India Faces Makop Ransomware Attacks Exploiting Weak RDP, Outdated Systems, and GuLoader Distribution Techniques

A recent surge in Makop ransomware attacks has thrust India into the spotlight as one of the most heavily targeted countries worldwide. According to a new cybersecurity study, 55 % of recently identified victims of this ransomware strain are based in India, a striking trend that highlights persistent gaps in basic cyber hygiene among many local organisations. 

Makop Evolves, Exploiting RDP and Passwords

Makop is not a newly emergent threat: it belongs to the Phobos ransomware family, with the first detected samples dating back to around 2020.

What stands out, however, is that while the recent campaign continues earlier Makop activity, its malware distribution and execution tactics have changed sharply.

In earlier campaigns, attackers gained entry through poorly secured RDP services, using brute-force attacks against weak passwords to break into servers.

Makop Uses GuLoader, Exploits Weak Indian Systems

The notable feature of this campaign is the use of GuLoader, an advanced downloader that lets the attackers deliver the ransomware stealthily. This is the first time Makop has been distributed through a loader, which makes it harder to detect with traditional antivirus software.

According to experts, India is being targeted because of exposed RDP systems, weak password practices, outdated software, and the failure to adopt stronger security controls. Even more worrying is the attackers' use of bespoke tools to remove commonly deployed local antivirus products such as Quick Heal from compromised systems.

Once inside a network, the Makop operators do not only encrypt files: in many cases they combine several tools for lateral movement, credential theft, and privilege escalation, further weakening the compromised hosts before demanding a ransom.

How to Stay Safe

Internet security specialists emphasize that most of the weaknesses exploited by Makop can be closed with good basics:

  • Remote Access Security: Exposed RDP should be disabled or secured with VPN and robust passwords along with two-factor authentication (2FA).
  • Endpoint Security: A tool that hunts for malicious activity rather than just known patterns can help to catch loader-based attacks.
  • Reliable backups: Offline or immutable backups mean organizations can restore their data without having to pay a ransom.
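The RDP brute-force pattern described above (a burst of failed logons against an exposed RDP service, then a success from the same source) is one that defenders can spot in Windows Security logs before encryption starts. The following is an added example, not code from the article or from any vendor it mentions: a small Python sliding-window detector run over constructed sample events. The event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive) are standard Windows values; the sample records, IP addresses, usernames, window size, and failure threshold are assumptions made for the illustration.

```python
"""Detect RDP brute-force activity in Windows Security events.

Added example, not from the original article. Event IDs 4625/4624 and
logon type 10 are real Windows values; every record below is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, logon_type, source_ip, user).
# 203.0.113.7 hammers RDP and eventually succeeds; 198.51.100.4 is a user
# who mistyped a password twice; 10.0.0.5 is a network (type 3) logon, not RDP.
SAMPLE_EVENTS = [
    ("2024-01-10T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-01-10T02:00:09", 4625, 10, "203.0.113.7", "admin"),
    ("2024-01-10T02:00:17", 4625, 10, "203.0.113.7", "backup"),
    ("2024-01-10T02:00:25", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-01-10T02:01:02", 4625, 10, "198.51.100.4", "jsmith"),
    ("2024-01-10T02:00:33", 4625, 10, "203.0.113.7", "admin"),
    ("2024-01-10T02:00:41", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-01-10T02:02:10", 4624, 10, "203.0.113.7", "administrator"),
    ("2024-01-10T02:03:00", 4625, 3, "10.0.0.5", "svc"),
    ("2024-01-10T02:01:30", 4625, 10, "198.51.100.4", "jsmith"),
    ("2024-01-10T02:04:00", 4624, 10, "198.51.100.4", "jsmith"),
]

FAIL_THRESHOLD = 5            # assumed tuning value: failures per window
WINDOW = timedelta(minutes=5)  # assumed tuning value: sliding window length
RDP_LOGON_TYPE = 10            # Windows RemoteInteractive logon type


def parse_event(record):
    """Turn a constructed tuple into (datetime, event_id, logon_type, ip, user)."""
    ts, event_id, logon_type, ip, user = record
    return (datetime.fromisoformat(ts), event_id, logon_type, ip, user)


def detect_rdp_bruteforce(records, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts for sources exceeding `threshold` RDP failures in `window`,
    plus a second, higher-severity alert if such a source later logs on."""
    events = sorted((parse_event(r) for r in records), key=lambda e: e[0])
    failures = defaultdict(deque)  # source_ip -> timestamps of recent failures
    flagged = set()                # sources already alerted on
    alerts = []
    for ts, event_id, logon_type, ip, user in events:
        if logon_type != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive (RDP) logons matter here
        if event_id == 4625:
            recent = failures[ip]
            recent.append(ts)
            # Drop failures that have aged out of the sliding window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "type": "rdp_bruteforce",
                    "source_ip": ip,
                    "failures": len(recent),
                    "last_seen": ts.isoformat(),
                })
        elif event_id == 4624 and ip in flagged:
            # A success after a flagged burst is the signal that matters most:
            # the account is likely compromised and should be reset immediately.
            alerts.append({
                "type": "rdp_bruteforce_success",
                "source_ip": ip,
                "user": user,
                "time": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the detector raises one `rdp_bruteforce` alert for 203.0.113.7 at its fifth failure and one `rdp_bruteforce_success` alert when that address later logs on as `administrator`; the two failures from 198.51.100.4 and the non-RDP logon from 10.0.0.5 produce nothing. The same logic applies to events exported from a SIEM as long as the timestamp, event ID, logon type and source address fields are mapped onto the tuple layout used here.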
The emergence of Makop in India shows that, in a country where basic security best practices have not been adopted, there is money to be made from this malicious software.