Makop Ransomware Distributed As Copyright Violation Related Materials

The ASEC analysis team recently shared information about Makop ransomware being distributed disguised as job applications. This week, the team confirmed that the same ransomware is being distributed via e-mails carrying materials that claim to relate to copyright violation. Unlike the previous campaign, the compressed attachment uses the .dat extension instead of .zip, and the date the e-mail was sent is used as the archive password to evade e-mail attachment scanning.

The attachment contains an archive compressed with ALZip, which in turn holds the three files shown below.

Figure 1. Files inside the attachment

Among them, the file named original.jpg is a normal image file, while the other two are the same ransomware. Both ransomware files are disguised as the CCleaner installer, as shown below.

Figure 2. Properties of files

When the ransomware is run, it first deletes the volume shadow copies using the commands shown below, and then proceeds with encryption.

vssadmin delete shadows /all /quiet
wbadmin delete catalog -quiet
wmic shadowcopy delete
Execution commands

Also, so that it can encrypt files that are currently in use, such as open documents, the malware terminates any running process whose name matches the list below.

msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsrvc.exe, mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe
List of terminated processes

The folders, files, and extensions excluded from encryption are listed below. The usagoo and pecunia extensions are new additions to the exclusion list used by earlier variants.

boot.ini, bootfont.bin, ntldr, ntdetect.com, io.sys, readme-warning.txt, desktop.ini
Files excluded from encryption
Makop, CARLOS, shootlock, shootlock2, 1recoesufV8Sv6g, 1recocr8M4YJskJ7, btc, KJHslgjkjdfg, origami, tomas, RAGA, zbw, fireee, XXX, element, HELP, zes, lockbit, captcha, gunga, fair, SOS, Boss, moloch, vassago, usagoo, pecunia, exe, dll
Extensions excluded from encryption

Encrypted files are given the extension .[random 8 characters].[pecunia0318@airmail.cc].pecunia, and a ransom note named readme-warning.txt is created in each folder where files were encrypted.

Encrypted files
Ransom note
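As an added illustration that is not part of the original ASEC post, the following Python snippet turns two of the behaviours described above into defender-side logic: it flags the three shadow-copy deletion commands in process-creation log lines, and it parses file names that match the .[8 characters].[e-mail].pecunia naming pattern. The log lines are constructed, and the 8-character id is assumed to be any 8 non-bracket characters, since the post only calls it "random".

```python
import re

# Constructed sample process-creation log lines (not taken from the post).
SAMPLE_LOG = r"""
2021-03-18 10:02:11 host01 NewProcess: C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
2021-03-18 10:02:12 host01 NewProcess: C:\Windows\System32\wbadmin.exe delete catalog -quiet
2021-03-18 10:02:13 host01 NewProcess: C:\Windows\System32\wbem\WMIC.exe shadowcopy delete
2021-03-18 10:05:40 host01 NewProcess: C:\Windows\System32\notepad.exe readme-warning.txt
""".strip()

# The three shadow-copy destruction commands listed in the post, matched
# case-insensitively so that "WMIC.exe" and "wmic" are treated alike.
SHADOW_PATTERNS = {
    "vssadmin": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I),
    "wbadmin": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog\s+-quiet", re.I),
    "wmic": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
}

# Encrypted-file naming pattern: <original name>.[8 chars].[e-mail].pecunia
# The id character class is an assumption; the post only says "random 8 characters".
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.\[(?P<id>[^\[\]\s]{8})\]"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.pecunia$"
)


def find_shadow_deletion(log_text):
    """Return (line_number, tool) for every line carrying a shadow-copy deletion command."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for tool, pattern in SHADOW_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, tool))
                break
    return hits


def shadow_deletion_alert(log_text, min_tools=2):
    """Raise an alert only when at least min_tools distinct tools were used.

    A single vssadmin call can be legitimate backup housekeeping; the ransomware
    chains all three tools, so requiring several distinct tools cuts false positives.
    """
    return len({tool for _, tool in find_shadow_deletion(log_text)}) >= min_tools


def parse_encrypted_name(filename):
    """Split a Makop/pecunia-style file name into its parts, or return None."""
    match = ENCRYPTED_NAME.match(filename)
    return match.groupdict() if match else None
```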


This ransomware has been distributed repeatedly as fake job applications and as materials related to copyright violation. Users should therefore exercise extreme caution with such materials and refrain from opening attachments in e-mails from unknown senders.

AhnLab’s anti-malware software, V3, detects and blocks the malware using the aliases below.

[File Detection]
Ransomware/Win.MakopRansom.C4439397

[Behavior Detection]
Malware/MDP.Behavior.M3635

[IOC Info]
237d76f961f8f550c4c4bbfab30153a6
