Makop ransomware encrypts users' files with AES-256 and instructs victims to contact the attackers via Tox, a peer-to-peer instant-messaging protocol. The ransomware imports an AES-256 key that is used to decrypt many of its strings, including an RSA public key. The process creates a mutex named "m23071644" to ensure that only one instance runs at a time, and it spawns a new process that encrypts network shares. The Windows Product ID is read from the registry and used to generate a personal ID that also appears in the ransom note.

The ransomware deletes all volume shadow copies and terminates specific processes that could hold locks on the targeted file types. The operators are evidently aware of other ransomware families: files that may already have been encrypted by Shootlock, RAGA or origami are skipped.

Two new AES-256 keys are generated by the ransomware and used interchangeably to encrypt file contents. A new 16-byte initialization vector (IV) is generated and stored in the encrypted file, and the AES key used for encryption is itself encrypted with the RSA public key. Files therefore cannot be decrypted without the RSA private key that corresponds to the hard-coded public key. Although the operators claim to exfiltrate data from the network, we did not observe any network communication.
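As an added example (not code from the white paper or its authors), the following Python script triages constructed endpoint telemetry for two of the behaviours described above: creation of the "m23071644" mutex and deletion of volume shadow copies. The mutex name is taken from the summary; the shadow-copy deletion command lines (vssadmin, wmic) and the Key=Value event layout are assumptions, since the summary does not state which commands the malware runs.

```python
"""Triage constructed endpoint telemetry for behaviours attributed to Makop.

Added example for this page; not code from the white paper or its authors.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Indicator from the summary: the mutex Makop creates to enforce a single instance.
MAKOP_MUTEX = "m23071644"

# The summary says shadow copies are deleted but not how. These patterns cover the
# usual Windows tooling for it and are an assumption, not a Makop-specific indicator.
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
]

# Constructed sample events in a Sysmon-like Key=Value layout (not real telemetry).
# Pid 4120 both deletes shadow copies and creates the Makop mutex.
SAMPLE_EVENTS = [
    'ProcessCreate Pid=4120 Image=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin.exe Delete Shadows /All /Quiet"',
    'ProcessCreate Pid=4188 Image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'CommandLine="wmic shadowcopy delete"',
    'ProcessCreate Pid=2210 Image=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin.exe List Shadows"',
    'ProcessCreate Pid=3302 Image=C:\\Windows\\System32\\notepad.exe '
    'CommandLine="notepad.exe readme.txt"',
    'Mutex Pid=4120 Name=m23071644',
    'Mutex Pid=800 Name=Local\\AppSingleton',
]

# Key=Value pairs; values may be double-quoted so they can contain spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into its type plus a dict of its fields."""
    kind, _, rest = line.partition(" ")
    fields = {"Type": kind}
    for m in _KV.finditer(rest):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: str
    evidence: str


def triage(lines: List[str]) -> List[Finding]:
    """Return one Finding per event that matches a rule, in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        pid = ev.get("Pid", "?")
        if ev["Type"] == "Mutex" and ev.get("Name") == MAKOP_MUTEX:
            findings.append(Finding("makop_mutex", pid, ev["Name"]))
        elif ev["Type"] == "ProcessCreate":
            cmd = ev.get("CommandLine", "")
            if any(p.search(cmd) for p in SHADOW_COPY_DELETION):
                findings.append(Finding("shadow_copy_deletion", pid, cmd))
    return findings


def rules_by_pid(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Group rule hits per process; a PID that trips more than one rule is the
    strongest lead for containment."""
    grouped: Dict[str, Set[str]] = {}
    for f in findings:
        grouped.setdefault(f.pid, set()).add(f.rule)
    return grouped


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f.rule}] pid={f.pid} {f.evidence}")
    for pid, rules in rules_by_pid(hits).items():
        if len(rules) > 1:
            print(f"pid {pid} matched {sorted(rules)}: prioritise for containment")
```

Shadow-copy deletion on its own is a common but noisy signal (backup software and administrators also run these commands), so the script groups hits per process: a single PID that both creates the mutex and deletes shadow copies is a much stronger lead than either event alone.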
Download the Makop Ransomware White Paper to learn more: