Makop Ransomware Distributed As Copyright Violation Related Materials
The ASEC analysis team recently shared information about Makop ransomware being distributed disguised as job applications. This week, the team confirmed that the ransomware is also being distributed via e-mails containing materials related to copyright violation. Unlike last time, the compressed file is attached with a .dat extension instead of .zip, and the date the e-mail was sent is used as the archive password to evade e-mail attachment scanning.
Inside the attachment there is an Alzip-compressed file, which contains the three files shown below.

Figure 1. Files inside the attachment
Among them, the file named original.jpg is a normal executable file, and the other two are the same ransomware. The files disguise themselves as the CCleaner installer, as shown below.

Figure 2. Properties of files
When the ransomware file is run, it deletes the volume shadow copies with the commands shown below and then proceeds with the encryption.
| vssadmin delete shadows /all /quiet |
| wbadmin delete catalog -quiet |
| wmic shadowcopy delete |
Execution commands
Also, so that files currently in use, such as open documents, can be encrypted, the malware terminates any running process whose name matches the list below.
| msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsrvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe |
List of terminated processes
The folders, files, and extensions that are not encrypted are as follows. The usagoo and pecunia extensions were added to the exclusion list of the earlier variant.
| boot.ini, bootfont.bin, ntldr, ntdetect.com, io.sys, readme-warning.txt, desktop.ini |
Files excluded from encryption
| Makop, CARLOS, shootlock, shootlock2, 1recoesufV8Sv6g, 1recocr8M4YJskJ7, btc, KJHslgjkjdfg, origami, tomas, RAGA, zbw, fireee, XXX, element, HELP, zes, lockbit, captcha, gunga, fair, SOS, Boss, moloch, vassago, usagoo, pecunia, exe, dll |
Extensions excluded from encryption
Encrypted files receive the extension .[random 8 characters].[pecunia0318@airmail.cc].pecunia, and a ransom note named readme-warning.txt is created in each encrypted folder.

Encrypted files

Ransom note
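To show how a defender could spot this activity in telemetry, the following Python script (an added example, not part of the ASEC post or AhnLab's tooling) flags the three shadow-copy deletion command lines and the .pecunia file naming pattern described above, run over constructed sample records. The log field layout is invented, and the 8-character block is assumed to be alphanumeric.

```python
import re

# The three deletion commands quoted in the post ("Execution commands").
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]

# Naming scheme from the post: name.ext.[8 random chars].[pecunia0318@airmail.cc].pecunia
# Assumption: the 8 random characters are alphanumeric.
ENCRYPTED_NAME = re.compile(r"\.\[[A-Za-z0-9]{8}\]\.\[pecunia0318@airmail\.cc\]\.pecunia$")
RANSOM_NOTE = "readme-warning.txt"


def is_shadow_copy_deletion(command_line: str) -> bool:
    """True if a process command line matches one of the three deletion commands."""
    return any(p.search(command_line) for p in SHADOW_DELETE_PATTERNS)


def is_makop_encrypted_name(path: str) -> bool:
    """True if a file name carries the double extension this variant appends."""
    return bool(ENCRYPTED_NAME.search(path))


def scan_process_log(lines):
    """Return (pid, cmdline) for matching records; records are 'pid|image|cmdline' (constructed layout)."""
    hits = []
    for line in lines:
        pid, _image, cmdline = line.rstrip("\n").split("|", 2)
        if is_shadow_copy_deletion(cmdline):
            hits.append((int(pid), cmdline))
    return hits


def scan_files(paths):
    """Return paths that look encrypted by this variant or that are its ransom note."""
    return [p for p in paths
            if is_makop_encrypted_name(p) or p.rsplit("\\", 1)[-1].lower() == RANSOM_NOTE]


# Constructed sample data (not taken from the post).
SAMPLE_PROCESS_LOG = [
    "1204|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet",
    "1210|C:\\Windows\\System32\\wbadmin.exe|wbadmin delete catalog -quiet",
    "1222|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "1300|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",  # benign, must not match
]
SAMPLE_FILES = [
    "C:\\Users\\user\\Documents\\report.docx.[a1b2c3d4].[pecunia0318@airmail.cc].pecunia",
    "C:\\Users\\user\\Documents\\readme-warning.txt",
    "C:\\Users\\user\\Documents\\budget.xlsx",
]
```

A benign `vssadmin list shadows` record is included so the check stays specific to deletion rather than any vssadmin use.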
This ransomware has been continually distributed as fake job applications and as materials related to copyright violation, so users should treat such materials with extreme caution and refrain from opening files attached to e-mails from unknown senders.
AhnLab’s anti-malware software, V3, detects and blocks the malware using the aliases below.
[File Detection]
Ransomware/Win.MakopRansom.C4439397
[Behavior Detection]
Malware/MDP.Behavior.M3635