India Becomes Ground Zero for Makop Ransomware: Acronis

A new Acronis Research study reveals that India now accounts for 55% of organisations hit by the Makop ransomware group, making it the most targeted country in the world for this Phobos-family strain. The data points to a worrying pattern: attackers are homing in on markets where basic cyber hygiene is weaker and reliance on legacy or local security tools is high, allowing them to achieve maximum impact with relatively low-effort attack chains.

Makop, first observed around 2020, has historically relied on manually driven campaigns focused on exposed Remote Desktop Protocol (RDP) services. In the latest wave, Acronis notes that Makop’s operators are evolving their playbook while still exploiting the same well-known gaps—weak passwords, unpatched systems and poorly secured remote access.

GuLoader Marks a Major Shift in Delivery

The most notable change in Makop’s recent campaigns is its use of GuLoader, a downloader trojan typically associated with simple information stealers rather than full-blown ransomware. This is the first documented case of Makop being delivered via GuLoader, allowing the threat actors to better obfuscate their activity, stage secondary payloads and evade signature-based detection earlier in the kill chain.

By inserting GuLoader as an additional layer, the attackers can dynamically pull Makop or other malware, making incident response and attribution harder for defenders. Acronis researchers warn that this shift shows even relatively “low-complexity” ransomware operators are rapidly adopting more sophisticated delivery mechanisms once confined to top-tier threat groups.

RDP, Weak Credentials and Old Vulnerabilities Still Doing the Damage

Despite the new tooling, Makop’s initial access path remains painfully familiar. The group continues to brute force or spray weak RDP credentials on exposed servers, often using automated tools to cycle through username and password combinations at scale. Once inside, operators follow a repeatable playbook: deploy network scanners, move laterally, escalate privileges using long-known Windows vulnerabilities, dump credentials with tools like Mimikatz, and only then launch the ransomware encryptor.

Critically, many of the privilege escalation exploits Makop uses are years old, and could be neutralised through routine patching and better configuration management. This blend of outdated vulnerabilities, default or reused passwords, and open RDP ports continues to offer attackers a low-cost, high-success route into Indian organisations. For CXOs, the message is stark: the biggest ransomware risk is not zero-days, but neglected basics.

Targeted AV Killers and Indian-Specific Evasion

The study highlights how Makop’s operators have customised their toolset specifically for the Indian market. Investigators found tailored uninstallers designed to remove Quick Heal, a widely used Indian antivirus product, alongside the abuse of legitimate tools like Process Hacker to terminate security processes and delete protective software.

Beyond AV-killers, Makop also leverages the “bring your own vulnerable driver” technique—loading known-bad kernel drivers to gain system-level privileges and tamper with endpoint detection and response tools. This combination of regional adaptation and driver-based tampering underscores that attackers are studying the Indian security stack closely and tuning their campaigns to neutralise the exact products organisations depend on.

What Indian Enterprises Need to Do Now

Acronis’ guidance for organisations is blunt but practical. First, secure all remote access with multi-factor authentication, restrict or disable public-facing RDP wherever possible and enforce strong, unique passwords to neutralise brute-force attacks. Second, treat patch management and configuration hardening as board-level priorities, especially for internet-facing servers and domain controllers that can be used as launchpads for lateral movement.

On the detection side, enterprises should ensure their endpoint security can identify downloader malware such as GuLoader and watch for tell-tale signs like unexpected driver installations, AV uninstall attempts and anomalous RDP activity. Regular security audits, backup testing and incident response drills are essential to reduce dwell time and recovery costs when—not if—a ransomware attempt lands. As Acronis researcher Ilia Dafchev notes, Makop’s evolution is a reminder that attackers will keep innovating as long as basic defences remain optional rather than non-negotiable.
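The detection signals the guidance lists (anomalous RDP logon activity, unexpected driver installations, and AV uninstall or process-killer activity) map cleanly onto a few Windows event types. The following is an added example, not code from Acronis or from the article, showing how a defender might run those three checks over event records. It assumes standard Windows event IDs (4625 failed logon with logon type 10 for RDP, 7045 service installed, 4688 process created), uses simplified field names rather than the exact XML field names of those events, and runs over constructed sample records; thresholds, the trusted driver directory, the product list and the tool name are illustrative assumptions.

```python
"""Toy detectors for the Makop indicators discussed above, run over constructed
Windows-event-like records. Field names (ts, id, src_ip, user, logon_type,
service, service_type, path, process, cmdline) are simplified stand-ins for
the real event fields; event IDs follow standard Windows conventions."""
from collections import defaultdict
from datetime import datetime, timedelta


def _spray_events():
    # Constructed: 12 failed RDP logons from one source, 12 different
    # usernames, 5 seconds apart -> the password-spray shape.
    base = datetime(2024, 1, 10, 2, 0, 0)
    return [{"ts": (base + timedelta(seconds=5 * i)).isoformat(), "id": 4625,
             "src_ip": "203.0.113.7", "user": f"user{i}", "logon_type": 10}
            for i in range(12)]


# Constructed sample events (not real telemetry); paths and names are made up.
EVENTS = _spray_events() + [
    # two ordinary failed RDP logons by one user from another address: benign
    {"ts": "2024-01-10T03:00:00", "id": 4625, "src_ip": "198.51.100.5", "user": "bob", "logon_type": 10},
    {"ts": "2024-01-10T03:00:30", "id": 4625, "src_ip": "198.51.100.5", "user": "bob", "logon_type": 10},
    # console (type 2) failure: not RDP, ignored by the spray detector
    {"ts": "2024-01-10T03:01:00", "id": 4625, "src_ip": "127.0.0.1", "user": "alice", "logon_type": 2},
    # kernel driver installed from a temp directory vs. from the driver store
    {"ts": "2024-01-10T04:00:00", "id": 7045, "service": "evildrv",
     "service_type": "kernel mode driver", "path": "C:\\Windows\\Temp\\x.sys"},
    {"ts": "2024-01-10T04:00:05", "id": 7045, "service": "GoodFilter",
     "service_type": "kernel mode driver", "path": "C:\\Windows\\System32\\drivers\\good.sys"},
    # process creations: a scripted AV uninstall, a process-killer tool, and noise
    {"ts": "2024-01-10T04:10:00", "id": 4688, "process": "cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Program Files\\Quick Heal\\uninstall.exe" /silent'},
    {"ts": "2024-01-10T04:11:00", "id": 4688, "process": "ProcessHacker.exe",
     "cmdline": "ProcessHacker.exe"},
    {"ts": "2024-01-10T04:12:00", "id": 4688, "process": "notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
]


def detect_rdp_spray(events, window=timedelta(minutes=5), min_failures=10, min_users=5):
    """Flag source IPs with many failed RDP (logon type 10) logons across many
    usernames inside one sliding window: the brute-force / spray pattern."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 10:
            by_src[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            in_win = [u for t, u in attempts[i:] if t - start <= window]
            if len(in_win) >= min_failures and len(set(in_win)) >= min_users:
                flagged[src] = {"failures": len(in_win), "users": len(set(in_win))}
                break  # one hit per source is enough
    return flagged


def detect_untrusted_drivers(events, trusted_dirs=(r"c:\windows\system32\drivers",)):
    """Flag kernel-driver service installs whose image lives outside the expected
    driver directory: the staging step of a bring-your-own-vulnerable-driver attack."""
    hits = []
    for e in events:
        if e["id"] == 7045 and e.get("service_type", "").lower() == "kernel mode driver":
            path = e["path"].lower()
            if not any(path.startswith(d) for d in trusted_dirs):
                hits.append(e["service"])
    return hits


def detect_av_tamper(events, av_names=("quick heal",), tamper_tools=("processhacker.exe",)):
    """Flag process creations that look like an AV uninstall (an 'uninstall' token
    plus a protected product name) or the launch of a known process-killer tool."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        cmd = e.get("cmdline", "").lower()
        proc = e.get("process", "").lower()
        if proc in tamper_tools:
            hits.append(("tamper_tool", proc))
        elif "uninstall" in cmd and any(name in cmd for name in av_names):
            hits.append(("av_uninstall", e["process"]))
    return hits


def run_all(events):
    """Run the three checks and return one summary dict for triage."""
    return {"rdp_spray": detect_rdp_spray(events),
            "untrusted_drivers": detect_untrusted_drivers(events),
            "av_tamper": detect_av_tamper(events)}


if __name__ == "__main__":
    for name, result in run_all(EVENTS).items():
        print(f"{name}: {result}")
```

The spray detector keys on logon type 10 so that console and service logon failures do not inflate the count, and it requires both volume and username diversity, which separates a spray from a single user mistyping a password. In practice the thresholds, the trusted driver locations and the protected-product list would come from the environment rather than being hard-coded.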
