Increasing cases of Makop Ransomware Reported

Summary

The BtCIRT has recently received an increasing number of incidents involving MKP ransomware, a new variant of the Makop ransomware, across various sectors in the country. While the majority of intrusions are traced back to insecure Remote Desktop Protocol (RDP) access, Makop operators are also known to exploit compromised credentials, unpatched systems, and malicious email attachments as alternative access points.

This advisory strongly urges all organizations to immediately assess and disable exposed RDP services, and to adopt a layered approach to hardening remote access and overall network security.

Observed Initial Access Vectors:

  • Exposed RDP Services: Often brute-forced or accessed using leaked credentials.
  • Phishing Emails: Containing malicious attachments or links leading to malware downloaders.
  • Stolen or Leaked Credentials: From previous breaches or dark web marketplaces.
  • Unpatched Software or VPN Devices: Exploited to gain a foothold without user interaction.

Immediate Recommendations

  1. Disable or Restrict RDP
  • Do not expose RDP (TCP 3389) to the internet.
  • If RDP is required:
    • Enforce access via VPN with MFA.
    • Restrict access to specific IPs using firewall rules.
    • Monitor for failed login attempts and unusual login times.
  2. Secure All Remote Access Points
  • Implement multi-factor authentication (MFA) for all remote access tools (VPNs, remote support software, cloud portals).
  • Limit administrative privileges and enforce least privilege access.
  • Regularly review and rotate remote access credentials.
  • Follow zero trust architecture – log connections and secure the endpoint even if RDP is enabled only on the internal network. Assuming a threat actor has gained access to the network, they will try to move laterally through the open RDP service.
  3. Patch and Harden Systems
  • Apply the latest security patches to Windows systems, VPN appliances, and remote access software.
  • Remove or disable unused remote access tools (e.g., TeamViewer, AnyDesk, etc.).
  • Harden endpoint configurations (e.g., disable macros, enforce PowerShell logging).
  4. Prepare for and Detect Intrusions
  • Monitor logs for:
    • Unusual RDP session times
    • Access from foreign IP addresses
    • Creation of suspicious files (e.g., ransom notes, .mkp extensions)
  5. Backup and Recovery
  • Maintain regular, offline backups of critical systems.
  • Ensure backups are immutable and cannot be accessed via compromised credentials.
  • Test restore procedures periodically.

Indicators of Compromise (IoCs)

  • File extensions: .mkp
  • Ransom note filenames: readme-warning.txt, readme.txt
  • Suspicious outbound connections to known C2 IPs or TOR domains
  • Mailbox: datastore@cyberfear.com or back2up@swismail.com
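The log-monitoring items under "Prepare for and Detect Intrusions" and the file-based IoCs above can be turned into a simple triage check. The following is an added example written for this advisory, not tooling from BtCIRT: it flags RDP logons that fall outside an assumed working window or originate outside assumed internal address ranges, and flags newly created files whose names match the ransom notes or .mkp extension listed above. The logon records and file paths are constructed samples, not data from a real incident.

```python
import ipaddress
from datetime import datetime

# Assumed internal address ranges and working hours; replace with the organisation's own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time
# Ransom-note filenames and encrypted-file extension as listed in the advisory.
RANSOM_NOTE_NAMES = {"readme-warning.txt", "readme.txt"}
RANSOM_EXTENSION = ".mkp"

# Constructed sample RDP logon records (timestamp, account, source IP); not from a real incident.
SAMPLE_LOGONS = [
    ("2024-05-02T09:15:00", "alice", "10.0.0.12"),
    ("2024-05-02T02:47:00", "administrator", "10.0.0.12"),
    ("2024-05-02T14:05:00", "bob", "198.51.100.23"),  # documentation range standing in for an external source
]
# Constructed sample of files recently created on a host.
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\budget.xlsx.mkp",
    r"C:\Users\alice\Desktop\readme-warning.txt",
]

def flag_rdp_logon(timestamp, src_ip):
    """Return the reasons an RDP logon deserves review (empty list if none)."""
    reasons = []
    if datetime.fromisoformat(timestamp).hour not in BUSINESS_HOURS:
        reasons.append("off-hours")
    if not any(ipaddress.ip_address(src_ip) in net for net in INTERNAL_NETS):
        reasons.append("external-source")
    return reasons

def flag_file(path):
    """Classify a Windows file path as 'ransom-note', 'encrypted-file', or None."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name in RANSOM_NOTE_NAMES:
        return "ransom-note"
    if name.endswith(RANSOM_EXTENSION):
        return "encrypted-file"
    return None

def scan(logons, files):
    # Run both checks and collect (reason, detail) alerts for triage.
    alerts = []
    for ts, account, ip in logons:
        for reason in flag_rdp_logon(ts, ip):
            alerts.append((reason, f"{account} from {ip} at {ts}"))
    for path in files:
        reason = flag_file(path)
        if reason:
            alerts.append((reason, path))
    return alerts
```

Running `scan(SAMPLE_LOGONS, SAMPLE_FILES)` on the constructed input yields four alerts: the off-hours administrator logon, the logon from outside the internal ranges, the .mkp file and the ransom note.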

Reporting and Assistance

If you detect suspicious activity or are impacted by ransomware, report immediately to cirt@btcirt.bt. Submit IoCs and logs where possible to support broader threat tracking.

Exposed RDP remains the primary weakness exploited in current Makop campaigns. Disabling or tightly restricting RDP access should be treated as an emergency action. In parallel, review all remote access services and enforce strong authentication.
