Makop Ransomware targets India: What the new attack means and how to stay safe

Updated on 16-Dec-2025
HIGHLIGHTS

Makop ransomware targets India as attacks exploit weak RDP security

Makop ransomware explained, new delivery methods and Indian victim surge

How to stay safe from Makop ransomware targeting Indian businesses

India has become the focal point of a growing Makop ransomware campaign, with new research revealing that the country accounts for more than half of all known victims. The trend reflects a broader shift in how ransomware groups operate, prioritising regions where exposed remote access systems, weak cyber hygiene, and delayed security updates remain common. While Makop itself is not new, changes in its delivery methods and a clear focus on Indian organisations have raised fresh concerns about how easily familiar weaknesses continue to be exploited.


India emerges as the main target in a shifting ransomware campaign

According to Acronis Research, 55 percent of Makop ransomware victims identified in recent investigations were based in India. This concentration is not random. Attackers tend to target environments where they can gain access quickly and operate with minimal resistance, and many small and mid-sized Indian businesses still rely heavily on remote desktop access with limited security controls.

Makop first appeared around 2020 and is part of the Phobos ransomware family, which is known for targeted, hands-on attacks rather than mass email campaigns. Unlike ransomware groups that depend on phishing links or malicious attachments, Makop operators often break directly into systems, giving them greater control over the timing and scope of an attack.

What makes the current wave significant is the scale of activity in India combined with a visible evolution in tactics. Researchers have observed Makop adapting its methods to better evade detection and increase success rates, signalling that even established ransomware families continue to refine their operations when they find favourable conditions.

How Makop ransomware works and what makes it different now

Most Makop attacks begin with exposed Remote Desktop Protocol services. Attackers use automated tools to guess weak passwords or reuse credentials leaked from previous breaches. Once access is gained, the attackers typically scan the network, identify valuable systems, and steal credentials using widely available tools such as Mimikatz. They then move laterally across the network, disable security products, and finally deploy the ransomware to encrypt data.
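The attack chain above begins with password guessing against an exposed RDP service, which leaves a very recognisable trace in the Windows Security log: a burst of failed logons (event ID 4625) from one source address, followed by a successful logon (event ID 4624), both with logon type 10 (RemoteInteractive, the type RDP sessions use). The script below is an added example, not code from the article or from Acronis Research, showing how a defender can flag that pattern. The event IDs and logon type are real Windows values; the sample records, IP addresses, account names, and the thresholds (five failures in ten minutes) are constructed for illustration.

```python
"""
Flag RDP password guessing in Windows Security logon events.

Added example (not from the article or Acronis): scans a list of
logon records for a burst of failed logons (4625) from one source
address, and raises a high-severity alert if that burst is followed
by a successful logon (4624) from the same source. Only logon type 10
(RemoteInteractive, i.e. RDP) is considered. All sample data and the
thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

FAILED_LOGON = 4625        # Windows Security: an account failed to log on
SUCCESS_LOGON = 4624       # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = 10        # RemoteInteractive (Terminal Services / RDP)


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    event_id: int
    logon_type: int
    source_ip: str
    account: str


@dataclass
class Alert:
    severity: str            # "high" = guessing ended in a success, "medium" = guessing only
    source_ip: str
    failures: int
    accounts_tried: List[str]
    success_account: Optional[str]
    at: datetime


def detect_rdp_bruteforce(events, failure_threshold=5, window=timedelta(minutes=10)):
    """Return one Alert per source address whose RDP logon failures exceed
    failure_threshold within `window`; severity is "high" when a successful
    RDP logon from that source follows the burst, "medium" otherwise."""
    alerts = []
    failures = defaultdict(list)   # source_ip -> [(time, account), ...]
    for ev in sorted(events, key=lambda e: e.time):
        if ev.logon_type != RDP_LOGON_TYPE:
            continue               # console, network, service logons are out of scope here
        if ev.event_id == FAILED_LOGON:
            failures[ev.source_ip].append((ev.time, ev.account))
        elif ev.event_id == SUCCESS_LOGON:
            recent = [f for f in failures[ev.source_ip] if ev.time - f[0] <= window]
            if len(recent) >= failure_threshold:
                alerts.append(Alert("high", ev.source_ip, len(recent),
                                    sorted({a for _, a in recent}), ev.account, ev.time))
            failures[ev.source_ip].clear()   # a success closes the current burst
    # Sources that kept guessing but never got in still deserve attention.
    for ip, fl in failures.items():
        if not fl:
            continue
        last = fl[-1][0]
        recent = [f for f in fl if last - f[0] <= window]
        if len(recent) >= failure_threshold:
            alerts.append(Alert("medium", ip, len(recent),
                                sorted({a for _, a in recent}), None, last))
    return alerts


# Constructed sample log: timestamps, addresses (RFC 5737 ranges) and accounts are made up.
T0 = datetime(2025, 12, 1, 2, 0, 0)


def _ev(minutes, event_id, source_ip, account, logon_type=RDP_LOGON_TYPE):
    return LogonEvent(T0 + timedelta(minutes=minutes), event_id, logon_type, source_ip, account)


SAMPLE_EVENTS = [
    # One address cycles through common account names, then succeeds as "administrator".
    _ev(0, FAILED_LOGON, "203.0.113.10", "admin"),
    _ev(1, FAILED_LOGON, "203.0.113.10", "administrator"),
    _ev(2, FAILED_LOGON, "203.0.113.10", "backup"),
    _ev(3, FAILED_LOGON, "203.0.113.10", "administrator"),
    _ev(4, FAILED_LOGON, "203.0.113.10", "sqlservice"),
    _ev(5, FAILED_LOGON, "203.0.113.10", "administrator"),
    _ev(7, SUCCESS_LOGON, "203.0.113.10", "administrator"),
    # A user mistypes once and then logs in: below threshold, no alert.
    _ev(9, FAILED_LOGON, "198.51.100.7", "priya.s"),
    _ev(10, SUCCESS_LOGON, "198.51.100.7", "priya.s"),
    # Guessing that has not (yet) succeeded: medium-severity alert.
    _ev(12, FAILED_LOGON, "203.0.113.22", "admin"),
    _ev(13, FAILED_LOGON, "203.0.113.22", "administrator"),
    _ev(14, FAILED_LOGON, "203.0.113.22", "guest"),
    _ev(15, FAILED_LOGON, "203.0.113.22", "test"),
    _ev(16, FAILED_LOGON, "203.0.113.22", "admin"),
    # A local console failure (logon type 2) is ignored by this rule.
    _ev(17, FAILED_LOGON, "127.0.0.1", "admin", logon_type=2),
]


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.source_ip}: {a.failures} RDP failures, "
              f"accounts tried {a.accounts_tried}, success as {a.success_account} at {a.at}")
```

On a real host the same records come from the Security log (for instance via `Get-WinEvent` filtered on IDs 4624 and 4625, reading the logon type and source address fields), and the thresholds should be tuned to the environment's normal failure rate; the point is that a success immediately after a burst of failures from one address is the moment to investigate, before credential theft and lateral movement begin.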


The key difference in the latest campaign is the use of Guloader, a loader malware that has now been linked to Makop for the first time. Loaders act as a stealthy middle step between the initial breach and the ransomware itself. Instead of immediately dropping the final payload, Guloader operates quietly, often in memory, and downloads additional components only after the attackers are confident they have control.

This approach makes detection more difficult and gives defenders less time to react. Researchers also found that attackers had built custom uninstallers designed to remove Indian antivirus products such as Quick Heal. In addition, they exploited legitimate administrative tools and old but still effective Windows vulnerabilities to escalate privileges. Many of these flaws have been known and patched for years, underscoring how outdated systems remain a major risk factor.

How to stay safe from Makop attacks

Makop’s success highlights how ransomware continues to thrive on basic security lapses. The first step to staying safe is securing remote access. RDP services should not be exposed directly to the internet wherever possible. If remote access is essential, it should be protected with strong, unique passwords and multi-factor authentication. Restricting access through a VPN can significantly reduce the attack surface.

Regular patching is another critical defence. Keeping operating systems, servers, and applications up to date closes the vulnerabilities that attackers rely on for privilege escalation. Organisations should also routinely audit which services are publicly accessible and disable those that are unnecessary.

Endpoint security tools should be capable of detecting suspicious behaviour, not just known malware signatures. Since Makop now uses loader malware, behavioural detection becomes increasingly important. Regular security audits and basic staff awareness around password hygiene can further reduce risk.

Finally, reliable backups remain essential. Offline or immutable backups ensure that data can be restored without paying a ransom, even if an attack succeeds. Makop’s rise in India is a reminder that ransomware does not always depend on advanced exploits. In many cases, fixing the fundamentals is still the most effective protection.


Vyom Ramani

A journalist with a soft spot for tech, games, and things that go beep. While waiting for a delayed metro or rebooting his brain, you’ll find him solving Rubik’s Cubes, bingeing F1, or hunting for the next great snack.
