Makop Ransomware (Analysis and Recovery Options)
This page details everything you need to know about Makop ransomware. If you have been hit by Makop ransomware and need help recovering your data, we're here to help.
What is Makop ransomware?
Makop ransomware is a file-encrypting trojan: once it runs, it encrypts the victim's files, renames them, and drops a ransom note.
Makop infections are initially hard to notice, because the malware gives no warning while it encrypts. Most victims only discover it once their files have been renamed and ransom notes appear in their folders.
Makop ransomware asks victims to contact the attackers via various email addresses. Victims are instructed to make payment through a TOR page using the unique ID that is generated for their specific device.
Makop ransomware operators accept payment only in bitcoin and will decrypt several files for free to prove they have the working decryption utility.
Below is an example of a computer compromised by the Makop ransomware:
Makop Ransomware Indicators of Compromise (IoC)
There are several Makop ransomware Indicators of Compromise (IoC) that signal the malware is present on a victim computer.
Makop Encrypted Files
The ransomware generally renames Makop encrypted files per the diagram below.
Makop Ransom Note
The Makop ransom note is a .txt file dropped in every folder on the infected computer or server.
Here are some examples of previous Makop ransom note names:
Some versions of the ransom note have a Q&A and others include information about the specific encryption used by Makop. They all provide the victim with instructions on what to do next if they want their files decrypted.
If you intend to have your data recovered, do not delete the Makop ransom note: the information it contains (the attackers' contact addresses and your unique ID) is used during the recovery process.
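As an added example (not Proven Data's tooling and not code from the original page), the script below triages a file listing for the two indicators described in this section: a .txt note dropped into almost every folder, and files carrying an extension appended after their original one. It does not assume Makop's exact naming scheme; the note name, ID, contact address and ".sample-ext" in the sample paths are constructed placeholders, not real Makop artifacts.

```python
"""Ransomware IoC triage over a file listing (added example, not a Proven Data tool).

Surfaces two indicators without knowing the variant's naming scheme in advance:
  1. a .txt ransom note dropped into (almost) every folder, and
  2. an extension appended after the files' original extension.
Every path in SAMPLE_PATHS is constructed; the note name, the ID, the contact
address and ".sample-ext" are placeholders, not real Makop artifacts.
"""
import os
import sys
from collections import defaultdict
from pathlib import PurePosixPath

# Extensions treated as a file's "original" type when they appear inside a
# renamed name (assumption: extend for your environment).  Longest first so
# ".vhdx" is tried before ".vhd".
KNOWN_DOC_EXTS = sorted({".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".txt",
                         ".vhdx", ".vhd", ".bak", ".sql", ".zip"},
                        key=lambda e: (-len(e), e))

SAMPLE_PATHS = [  # constructed listing of an encrypted share
    r"D:\Finance\budget.xlsx.[ID-PLACEHOLDER].[contact@example.invalid].sample-ext",
    r"D:\Finance\invoices.pdf.[ID-PLACEHOLDER].[contact@example.invalid].sample-ext",
    r"D:\Finance\NOTE-PLACEHOLDER.txt",
    r"D:\HR\handbook.docx.[ID-PLACEHOLDER].[contact@example.invalid].sample-ext",
    r"D:\HR\NOTE-PLACEHOLDER.txt",
    r"D:\Backups\fileserver.vhdx.[ID-PLACEHOLDER].[contact@example.invalid].sample-ext",
    r"D:\Backups\db.sql.bak",        # untouched file that happens to have two extensions
    r"D:\Backups\NOTE-PLACEHOLDER.txt",
    r"D:\Public\readme.txt",         # ordinary text file, present in one folder only
    r"D:\Public\logo.jpg",           # untouched
    r"D:\Public\NOTE-PLACEHOLDER.txt",
]


def appended_extension(name):
    """Return the final dotted component appended after a known original
    extension ('report.docx.<anything>.ext' -> '.ext'), or None."""
    lower = name.lower()
    for ext in KNOWN_DOC_EXTS:
        idx = lower.rfind(ext)
        if idx != -1 and idx + len(ext) < len(lower):
            tail = name[idx + len(ext):]          # everything after the original ext
            if tail.startswith("."):              # assumption: appended part is dot-separated
                return ("." + tail.rsplit(".", 1)[-1]).lower()
    return None


def triage(paths, note_ratio=0.8):
    """Summarise ransom-note and renamed-file indicators for an iterable of paths."""
    folders = set()
    txt_folders = defaultdict(set)    # .txt basename -> folders containing it
    by_ext = defaultdict(list)        # appended extension -> renamed paths
    for raw in paths:
        p = PurePosixPath(str(raw).replace("\\", "/"))
        folder = str(p.parent)
        folders.add(folder)
        if p.suffix.lower() == ".txt":
            txt_folders[p.name.lower()].add(folder)
            continue
        ext = appended_extension(p.name)
        if ext:
            by_ext[ext].append(str(p))

    note, note_count = None, 0        # the .txt name seen in the most folders
    for name, fset in txt_folders.items():
        if len(fset) >= note_ratio * len(folders) and len(fset) > note_count:
            note, note_count = name, len(fset)

    ext, renamed = None, []           # the appended extension seen most often
    if by_ext:
        ext = max(by_ext, key=lambda e: len(by_ext[e]))
        renamed = by_ext[ext]
    return {"folders": len(folders), "ransom_note": note, "note_folders": note_count,
            "appended_ext": ext, "renamed_files": len(renamed), "renamed_paths": renamed}


def list_tree(root):
    """Yield every file path under root (run against a read-only mount or a copy)."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            yield os.path.join(dirpath, f)


if __name__ == "__main__":
    r = triage(list_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PATHS)
    print(f"folders scanned: {r['folders']}")
    print(f"suspected ransom note: {r['ransom_note']} (in {r['note_folders']} folders)")
    print(f"appended extension: {r['appended_ext']} on {r['renamed_files']} files")
```

Run it with a path argument to sweep a real share; with no argument it runs over the constructed listing. The reported note name and extension are what you keep (not delete) for the recovery process, and the renamed-path list is the scope of what needs decrypting.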
Makop Virus Name and SHA1 Hash
The Makop ransomware virus has been discovered with the following names:
The Makop SHA1 hashes discovered are:
How to stop Makop Ransomware
You can stop Makop ransomware from spreading by isolating infected devices from the rest of your network: unplug the network cable or disable the network adapter and Wi-Fi. Isolating a device stops the ransomware running on it from encrypting files on network shares and other devices.
Once devices are isolated, preserve forensic evidence first (see the section on preserving evidence below) and then scan with antivirus software to remove the malware and any back doors that have been left behind. Cleaning a system before it has been imaged destroys artifacts an investigation will need.
How much will Makop ransomware recovery cost?
There are several factors that may influence the total cost of recovering files encrypted by the Makop ransomware. They include:
- Assessment fee
- Number of encrypted systems
- Selected priority of service
- Ransom demand amount
How much do Makop ransom demands cost?
Our data from Q4 of 2020 shows that the average initial Makop ransom demand was $31,382.
Makop ransomware operators sometimes demand an additional payment after an amount has been agreed (see the FAQ below).
Before revealing the initial ransom demand, the Makop ransomware attackers are known to ask victims to describe the type of user they are and the number of devices that are infected.
The graph below shows the comparison between the average initial ransom demand of Makop ransomware and other common variants.
Makop typically targets small and medium-sized businesses but is still considered one of the most profitable ransomware variants due to the volume of attacks.
Proven Data is experienced in helping to negotiate for a lower ransom demand from the Makop ransomware.
Based on our internal data, it is likely that the Makop operators set their ransom demands according to the size and type of the victim's organization.
How to decrypt Makop ransomware
If your files have been locked by Makop ransomware, you will want to know which ransomware recovery options are available to decrypt your data.
Unlock Makop encrypted files
Makop's encryption cannot be broken by brute force, and there are currently no known flaws in the malware's implementation that could be used to recover files without the key.
Without usable backups, this leaves Makop victims with a single route to decryption: paying the ransom to obtain the decryption key and unlock their files.
As with many ransomware variants, we may be able to assist with restoring certain file types without paying the ransom. To find out more information, you can reach out to a Proven Data representative.
Makop Decrypter Instructions
The Makop decrypter is more complicated to use than most ransomware decrypters, because it requires additional steps before your files can be decrypted.
Here are the steps to run the Makop decrypter tool:
- Ensure the decrypter does not contain malicious code (a ransomware recovery company should be able to verify this for you), and run it only after the environment has been cleaned of the malware.
- Disable antivirus software, including Microsoft Defender, on the machine you will run the tool from; otherwise it will typically quarantine the decrypter. Re-enable it as soon as decryption is finished.
- The tool provided by the threat actors is a scanning tool. Connect all encrypted files to the system you will run it from, including mapping network shares and attaching external hard drives. This step is critical: the scanner must see every encrypted file to collect all of the public keys embedded in the files you want decrypted.
- Right click the decryption executable file and run as administrator.
- A dialog box will pop up. Click ‘Scan PC’ to begin the scan.
- The scan will begin and will start picking up encrypted files and public keys it finds. The status ‘Scanning disks…’ will appear in the Scan field and the location currently being scanned will show in the title bar.
- When the scan is finished the output in the Scan field is your public key.
- Save the key as a text file to a location of your choosing by clicking the ‘Save to File’ button and naming the file.
- Email the text file with the public key back to the threat actor.
- If they honor the agreement, they will send you back the private key needed to unlock your files. Copy the key to a safe place.
- Open the same scanning tool again as an administrator on the system you scanned from.
- For the decryption method, you have two options:
- Decrypt all: decrypts every drive letter accessible from the system. To decrypt all, leave the 'Decrypt path, leave empty to decrypt all mapped discs' field blank.
- Decrypt folder: decrypts only a folder of your choosing. To decrypt a single folder, click the '...' button in the main window and navigate to the folder you want to decrypt.
- By default, the 'Save encrypted files after restoration' box is unchecked. If you have not made a backup of the encrypted files and have enough free space on the system you are decrypting, tick the box so the encrypted originals are kept; a failed or partial decryption can then be retried instead of leaving you with corrupted files.
- Paste the private key into the text box, or use the 'Load from file' option to load it from a text file. Make sure you do not copy any leading or trailing spaces, as stray whitespace can cause the key to be rejected.
- Click ‘Decrypt’ to start decrypting.
- If the correct key was entered, decryption will commence. The decryption key field will be grayed out and the title bar will show the location currently being processed.
- When the process is finished, a dialog box will pop up indicating the decryption is complete and it also tells you how many files were decrypted.
This Makop decryption tool and private key is only available if the victim chooses to pay the ransom as a method to unlock their encrypted files.
How long does it take to recover from a Makop ransomware attack?
There are several factors which contribute to the time it takes to recover from a Makop attack. These include:
- Cleaning the environment from malware
- Securing vulnerabilities
- Negotiation time
- Compliance checks & making the ransom payment
- Decrypting the data
- Size of the network
- Number of files, file sizes & types
- Backing up and verifying the data
For a network with 1-3 servers and 10-15 workstations it takes approximately 1-3 business days to complete the full recovery process.
What attack vectors did Makop ransomware use?
Makop ransomware primarily gains access through exposed RDP services, either by brute-force and dictionary attacks against weak passwords or by using stolen credentials bought on dark web markets.
We’ve previously outlined some of the most common ransomware attack vectors exploited by ransomware attackers.
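Because the entry point is almost always RDP, the first thing to check during an investigation is the Security log for a password-guessing burst followed by a successful logon. The script below is an added example (not Proven Data's tooling) that runs that check over 4625/4624 events exported to a simple CSV layout (TimeCreated, EventID, LogonType, TargetUserName, IpAddress; these fields are in each event's EventData). The events it builds are constructed test data, not real log lines; the threshold and window are assumptions to tune for your environment.

```python
"""RDP brute-force triage over Security-log events (added example, not Proven Data's tooling).

Assumes failed (4625) and successful (4624) logons have been exported from the
Windows Security log into the CSV layout produced by build_sample_csv().
Logon type 10 is RemoteInteractive (RDP); type 3 (Network) is what an RDP
connection with Network Level Authentication records for the credential check.
The events built below are constructed, not real log data.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {10, 3}


def build_sample_csv():
    """Construct an export: one brute-force burst ending in a successful logon
    (TEST-NET-2 address), plus a staff member mistyping a password three times."""
    rows = ["TimeCreated,EventID,LogonType,TargetUserName,IpAddress"]
    t0 = datetime(2020, 11, 3, 2, 14, 5)
    guessed = ["administrator", "admin", "backup", "scan", "sysadmin"]
    for i in range(25):                                   # 25 failures in ~4.5 minutes
        t = t0 + timedelta(seconds=11 * i)
        rows.append(f"{t.isoformat()},4625,10,{guessed[i % len(guessed)]},198.51.100.23")
    t = t0 + timedelta(seconds=11 * 25 + 40)
    rows.append(f"{t.isoformat()},4624,10,administrator,198.51.100.23")  # password found
    for i in range(3):                                    # ordinary typos from a staff address
        t = t0 + timedelta(hours=6, minutes=i)
        rows.append(f"{t.isoformat()},4625,10,jsmith,10.20.0.15")
    rows.append(f"{(t0 + timedelta(hours=6, minutes=4)).isoformat()},4624,10,jsmith,10.20.0.15")
    return "\n".join(rows) + "\n"


def parse_events(text):
    """Turn the CSV export into a list of typed event dicts."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.fromisoformat(row["TimeCreated"]),
            "event_id": int(row["EventID"]),
            "logon_type": int(row["LogonType"]),
            "user": row["TargetUserName"],
            "ip": row["IpAddress"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=20, window=timedelta(minutes=10)):
    """Return {ip: finding} for source addresses with at least `threshold` RDP
    logon failures inside any `window`, noting any successful RDP logon from
    the same address on or after the first failure."""
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] in RDP_LOGON_TYPES and e["event_id"] in (4624, 4625):
            by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["event_id"] == 4625]
        peak, start = 0, 0                                 # sliding window over failures
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        first_fail = fails[0]["time"]
        successes = [(e["time"].isoformat(), e["user"]) for e in evs
                     if e["event_id"] == 4624 and e["time"] >= first_fail]
        findings[ip] = {
            "peak_failures": peak,
            "total_failures": len(fails),
            "users_tried": sorted({e["user"] for e in fails}),
            "success_after": successes,   # non-empty: treat that account as compromised
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(parse_events(build_sample_csv())).items():
        print(f"{ip}: {f['peak_failures']} failures in window, users {f['users_tried']}, "
              f"successful logons afterwards: {f['success_after']}")
```

A source address that shows up in the findings with a non-empty success_after entry tells you which account the attackers got in with; that account's password should be treated as burned and the address blocked at the firewall before the decrypter is run. Three failures from an internal address, as in the sample, are below the threshold and are not reported.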
Does Makop ransomware steal data?
Based on our internal forensic investigations and additional research, we have seen no evidence that Makop operators steal (exfiltrate) data from victim networks. However, since ransomware threat actors constantly change tactics, it is still critical to conduct a forensic investigation.
Preserving evidence from Makop ransomware
To determine what the attackers accessed or removed from your network, you will need a forensic investigation. If you are considering one, preserve the evidence as soon as possible.
Here are the steps to preserve the forensic evidence:
- Do not shut down the computer or server; powering off destroys volatile artifacts such as memory contents and active network connections
- Create a forensically sound image of the affected system, then take it offline
- Export firewall, VPN, and remote-access software logs, including RDP connection logs
- Document all information pertaining to the ransomware attack
Complete instructions on preserving ransomware evidence can be found as part of the ransomware forensics process.
Why choose Proven Data Makop ransomware recovery?
Businesses that suffer downtime from a ransomware attack need a proven, time-tested solution to resume operations. That’s why we provide 24/7 access to staff who have significant experience recovering from the Makop ransomware variant.
Our firm understanding of the Makop ransomware from our vast experience guides you to make informed decisions for your business. Understanding the attack vectors, threat actor profile, and negotiation expectations are essential to fully recover from the attack.
To meet compliance needs, we adopted a sanctions compliance program to ensure we are making ransom payments on behalf of our clients responsibly. At the service’s conclusion, we provide you with an incident and compliance report that can be used for insurance or law enforcement reporting purposes.
If you are looking for a transparent experience from a professional ransomware incident response company to help you move past your unfortunate Makop cyber incident, we are here to help.
Most frequent questions and answers
There are currently no publicly available Makop ransomware decryption tools to assist victims unlock their files.
If your files are encrypted by Makop, you may have to recover your data by:
- Recreating the data from scratch
- Restoring from backups
- Paying the ransom
No, it is currently not possible to decrypt Makop encrypted files without paying the ransom. However, there are some file types that can be repaired. You may ask a Proven Data representative about those file types.
Makop ransomware tends to have a high success rate of data restoration after paying the ransom and going through the decryption process.
Compared to other ransomware variants, the steps required to restore your data successfully from a Makop attack are a bit more complicated.
Here are some file types which may have problems decrypting or could require further troubleshooting:
- VHDX/VHD images
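The decrypter's completion dialog reports how many files it processed, not whether they came back intact, and VHD/VHDX images are exactly the files where a silent failure hurts most. The script below is an added example (not the threat actors' tool and not Proven Data's) that walks a decrypted tree and compares each file's header (or, for VHD, its footer) with the signature its extension implies, so still-encrypted or truncated files are listed for troubleshooting before the encrypted copies are discarded. The byte strings in SAMPLE_FILES are constructed test data; the signature table covers common types and is an assumption to extend for your environment.

```python
"""Post-decryption sanity check (added example, not the threat actors' tool or Proven Data's).

Compares each decrypted file's leading bytes (and, for .vhd, its footer) with
the signature its extension implies.  A 'mismatch' means the file is still
encrypted, truncated or corrupt and needs troubleshooting; 'ok' is necessary
but not sufficient (mount and check VHD/VHDX images afterwards).
SAMPLE_FILES holds constructed test data.
"""
import os
import sys
from collections import Counter
from pathlib import Path

# Signatures at offset 0.  VHDX begins with "vhdxfile"; a VHD's "conectix"
# cookie lives in the 512-byte footer (dynamic VHDs mirror it at offset 0 too),
# so .vhd is checked at both ends.
HEAD_MAGIC = {
    ".vhdx": (b"vhdxfile",),
    ".pdf": (b"%PDF",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
    ".7z": (b"7z\xbc\xaf\x27\x1c",),
}
FOOTER_MAGIC = {".vhd": (b"conectix",)}


def check_magic(name, head, tail=b""):
    """Classify one file from its name, first bytes and (optionally) last 512 bytes:
    'ok', 'mismatch' (header not what the extension implies) or 'unknown' (no rule)."""
    ext = Path(name).suffix.lower()
    if ext in FOOTER_MAGIC:
        sigs = FOOTER_MAGIC[ext]
        hit = any(tail.startswith(s) or head.startswith(s) for s in sigs)
        return "ok" if hit else "mismatch"
    if ext in HEAD_MAGIC:
        return "ok" if any(head.startswith(s) for s in HEAD_MAGIC[ext]) else "mismatch"
    return "unknown"


def verify_file(path):
    """Read only the head and the footer, so multi-GB images are checked quickly."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(16)
        fh.seek(max(0, size - 512))
        tail = fh.read(512)
    return check_magic(path, head, tail)


def verify_tree(root):
    """Return (status counts, list of mismatched paths) for every file under root."""
    counts, bad = Counter(), []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            status = verify_file(p)
            counts[status] += 1
            if status == "mismatch":
                bad.append(p)
    return counts, bad


SAMPLE_FILES = {   # constructed: name -> (head bytes, tail bytes)
    "disk01.vhdx": (b"vhdxfile" + b"\x00" * 8, b""),
    "legacy.vhd": (b"\x00" * 16, b"conectix" + b"\x00" * 504),
    "report.pdf": (b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n", b""),
    "still-encrypted.vhdx": (bytes(range(16)), bytes(range(200, 216))),  # decryption failed
    "notes.xyz": (b"hello", b""),
}


def verify_samples():
    return {name: check_magic(name, head, tail) for name, (head, tail) in SAMPLE_FILES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        counts, bad = verify_tree(sys.argv[1])
        print(dict(counts))
        for p in bad:
            print("CHECK:", p)
    else:
        for name, status in verify_samples().items():
            print(f"{status:8} {name}")
```

Run it with the decrypted root as its argument after the decrypter finishes; anything listed under CHECK should be retried from the encrypted copy (which is why keeping 'Save encrypted files after restoration' ticked matters) before you consider the recovery complete.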
Paying the ransom in exchange for the decryption key does not guarantee that a working decryption key will be delivered. However, using the threat intelligence we have gathered from previous Makop ransomware cases, we can assess the threat actor's past reputation and the risk of data corruption to help you make informed decisions.
In 2020 our records indicate that Makop delivered the decryption tool after the first ransom payment in 88.9% of cases. In the other 11.1%, the threat actors demanded a second payment after agreeing to an amount.