Makop ransomware attacks in India have increased sharply, according to a new study from Acronis that highlights a shift in both geographic focus and technical approach. The findings show that 55 percent of identified victims are based in India, which the researchers read as a deliberate strategy of targeting organisations with weaker security controls and internet-exposed remote access systems.
The campaign reflects how ransomware groups continue to succeed by exploiting basic security gaps rather than relying solely on advanced techniques.
Delivery methods evolve with Guloader
Makop, first observed around 2020 and linked to the Phobos ransomware family, has altered how it is deployed. The study documents the first known use of Guloader to distribute Makop, a change from its traditional hands-on-keyboard deployment over compromised Remote Desktop Protocol (RDP) sessions.
A loader adds a stage between the initial file and the ransomware payload, which helps conceal the malicious component from signature-based tools and makes infections harder to identify before encryption begins.
RDP access remains the primary entry point
Researchers found that most Makop ransomware attacks in India begin with unauthorised access to unsecured RDP services exposed to the internet. Attackers use automated tools to brute-force weak passwords and gain entry.
Once inside, the intrusion follows a consistent pattern: the network is scanned, credentials are harvested, the attackers move laterally, security software is disabled and data is finally encrypted. Mimikatz is used to dump credentials, while network scanners help map systems before the final stage is launched.
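The RDP brute-force entry described above leaves a distinctive trail in the Windows Security log: a burst of failed logons (event 4625) with logon type 10 from one source address, often across many account names, followed by a successful logon (event 4624) from the same source. The following Python is an added example (not code from the Acronis study) that runs that detection over a constructed set of event records; the field names mirror exported Security-log fields, and the threshold and window values are assumptions to tune per environment.

```python
"""Added example: flag RDP brute-force bursts from Windows Security events.

Not part of the Acronis study. Input is a constructed list of event dicts
standing in for exported 4625/4624 events; threshold and window are assumed
starting values, not recommendations from the page.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # An account failed to log on
SUCCESS_LOGON = 4624     # An account was successfully logged on
RDP_LOGON_TYPE = 10      # RemoteInteractive, i.e. RDP / Terminal Services


def _ts(minute, second=0):
    """Constructed timestamps inside one hour of a single day."""
    return datetime(2025, 12, 16, 15, minute, second)


# Constructed sample events (not real telemetry): one external address hammers
# the exposed RDP service with many account names and finally lands a valid
# password; a LAN admin mistypes once and then logs in; one non-RDP failure.
SAMPLE_EVENTS = (
    [{"EventID": FAILED_LOGON, "TimeCreated": _ts(1, i * 5),
      "IpAddress": "203.0.113.45", "TargetUserName": user,
      "LogonType": RDP_LOGON_TYPE}
     for i, user in enumerate(["administrator", "admin", "backup", "scan",
                               "test", "administrator", "admin", "root",
                               "user", "guest", "administrator", "helpdesk"])]
    + [{"EventID": SUCCESS_LOGON, "TimeCreated": _ts(2, 30),
        "IpAddress": "203.0.113.45", "TargetUserName": "administrator",
        "LogonType": RDP_LOGON_TYPE}]
    + [{"EventID": FAILED_LOGON, "TimeCreated": _ts(10),
        "IpAddress": "10.0.0.7", "TargetUserName": "it.admin",
        "LogonType": RDP_LOGON_TYPE},
       {"EventID": SUCCESS_LOGON, "TimeCreated": _ts(10, 20),
        "IpAddress": "10.0.0.7", "TargetUserName": "it.admin",
        "LogonType": RDP_LOGON_TYPE}]
    + [{"EventID": FAILED_LOGON, "TimeCreated": _ts(11),
        "IpAddress": "10.0.0.9", "TargetUserName": "svc_print",
        "LogonType": 3}]   # network logon, ignored by the RDP filter
)


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for sources with >= threshold failed RDP
    logons inside any sliding window, noting whether a successful RDP logon
    from the same source followed the burst (the password was guessed)."""
    rdp = sorted((e for e in events if e["LogonType"] == RDP_LOGON_TYPE),
                 key=lambda e: e["TimeCreated"])
    failures, successes = defaultdict(list), defaultdict(list)
    for e in rdp:
        bucket = failures if e["EventID"] == FAILED_LOGON else successes
        bucket[e["IpAddress"]].append(e)

    findings = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # shrink the window from the left until it spans <= `window`
            while fails[end]["TimeCreated"] - fails[start]["TimeCreated"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end]["TimeCreated"]
                later = [s for s in successes.get(ip, [])
                         if s["TimeCreated"] >= burst_end]
                findings[ip] = {
                    "failed_logons": len(fails),
                    "distinct_accounts": len({f["TargetUserName"] for f in fails}),
                    "first_seen": fails[0]["TimeCreated"],
                    "success_after_burst": bool(later),
                    "compromised_accounts": sorted({s["TargetUserName"] for s in later}),
                }
                break   # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {f['failed_logons']} failures over "
              f"{f['distinct_accounts']} accounts since {f['first_seen']}; "
              f"success after burst: {f['success_after_burst']} "
              f"{f['compromised_accounts']}")
```

A source that trips the threshold and then succeeds is the case to escalate first: the account it landed on is where the credential harvesting and lateral movement described above will start. Lowering the threshold trades more alerts for earlier warning; the constructed LAN admin with a single typo stays below any sensible value.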
Targeted efforts to bypass security software
The study shows that attackers take additional steps to neutralise defensive tools. Custom uninstallers have been built to remove Indian antivirus products, including Quick Heal. In other cases, the group abuses vulnerable signed drivers (the bring-your-own-vulnerable-driver technique) and legitimate utilities such as Process Hacker to terminate or disable protection.
Privilege escalation relies on exploiting known Windows vulnerabilities, some of them years old, so a host that is missing patches is likely to be fully compromised once initial access is gained.
Broader risks tied to basic security gaps
According to Acronis, the Makop campaign highlights a wider trend across ransomware operations. Attackers continue to rely on a combination of exposed remote access, weak passwords and unpatched systems.
Ilia Dafchev, Senior Security Researcher, Acronis, said Makop’s use of Guloader represents a significant shift that makes the ransomware harder to detect and shows how even low-complexity actors are adopting more sophisticated techniques. The high concentration of victims in India, combined with tools designed to remove local security software, underlines the scale of the risk.
Recommendations for reducing exposure
The study recommends immediate steps to reduce exposure to Makop ransomware attacks in India: securing all remote access with multi-factor authentication, applying security patches promptly, and limiting public exposure of RDP services (for example, by placing RDP behind a VPN or remote desktop gateway rather than on a public IP address).
Organisations are also advised to deploy endpoint protection capable of detecting loader-based threats, improve password practices and conduct regular security audits to close the gaps attackers continue to exploit.