acronis Threat Research Unit, the attackers' primary initial access vector remains brute-force attacks against exposed Remote Desktop Protocol (RDP) services. Post-compromise, the threat actors are now using the notorious GuLoader downloader to deliver information-stealing malware such as AgentTesla and FormBook. A key evolution in this campaign is the use of specific exploits for privilege escalation, including one targeting CVE-2025-7771 in a third-party driver, to disable security solutions before the final Makop payload is executed.

Threat Overview

The Makop ransomware operators are following a common ransomware-as-a-service (RaaS) playbook but have refined their TTPs to improve their success rate.

Attack Chain

1. Initial Access: Attackers scan the internet for and brute-force credentials on exposed RDP services (TCP/3389).
2. Reconnaissance: Once on a system, they use legitimate network scanning tools like NetScan and Advanced IP Scanner to map the internal network and identify valuable targets.
3. Secondary Payload Deployment: The attackers use GuLoader to download and execute additional malware. GuLoader is known for its anti-analysis and shellcode-based delivery techniques. The secondary payloads are often infostealers like AgentTesla and FormBook to steal credentials and other sensitive data before encryption.
4. Privilege Escalation: To disable security software, the attackers exploit local privilege escalation (LPE) vulnerabilities. They have been seen using an exploit for CVE-2025-7771 in the ThrottleStop driver and another vulnerable driver, hlpdrv.sys, to gain kernel-level privileges.
5. Defense Evasion: With elevated privileges, the attackers terminate EDR and antivirus processes. They also deploy custom uninstallers for specific products like Quick Heal AV.
6. Credential Access: Mimikatz is used to dump credentials from memory, enabling lateral movement.
7. Impact: The Makop ransomware is executed to encrypt files across the compromised network.

Technical Analysis

The most notable aspect of this campaign is the use of vulnerable drivers to achieve kernel-level privilege escalation. This 'Bring Your Own Vulnerable Driver' (BYOVD) technique is highly effective for bypassing security controls.

• CVE-2025-7771: This vulnerability in the ThrottleStop.sys driver allows a local attacker to execute arbitrary code with kernel privileges, effectively giving them complete control over the operating system and allowing them to disable security agents.
• GuLoader: This downloader is known for its multi-stage, heavily obfuscated delivery mechanism, making it difficult for static analysis tools to detect.

MITRE ATT&CK TTPs

• Initial Access:
  • T1110.001 - Brute Force: Password Guessing: Used against exposed RDP services.
• Execution:
  • T1059.001 - Command and Scripting Interpreter: PowerShell: GuLoader often uses PowerShell to execute its shellcode.
• Privilege Escalation:
  • T1068 - Exploitation for Privilege Escalation: Exploiting CVE-2025-7771 to gain kernel access.
• Defense Evasion:
  • T1562.001 - Impair Defenses: Disable or Modify Tools: Using kernel-level access to terminate EDR/AV processes.
  • T1574.006 - Hijack Execution Flow: Dynamic-Link Library Injection: GuLoader uses process hollowing or injection to run its payload.
  • T1218.011 - System Binary Proxy Execution: Rundll32: Often used to run malicious DLLs.
• Credential Access:
  • T1003 - OS Credential Dumping: Use of Mimikatz.
• Impact:
  • T1486 - Data Encrypted for Impact: The final ransomware payload encrypts files.

Impact Assessment

For affected organizations, the impact is severe, consistent with other double-extortion ransomware attacks. This includes:

• Operational Disruption: Encryption of critical files and systems leads to a complete halt in business operations.
• Data Breach: The use of infostealers like AgentTesla and FormBook means that even if the ransom is not paid, sensitive corporate and customer data may have already been stolen and could be leaked or sold.
• Financial Loss: Costs include ransom payments, recovery efforts, regulatory fines, and lost revenue.

Detection & Response

1. RDP Monitoring: Aggressively monitor RDP logs for failed login attempts from external IP addresses. Alert on a high volume of failures from a single IP. Better yet, do not expose RDP to the internet.
2. Driver-Based Attacks: Monitor for the loading of known vulnerable drivers like ThrottleStop.sys or hlpdrv.sys. EDR solutions with specific rules for BYOVD attacks can be effective here.
3. Behavioral Detections: Monitor for processes like powershell.exe making outbound connections to download content, or for the execution of tools like NetScan and Advanced IP Scanner from unusual user accounts.
4. Credential Dumping: Use EDR and SIEM rules to detect signs of Mimikatz usage, such as direct access to the LSASS process memory.

Mitigation

1. Secure RDP: Do not expose RDP to the public internet. If remote access is required, place it behind a VPN with multi-factor authentication (MFA).
2. Patch Management: While the primary LPE exploit targets a third-party driver, maintaining up-to-date patches for the operating system and all applications is crucial.
3. Driver Blocklisting: Use Windows Defender Application Control (WDAC) or similar technologies to create policies that block known vulnerable drivers from being loaded.
4. Principle of Least Privilege: Ensure that user accounts do not have local administrator privileges unless absolutely necessary. This can prevent the initial execution of some LPE exploits.