Tuesday, December 16, 2025

Acronis researchers found that most Makop attacks begin with breaking into unsecured Remote Desktop Protocol (RDP) systems.

A recent report by Acronis Research revealed that India accounts for 55% of the victims in recent Makop ransomware operations, making it the most targeted country for this threat. Attackers are exploiting weaker cybersecurity practices in the region and building tooling to disable the local antivirus products commonly used there.

Key Findings of the Acronis Report

Primary Entry Point: Most Makop attacks begin by compromising unsecured Remote Desktop Protocol (RDP) systems, often using automated tools to guess weak passwords.

Evolving Delivery Method: The ransomware is now being distributed through Guloader, a type of malware downloader, which helps the attackers better hide the ransomware from security software.

Bypassing Security: The threat actors use a mix of off-the-shelf tools, including network scanners, credential stealers (like Mimikatz), and utilities designed to disable or uninstall security products, including specific Indian antivirus software like Quick Heal.

Targeting SMBs: The Acronis findings suggest a significant risk for India's Small and Medium Businesses (SMBs) and critical sectors, highlighting a need for improved cybersecurity hygiene.

Acronis researchers found that most Makop attacks begin with breaking into unsecured Remote Desktop Protocol (RDP) systems. Attackers use automated tools to guess weak passwords and gain access. After entering, they follow a simple but effective playbook: scanning the network, stealing login credentials, moving deeper into systems, disabling security products, and then finally encrypting data. In many cases, they use known tools like Mimikatz for credential theft and network scanners to map the environment.
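The first step in that playbook, automated password guessing against exposed RDP, leaves a distinctive trail in the Windows Security log: a burst of event 4625 (failed logon) with logon type 10 (RemoteInteractive) from one source, sometimes followed by a 4624 (successful logon) from the same source. The following is an added example of a detector for that pattern, not Acronis code and not data from the Makop investigation; the events are constructed to mirror the Windows field names (EventID, LogonType, IpAddress, TargetUserName, TimeCreated), and the threshold and window values are assumptions a defender would tune to their environment.

```python
"""Detect RDP password guessing (and a success right after it) in Windows
Security events. Added example with constructed sample data; it is not Acronis
code and the events are not from the Makop investigation."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10      # RemoteInteractive: interactive logon over RDP
FAILED_LOGON = 4625      # Security event: an account failed to log on
SUCCESS_LOGON = 4624     # Security event: an account was successfully logged on


def constructed_events():
    """Build a small, constructed event set shaped like Windows Security log
    fields (EventID, LogonType, IpAddress, TargetUserName, TimeCreated)."""
    base = datetime(2025, 12, 10, 2, 0, 0)
    names = ["administrator", "admin", "backupadmin", "test", "user1", "scan"]
    events = []
    # One source hammers RDP: 12 failures in two minutes, rotating usernames...
    for i in range(12):
        events.append({"EventID": FAILED_LOGON, "LogonType": RDP_LOGON_TYPE,
                       "IpAddress": "203.0.113.7",
                       "TargetUserName": names[i % len(names)],
                       "TimeCreated": (base + timedelta(seconds=10 * i)).isoformat()})
    # ...then a success for one of the guessed accounts.
    events.append({"EventID": SUCCESS_LOGON, "LogonType": RDP_LOGON_TYPE,
                   "IpAddress": "203.0.113.7", "TargetUserName": "backupadmin",
                   "TimeCreated": (base + timedelta(minutes=2, seconds=30)).isoformat()})
    # A second source with only two failures (a typo, not an attack).
    for i in range(2):
        events.append({"EventID": FAILED_LOGON, "LogonType": RDP_LOGON_TYPE,
                       "IpAddress": "198.51.100.9", "TargetUserName": "jsmith",
                       "TimeCreated": (base + timedelta(minutes=1, seconds=i)).isoformat()})
    # A normal internal RDP logon with no preceding failures.
    events.append({"EventID": SUCCESS_LOGON, "LogonType": RDP_LOGON_TYPE,
                   "IpAddress": "10.0.0.5", "TargetUserName": "jsmith",
                   "TimeCreated": (base + timedelta(minutes=3)).isoformat()})
    # Failures over a network logon (type 3) are out of scope for this RDP rule.
    for i in range(15):
        events.append({"EventID": FAILED_LOGON, "LogonType": 3,
                       "IpAddress": "203.0.113.8", "TargetUserName": "svc",
                       "TimeCreated": (base + timedelta(seconds=i)).isoformat()})
    return events


def detect_rdp_password_guessing(events, threshold=10, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for sources with >= threshold failed RDP
    logons inside a sliding window, noting any RDP success from the same
    source that lands while the burst is still inside the window."""
    ordered = sorted(events, key=lambda e: e["TimeCreated"])  # ISO-8601 sorts lexically
    recent_failures = defaultdict(list)   # ip -> [(timestamp, username)] within window
    findings = {}
    for ev in ordered:
        if ev["LogonType"] != RDP_LOGON_TYPE:
            continue
        ip, user = ev["IpAddress"], ev["TargetUserName"]
        ts = datetime.fromisoformat(ev["TimeCreated"])
        bucket = recent_failures[ip]
        # Expire failures that have fallen out of the window.
        while bucket and ts - bucket[0][0] > window:
            bucket.pop(0)
        if ev["EventID"] == FAILED_LOGON:
            bucket.append((ts, user))
            if len(bucket) >= threshold:
                f = findings.setdefault(ip, {"failed_attempts": 0, "usernames": set(),
                                             "success_after_failures": None})
                f["failed_attempts"] = max(f["failed_attempts"], len(bucket))
                f["usernames"].update(u for _, u in bucket)
        elif ev["EventID"] == SUCCESS_LOGON and ip in findings and bucket:
            # A success while the guessing burst is still inside the window is
            # the point at which the account and host should be treated as compromised.
            findings[ip]["success_after_failures"] = user
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_password_guessing(constructed_events()).items():
        print(ip, finding)
```

The rule keys on logon type 10 so that ordinary network logon failures do not pollute the count, and it keeps the set of usernames tried because a rotating list of account names from one address is what distinguishes automated guessing from a user mistyping a password. In production the same logic runs over events pulled from the Security log or a SIEM, and the `success_after_failures` field is the alert that should page someone rather than wait for a daily review.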

Ilia Dafchev, Senior Security Researcher, Acronis, said, “Makop is not a brand-new family of ransomware, but it is changing in ways that are impossible for defenses to ignore. Makop is being deployed using Guloader for the first time, which is a significant change from its typical manual, RDP-based distribution. This modification makes the ransomware more difficult to identify and indicates that even low-complexity attackers are using increasingly complex methods. The regional targeting pattern, 55% of the victims we saw were in India, where attackers even created tools to remove popular local security products, is particularly alarming. These results demonstrate a straightforward reality: businesses that have inadequate security measures or exposed RDP services continue to be highly vulnerable. Improving fundamental cyber hygiene is now essential to staying ahead of fast-evolving threats like these.”

Acronis warns that this combination of old vulnerabilities, weak passwords, and exposed remote access systems continues to put organizations at high risk. The Makop campaign reflects a broader pattern across ransomware groups: attackers often rely on basic security gaps that are easy to fix but widely ignored.

The company recommends that businesses immediately secure all remote access with Multi-Factor Authentication (MFA), apply regular patches, limit public RDP access, and deploy strong endpoint protection capable of detecting loaders like Guloader. Better password practices and regular security audits can also significantly reduce risk.

By - Aaradhay Sharma

