Acronis Study Finds India Top Target Of Makop Ransomware

An Acronis study reveals Makop ransomware now targets India most, using Guloader and unsecured RDP systems to bypass defenses and encrypt data.

SMEStreet Edit Desk

A new Acronis Research study has uncovered an important shift in how the Makop ransomware group operates, with India emerging as the most targeted country. The study shows that 55% of victims are based in India, indicating that attackers are focusing on regions where they can exploit weaker security practices and commonly used local antivirus solutions.

Makop, which first appeared around 2020 and is part of the Phobos ransomware family, has recently changed its delivery methods. The study documents the first known instance of Makop being distributed through Guloader, a loader malware usually used to drop simple information-stealing tools. This is a significant shift: delivering the ransomware through a loader adds a layer of obfuscation that makes the payload harder for security tools to detect.

Acronis researchers found that most Makop attacks begin with breaking into unsecured Remote Desktop Protocol (RDP) systems. Attackers use automated tools to guess weak passwords and gain access. After entering, they follow a simple but effective playbook: scanning the network, stealing login credentials, moving deeper into systems, disabling security products, and then finally encrypting data. In many cases, they use known tools like Mimikatz for credential theft and network scanners to map the environment.
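The initial-access stage of the playbook described above leaves a recognisable trace in the Windows Security log: a burst of failed logons (event 4625) from one source address, followed by a successful RemoteInteractive logon (event 4624, LogonType 10) from the same address. The following detection routine is an added example written for this article; it is not Acronis's code or tooling. The event records are constructed inline to stand in for parsed log entries, and the threshold and window values are assumptions a defender would tune to their own environment.

```python
"""Detect RDP password guessing followed by a successful remote logon.

Added example, not from the Acronis study. Input is a list of dicts
standing in for parsed Windows Security events:
  4625 = failed logon, 4624 = successful logon,
  logon_type 10 = RemoteInteractive (an RDP session).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    # Source 203.0.113.7: six failed guesses against "administrator", then success.
    {"time": "2024-01-10T02:00:01", "id": 4625, "user": "administrator", "src": "203.0.113.7", "logon_type": 10},
    {"time": "2024-01-10T02:00:03", "id": 4625, "user": "administrator", "src": "203.0.113.7", "logon_type": 10},
    {"time": "2024-01-10T02:00:05", "id": 4625, "user": "administrator", "src": "203.0.113.7", "logon_type": 10},
    {"time": "2024-01-10T02:00:08", "id": 4625, "user": "administrator", "src": "203.0.113.7", "logon_type": 10},
    {"time": "2024-01-10T02:00:11", "id": 4625, "user": "administrator", "src": "203.0.113.7", "logon_type": 10},
    {"time": "2024-01-10T02:00:14", "id": 4625, "user": "administrator", "src": "203.0.113.7", "logon_type": 10},
    {"time": "2024-01-10T02:00:20", "id": 4624, "user": "administrator", "src": "203.0.113.7", "logon_type": 10},
    # Source 198.51.100.9: password guessing still in progress, no success yet.
    {"time": "2024-01-10T02:05:00", "id": 4625, "user": "backup", "src": "198.51.100.9", "logon_type": 10},
    {"time": "2024-01-10T02:05:02", "id": 4625, "user": "backup", "src": "198.51.100.9", "logon_type": 10},
    {"time": "2024-01-10T02:05:04", "id": 4625, "user": "backup", "src": "198.51.100.9", "logon_type": 10},
    {"time": "2024-01-10T02:05:06", "id": 4625, "user": "backup", "src": "198.51.100.9", "logon_type": 10},
    {"time": "2024-01-10T02:05:08", "id": 4625, "user": "backup", "src": "198.51.100.9", "logon_type": 10},
    # Source 10.0.0.25: a legitimate user who mistyped once, then logged in.
    {"time": "2024-01-10T08:30:00", "id": 4625, "user": "alice", "src": "10.0.0.25", "logon_type": 10},
    {"time": "2024-01-10T08:30:10", "id": 4624, "user": "alice", "src": "10.0.0.25", "logon_type": 10},
    # A console logon (LogonType 2) is outside the RDP filter and is ignored.
    {"time": "2024-01-10T09:00:00", "id": 4624, "user": "bob", "src": "-", "logon_type": 2},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for RDP password guessing and guessing-then-success.

    threshold and window are assumed tuning values. A "medium" alert fires
    when a source reaches `threshold` failures inside `window`; a "high"
    alert fires when a success from that source follows such a burst.
    """
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of recent 4625 events
    for e in sorted(events, key=lambda rec: rec["time"]):
        if e["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest here
        t = datetime.fromisoformat(e["time"])
        src = e["src"]
        # Drop failures that have aged out of the sliding window.
        failures[src] = [f for f in failures[src] if t - f <= window]
        if e["id"] == 4625:
            failures[src].append(t)
            if len(failures[src]) == threshold:
                alerts.append({"severity": "medium", "src": src, "user": e["user"],
                               "failures": threshold, "time": e["time"],
                               "reason": "RDP password guessing in progress"})
        elif e["id"] == 4624:
            if len(failures[src]) >= threshold:
                alerts.append({"severity": "high", "src": src, "user": e["user"],
                               "failures": len(failures[src]), "time": e["time"],
                               "reason": "RDP logon succeeded after password guessing"})
            failures[src].clear()  # a success ends the current guessing episode
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['time']} {alert['src']} "
              f"user={alert['user']} failures={alert['failures']}: {alert['reason']}")
```

On the constructed sample the routine raises a medium alert for each of the two guessing sources and a high alert only for 203.0.113.7, where the burst ended in a successful session; the single mistyped password from 10.0.0.25 stays below the threshold and produces nothing. The high-severity sequence is the one worth paging on, since it corresponds to the point in the playbook where the attacker has a foothold and the scanning and credential-theft stages follow.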

Ilia Dafchev, Senior Security Researcher, Acronis, said, “Makop is not a brand-new family of ransomware, but it is changing in ways that are impossible for defenses to ignore. Makop is being deployed using Guloader for the first time, which is a significant change from its typical manual, RDP-based distribution. This modification makes the ransomware more difficult to identify and indicates that even low-complexity attackers are using increasingly complex methods. The regional targeting pattern, 55% of the victims we saw were in India, where attackers even created tools to remove popular local security products, is particularly alarming. These results demonstrate a straightforward reality: businesses that have inadequate security measures or exposed RDP services continue to be highly vulnerable. Improving fundamental cyber hygiene is now essential to staying ahead of fast-evolving threats like these.”

The study also shows that attackers are making extra effort to bypass security solutions. They use uninstallers created specifically to remove Indian antivirus software such as Quick Heal. They also use vulnerable drivers and legitimate tools like Process Hacker to disable protective software. To increase the chances of success, the Makop group uses several known Windows vulnerabilities for privilege escalation, some of which date back many years.

Acronis warns that this combination of old vulnerabilities, weak passwords, and exposed remote access systems continues to put organizations at high risk. The Makop campaign reflects a broader pattern across ransomware groups: attackers often rely on basic security gaps that are easy to fix but widely ignored.

The company recommends that businesses immediately secure all remote access with Multi-Factor Authentication (MFA), apply regular patches, limit public RDP access, and deploy strong endpoint protection capable of detecting loaders like Guloader. Better password practices and regular security audits can also significantly reduce risk.
