New 'Gines' Ransomware Emerges, Associated with Makop Ransomware Family

Researchers Detail New 'Gines' Ransomware Variant Linked to Makop Family

MEDIUM
May 29, 2026
Ransomware, Malware, Threat Intelligence


Executive Summary

Cybersecurity researchers at CYFIRMA have identified and analyzed a new ransomware strain named Gines. The malware, discovered during the monitoring of underground forums, is believed to be a new variant in the lineage of the Makop ransomware family. Gines is a file-encrypting malware targeting Windows operating systems. It follows the now-standard double-extortion model, where it first exfiltrates sensitive data from the victim's network before proceeding with encryption. The ransomware appends a .gines extension to encrypted files and leaves a ransom note, +README-WARNING+.txt, with instructions to contact the operators via an Outlook email address. As a new variant, there is no public decryptor available, and organizations are advised against paying the ransom.


Threat Overview

  • Malware Name: Gines Ransomware
  • Affiliation: Believed to be a variant of the Makop ransomware family.
  • Target Platform: Microsoft Windows operating systems, including local file systems and mapped network shares.
  • Modus Operandi: Double Extortion.
    1. Data Exfiltration: The attackers steal sensitive data from the victim's network.
    2. Encryption: The malware encrypts files, making them inaccessible.
  • Leverage: The attackers threaten to leak the stolen data on the dark web if the ransom is not paid.

Technical Analysis

Based on the description, the Gines ransomware follows a typical ransomware execution flow:

  1. Execution: Once executed on a victim's machine, the malware begins its routine. The initial access vector is not specified, but for Makop variants it often involves RDP compromise or phishing.
  2. Discovery: The malware scans the local machine and any accessible network shares for files to encrypt. It likely targets a wide range of file types, avoiding critical system files to keep the OS running so the victim can read the ransom note.
  3. Data Encryption: Gines uses a cryptographic algorithm to encrypt the discovered files. This is the core impact of the attack, corresponding to T1486 - Data Encrypted for Impact.
  4. Artifacts: During its process, it creates several artifacts:
    • File Extension: Appends .gines to encrypted files, along with a victim ID and email address.
    • Ransom Note: Drops a text file named +README-WARNING+.txt in directories. This is a form of T1491.001 - Defacement.
    • Wallpaper: May modify the desktop wallpaper to display a warning message.
  5. Command and Control: The ransom note provides an Outlook email address (ginesomna@outlook.com) for the victim to initiate contact. This use of a public email service for C2 is a simple but common tactic for some ransomware groups, mapping to T1567.002 - Exfiltration to Cloud Storage for the initial contact.

Impact Assessment

As with any ransomware attack, the impact can be devastating:

  • Operational Disruption: Encryption of critical files can bring business operations to a complete standstill.
  • Data Breach: The exfiltration of data constitutes a data breach, which carries legal and regulatory obligations for notification, as well as reputational damage if the data is leaked.
  • Financial Loss: This includes the cost of the ransom (if paid), recovery efforts, and lost business during downtime.

IOCs — Directly from Articles

Type            Value                   Description
file_name       +README-WARNING+.txt    The name of the ransom note dropped by the malware.
file_name       *.gines                 The file extension pattern appended to encrypted files.
email_address   ginesomna@outlook.com   The contact email address provided in the ransom note.

Cyber Observables — Hunting Hints

Security teams can hunt for signs of Gines or other Makop-family ransomware:

Type                   Value                    Description
file_name              +README-WARNING+.txt     Use EDR or file integrity monitoring to search for the creation of files with this specific name.
command_line_pattern   wmic shadowcopy delete   Search for command-line execution of commands to delete Volume Shadow Copies, a common precursor to encryption.
process_name           [random].exe             Monitor for the execution of unsigned or newly created executables in user profile directories like AppData\Local\Temp.
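The three hunting hints above, expressed as rules run over process-creation and file-creation telemetry. This is an added example, not code from CYFIRMA or the article; the Event fields (kind, host, pid, image, target, cmdline, signed) are an assumed Sysmon-like shape, the sample events are constructed, and the vssadmin form of the shadow-copy deletion is included alongside the wmic form from the table because the D3FEND section mentions both.

```python
"""Hunting rules for the three observables above, applied to constructed
Sysmon-style events.  Added example; event field names are assumptions."""
import fnmatch
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "FileCreate" or "ProcessCreate"
    host: str
    pid: int
    image: str           # full path of the process that acted
    target: str = ""     # file path, for FileCreate events
    cmdline: str = ""    # command line, for ProcessCreate events
    signed: bool = True  # code-signature state as reported by the sensor


RANSOM_NOTE = "+README-WARNING+.txt"
ENCRYPTED_GLOB = "*.gines"
# "wmic shadowcopy delete" from the table, plus the equivalent vssadmin form.
SHADOW_DELETE = re.compile(
    r"(wmic(\.exe)?\s+shadowcopy\s+delete|vssadmin(\.exe)?\s+delete\s+shadows)",
    re.IGNORECASE,
)
# Executables launched from a user's AppData\Local\Temp directory.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def hunt(events):
    """Return (rule, host, pid, detail) tuples for every event matching a rule."""
    hits = []
    for e in events:
        if e.kind == "FileCreate":
            name = e.target.rsplit("\\", 1)[-1]
            if name == RANSOM_NOTE:
                hits.append(("ransom_note_created", e.host, e.pid, e.target))
            elif fnmatch.fnmatch(name.lower(), ENCRYPTED_GLOB):
                hits.append(("gines_extension_written", e.host, e.pid, e.target))
        elif e.kind == "ProcessCreate":
            if SHADOW_DELETE.search(e.cmdline):
                hits.append(("shadow_copy_deletion", e.host, e.pid, e.cmdline))
            if not e.signed and USER_TEMP.search(e.image):
                hits.append(("unsigned_exe_in_user_temp", e.host, e.pid, e.image))
    return hits


def sample_events():
    """Constructed telemetry: benign activity mixed with the Gines observables."""
    return [
        Event("ProcessCreate", "WS01", 3100, r"C:\Windows\System32\notepad.exe",
              cmdline="notepad.exe notes.txt"),
        Event("ProcessCreate", "WS01", 4242,
              r"C:\Users\alice\AppData\Local\Temp\kjx82m.exe",
              cmdline="kjx82m.exe", signed=False),
        Event("ProcessCreate", "WS01", 4300, r"C:\Windows\System32\wbem\WMIC.exe",
              cmdline="wmic shadowcopy delete"),
        Event("FileCreate", "WS01", 4242, r"C:\Users\alice\AppData\Local\Temp\kjx82m.exe",
              target=r"C:\Users\alice\Documents\budget.xlsx.[ID].[ginesomna@outlook.com].gines"),
        Event("FileCreate", "WS01", 4242, r"C:\Users\alice\AppData\Local\Temp\kjx82m.exe",
              target=r"C:\Users\alice\Documents\+README-WARNING+.txt"),
        Event("FileCreate", "WS01", 3100, r"C:\Windows\System32\notepad.exe",
              target=r"C:\Users\alice\Documents\notes.txt"),
    ]


if __name__ == "__main__":
    for hit in hunt(sample_events()):
        print(hit)
```

The ransom-note and extension rules are exact, low-noise matches and can page straight away; the unsigned-executable-in-Temp rule will also fire on legitimate installers, so in practice it is better used as a hunting query or a lower-severity signal that is correlated with the others.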

Detection & Response

  • Detection:
    • Behavioral Analysis: The most effective way to detect a new ransomware variant is through behavioral analysis. EDR and antivirus solutions should be configured to detect and block behaviors like rapid file encryption, deletion of backups, and modification of large numbers of files.
    • Honeypots/Canary Files: Place canary files on file shares. These are fake but enticingly named files (e.g., passwords.xlsx). Configure high-priority alerts to trigger if these files are ever accessed or modified, as this can be an early sign of a ransomware process scanning the network.

Mitigation

Standard ransomware mitigation strategies apply:

  • Backups: Maintain offline, immutable, and regularly tested backups. This is the most critical defense, allowing for recovery without paying the ransom (M1053 - Data Backup).
  • Security Awareness: Train users to recognize and report phishing emails, a common entry vector for ransomware (M1017 - User Training).
  • Access Control: Secure remote access points like RDP with strong passwords and MFA. Enforce the principle of least privilege to limit an attacker's ability to move laterally (M1026 - Privileged Account Management).
  • Email Filtering: Use an email security gateway to block malicious attachments and links.

Timeline of Events

  • May 29, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Maintain offline and immutable backups to ensure recovery without paying the ransom.
  • Use modern EDR/antivirus solutions with behavioral detection to identify and block ransomware activity.
  • Segment networks to prevent ransomware from spreading from workstations to critical servers and backup systems.

D3FEND Defensive Countermeasures

File Content Rules, often implemented as part of an Endpoint Detection and Response (EDR) or Data Loss Prevention (DLP) solution, can be highly effective in detecting and stopping ransomware like Gines. Security teams can create rules that monitor for the creation of files with specific names or content. For Gines, a high-confidence rule would be to detect any file created with the name +README-WARNING+.txt. Upon detection, the system can be configured to automatically trigger an alert, quarantine the host machine, and terminate the offending process. This can stop the ransomware in its tracks before it encrypts a significant portion of the file system. Another powerful use of this technique is creating 'honeypot' or 'canary' files on network shares. These files are given enticing names like Finance_Passwords_2026.xlsx and are monitored for any read or write activity. Since no legitimate user should ever touch these files, any interaction is a very strong signal of malicious reconnaissance or encryption activity, providing an early warning of an attack.
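The canary-file technique described here and in the Detection section, as an added example that is not part of the original article: decoys are written to a share, a baseline fingerprint is recorded, and a later check reports any decoy that was modified, renamed or deleted. The decoy names follow the article; the temporary directory standing in for a share, the random content, and the simulated tampering in demo() are all constructed.

```python
"""Canary (decoy) files for a file share: deploy them, record a baseline, and
report modification, renaming or deletion.  Added example; names and the
temporary "share" directory are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

# Decoy names follow the article; the content is random so nothing real leaks.
CANARY_NAMES = ["Finance_Passwords_2026.xlsx", "passwords.xlsx"]


def fingerprint(path):
    """SHA-256 of the content plus size and modification time (nanoseconds)."""
    st = os.stat(path)
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    return digest, st.st_size, st.st_mtime_ns


def deploy_canaries(share_root):
    """Write the decoys and return the baseline {path: fingerprint}."""
    baseline = {}
    for name in CANARY_NAMES:
        p = Path(share_root) / name
        p.write_bytes(os.urandom(2048))
        baseline[str(p)] = fingerprint(p)
    return baseline


def check_canaries(baseline):
    """Compare every decoy with its baseline.  Returns (path, finding) pairs;
    any finding warrants a high-priority alert because no legitimate user
    should touch these files.  Read-only access does not change the
    fingerprint, so catching reads needs the OS file-access audit log,
    which is outside this example."""
    findings = []
    for path, (digest, size, mtime_ns) in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing_or_renamed"))
            continue
        new_digest, new_size, new_mtime = fingerprint(path)
        if new_digest != digest or new_size != size:
            findings.append((path, "content_modified"))
        elif new_mtime != mtime_ns:
            findings.append((path, "metadata_changed"))
    return findings


def demo():
    """Deploy decoys into a temporary directory standing in for a share, then
    simulate what an encrypt-in-place ransomware does to them."""
    with tempfile.TemporaryDirectory() as share:
        baseline = deploy_canaries(share)
        clean = check_canaries(baseline)             # nothing touched yet
        victim, renamed = sorted(baseline)
        Path(victim).write_bytes(os.urandom(2048))   # overwritten, as if encrypted in place
        os.rename(renamed, renamed + ".gines")       # renamed with the Gines extension
        return clean, [finding for _, finding in check_canaries(baseline)]


if __name__ == "__main__":
    print(demo())
```

Run check_canaries on a schedule or from a file-change notification, and keep the baseline somewhere the share's users cannot write; a decoy that is both renamed and re-encrypted shows up as missing, which is why the renamed case is reported as strongly as the modified one.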

Since new ransomware variants like Gines may not have known file hashes, detection must rely on behavioral process analysis. Modern EDR solutions are designed to do this. They monitor the chain of actions taken by a process and compare them to known malicious patterns. For a ransomware attack, this would involve detecting a single process that: 1) attempts to delete Volume Shadow Copies (via vssadmin or WMI calls), 2) enumerates a large number of files on local and network drives in a short period, 3) begins rapidly modifying and renaming files (e.g., adding the .gines extension), and 4) drops a ransom note file (+README-WARNING+.txt). By correlating these individual actions into a single high-confidence 'ransomware behavior' alert, the EDR can terminate the malicious process and its children, effectively halting the encryption process before it can cause widespread damage. This behavioral approach is crucial for defending against zero-day malware.
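A small correlation engine for the four behaviors listed above, added here as an example and not taken from any EDR product or from the article: events are grouped by originating process, each behavior becomes a named signal with the time it first appeared, and a single high-confidence alert (with the process and its children listed for termination) is raised only when all four fall inside one time window. The event dictionary layout, the thresholds, and the sample telemetry (a ransomware-like process and a backup agent that reads many files but renames none) are assumptions constructed for the example.

```python
"""Correlate per-process EDR events into one ransomware-behavior alert,
following the four signals listed above.  Added example; event layout,
thresholds and sample telemetry are assumptions."""
import re
from collections import defaultdict

SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE)
RANSOM_NOTE = "+README-WARNING+.txt"
ENCRYPTED_EXT = ".gines"

# Thresholds are assumptions for this example; tune them per environment.
ENUM_THRESHOLD = 100      # distinct files one process has read
RENAME_THRESHOLD = 25     # renames to the ransomware extension by one process
WINDOW_SECONDS = 120.0    # all four signals must fall inside this window


def correlate(events):
    """Group events by originating process and look for the four behaviors
    together.  Returns {pid: alert} for processes showing all four inside
    WINDOW_SECONDS.  A shadow-copy deletion is attributed to the parent
    that spawned vssadmin/wmic, not to the helper process itself."""
    signals = defaultdict(dict)        # pid -> {signal_name: first_ts}
    enum_paths = defaultdict(set)      # pid -> distinct files read
    rename_counts = defaultdict(int)   # pid -> renames to .gines
    children = defaultdict(list)       # pid -> child pids it spawned

    for e in sorted(events, key=lambda ev: ev["ts"]):
        pid, ts, action = e["pid"], e["ts"], e["action"]
        if action == "process_create":
            parent = e["ppid"]
            children[parent].append(pid)
            if SHADOW_DELETE.search(e.get("cmdline", "")):
                signals[parent].setdefault("shadow_copy_deletion", ts)
        elif action == "file_read":
            enum_paths[pid].add(e["path"].lower())
            if len(enum_paths[pid]) >= ENUM_THRESHOLD:
                signals[pid].setdefault("mass_file_enumeration", ts)
        elif action == "file_rename":
            if e["new_path"].lower().endswith(ENCRYPTED_EXT):
                rename_counts[pid] += 1
                if rename_counts[pid] >= RENAME_THRESHOLD:
                    signals[pid].setdefault("mass_rename_to_gines", ts)
        elif action == "file_create":
            if e["path"].rsplit("\\", 1)[-1] == RANSOM_NOTE:
                signals[pid].setdefault("ransom_note_dropped", ts)

    alerts = {}
    for pid, seen in signals.items():
        if len(seen) == 4 and max(seen.values()) - min(seen.values()) <= WINDOW_SECONDS:
            alerts[pid] = {
                "severity": "high",
                "signals": sorted(seen, key=seen.get),   # in order of first appearance
                "terminate": [pid] + children[pid],      # the process and what it spawned
            }
    return alerts


def sample_events():
    """Constructed telemetry: a ransomware-like process (pid 4242) and a
    backup agent (pid 1000) that reads many files but renames nothing."""
    t = 1000.0
    ev = [{"ts": t, "pid": 4300, "ppid": 4242, "action": "process_create",
           "cmdline": "vssadmin.exe delete shadows /all /quiet"}]
    for i in range(ENUM_THRESHOLD):
        ev.append({"ts": t + 1 + i * 0.01, "pid": 4242, "action": "file_read",
                   "path": f"\\\\fileserver\\share\\doc{i}.docx"})
        ev.append({"ts": t + 1 + i * 0.01, "pid": 1000, "action": "file_read",
                   "path": f"C:\\Users\\alice\\Documents\\doc{i}.docx"})
    for i in range(RENAME_THRESHOLD):
        ev.append({"ts": t + 5 + i * 0.05, "pid": 4242, "action": "file_rename",
                   "path": f"\\\\fileserver\\share\\doc{i}.docx",
                   "new_path": f"\\\\fileserver\\share\\doc{i}.docx.[ID].[ginesomna@outlook.com].gines"})
    ev.append({"ts": t + 10, "pid": 4242, "action": "file_create",
               "path": "\\\\fileserver\\share\\+README-WARNING+.txt"})
    return ev


if __name__ == "__main__":
    for pid, alert in correlate(sample_events()).items():
        print(pid, alert)
```

Requiring all four signals keeps the backup agent, indexers and sync clients quiet; for an earlier response, the same structure can emit a medium-severity alert at three signals and suspend rather than kill the process until the fourth arrives.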

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

ransomware, Gines, Makop, threat intelligence, malware analysis, double extortion
