Prevent undetectable malware and 0-day exploits with AppGuard!

Ransomware continues to evolve, and the Makop strain is a stark reminder of how attackers adapt to evade traditional security tools and exploit basic network weaknesses. A recent CybersecurityNews.com report describes how Makop operators combined brute-force Remote Desktop Protocol (RDP) attacks with privilege escalation and antivirus bypass tooling to infiltrate business networks.

How Makop Breaks In

Makop, first observed in 2020, is generally classified as an offshoot of the Phobos ransomware family. According to CybersecurityNews.com, recent campaigns blend simple but effective tactics with increasingly sophisticated methods. The attackers begin by targeting RDP servers exposed to the internet, using brute-force tools to guess weak or reused credentials. None of this requires an exploit: the countermeasures (no RDP reachable directly from the internet, Network Level Authentication, account lockout, and multi-factor authentication on remote access) are well established, which is precisely why the campaign's success says more about hygiene than about the malware.

Once access is gained, the attackers deploy a suite of tools to scan the network, steal credentials, escalate privileges, and disable security defenses. This includes network scanners, credential-dumping utilities, and tools that terminate endpoint detection and response (EDR) or antivirus software.

Makop’s operators have also incorporated GuLoader, a malware downloader used to deliver secondary payloads, indicating how even widespread threats are adopting more complex delivery mechanisms.

Security Evasion and Privilege Escalation

Traditional defenses are sidestepped at every step. Makop operators use a technique called "Bring Your Own Vulnerable Driver" (BYOVD): they load legitimate, validly signed but vulnerable drivers such as ThrottleStop.sys and hlpdrv.sys and abuse the flaws in them to perform privileged operations in kernel mode. Because the drivers carry valid signatures, driver signature enforcement lets them load; the attackers then use them to terminate EDR agents and antivirus products, which an ordinary user-mode process cannot kill, and move deeper into the system undetected.
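The intrusion chain described in the two sections above (brute-forced RDP credentials, then a known-abused signed driver loaded to kill EDR) leaves a recognisable trail in Windows Security and Sysmon logs, and it is worth seeing what a detector for it looks like. The following is an added example, not code from the article or from AppGuard/CHIPS: detection logic run over constructed sample events. The event field names, the IPs, user names and hostname, and the thresholds are assumptions for illustration; the driver names are only those the article mentions.

```python
"""Detection logic for the two early stages described above: RDP credential
brute force that ends in a successful logon, and the load of a known-abused
signed driver (BYOVD). Runs over constructed sample events, offline."""
from collections import defaultdict
from datetime import datetime, timedelta

# Driver file names the article reports being abused. A production detector
# should key on file hashes from a maintained list, since a name is trivial
# to change; names are used here only because they are what the page gives.
KNOWN_ABUSED_DRIVERS = {"throttlestop.sys", "hlpdrv.sys"}

# RDP logons are LogonType 10 (RemoteInteractive). With Network Level
# Authentication enabled, *failed* attempts are recorded as 4625 with
# LogonType 3, because CredSSP authenticates before the session exists,
# so a detector that only watches type 10 misses most brute-force noise.
RDP_FAILURE_TYPES = {3, 10}

# Constructed sample events (not real telemetry). Keys mirror the fields of
# Windows Security events 4625/4624 and Sysmon event 6 (DriverLoad); the
# IPs, user names and hostname are assumptions for illustration.
SAMPLE_EVENTS = [
    # Twelve failed RDP logons from one source in twelve seconds...
    *[{"time": f"2024-05-01T02:00:{s:02d}", "id": 4625, "ip": "203.0.113.7",
       "user": u, "logon_type": 3}
      for s, u in enumerate(["administrator", "admin", "backup", "scan",
                             "helpdesk", "administrator", "sqlsvc", "user1",
                             "admin1", "office", "administrator", "test"])],
    # ...followed by a successful interactive RDP logon from the same source.
    {"time": "2024-05-01T02:00:20", "id": 4624, "ip": "203.0.113.7",
     "user": "administrator", "logon_type": 10},
    # One mistyped password from an internal address: not brute force.
    {"time": "2024-05-01T02:03:00", "id": 4625, "ip": "192.0.2.20",
     "user": "jsmith", "logon_type": 10},
    {"time": "2024-05-01T02:03:10", "id": 4624, "ip": "192.0.2.20",
     "user": "jsmith", "logon_type": 10},
    # Sysmon DriverLoad events a few minutes after the foothold.
    {"time": "2024-05-01T02:12:00", "id": 6, "host": "FS01",
     "image": r"C:\Windows\Temp\ThrottleStop.sys", "signed": True},
    {"time": "2024-05-01T02:12:05", "id": 6, "host": "FS01",
     "image": r"C:\Windows\System32\drivers\tcpip.sys", "signed": True},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def max_in_window(times, window):
    """Largest number of timestamps that fit inside any interval of `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Map source IP -> account name for sources whose failed RDP logons reach
    `threshold` within `window`. The value is the account of a later successful
    RDP logon (4624, LogonType 10) from that source, or None if no success was
    seen; a non-None value is the high-priority case."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["logon_type"] in RDP_FAILURE_TYPES:
            failures[e["ip"]].append(_ts(e))
    hits = {}
    for ip, times in failures.items():
        if max_in_window(times, window) < threshold:
            continue
        first_failure = min(times)
        hits[ip] = next((e["user"] for e in events
                         if e["id"] == 4624 and e["ip"] == ip
                         and e["logon_type"] == 10 and _ts(e) > first_failure),
                        None)
    return hits


def detect_byovd_driver_loads(events, blocklist=KNOWN_ABUSED_DRIVERS):
    """Return (host, image) for DriverLoad events whose file name is on the
    blocklist. The signature status is deliberately not consulted: the point
    of BYOVD is that the driver is legitimately signed and loads cleanly."""
    hits = []
    for e in events:
        if e["id"] != 6:
            continue
        name = e["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in blocklist:
            hits.append((e["host"], e["image"]))
    return hits


if __name__ == "__main__":
    for ip, user in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        outcome = f"later logged on as {user}" if user else "no success seen"
        print(f"RDP brute force from {ip}: {outcome}")
    for host, image in detect_byovd_driver_loads(SAMPLE_EVENTS):
        print(f"Known-abused signed driver loaded on {host}: {image}")
```

The design point worth keeping is the pairing: a burst of 4625s on its own is internet background noise on any exposed RDP host, while a burst followed by a 4624 from the same source is a foothold; likewise a blocklisted driver appearing under a writable path such as a temp directory, rather than the system drivers directory, is the BYOVD signal even though the load itself succeeds without any error.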

Once defenders are disabled, attackers can steal credentials, escalate privileges, and deploy the ransomware payload. The result is often encrypted business data, operational disruption, and costly recovery efforts.

What makes this trend especially concerning is that the abused drivers and the weaknesses behind the initial access are old and well documented. Microsoft publishes a vulnerable driver blocklist (enforced through memory integrity/HVCI or a WDAC policy) that covers many such drivers, and exposed RDP with weak credentials is a problem with known fixes; both remain effective only because of poor hygiene in many environments.

Why Detect and Respond Isn’t Enough

Most traditional endpoint protection solutions rely heavily on detection: signatures, heuristics, and behavior analysis that try to identify and block known threats. But Makop’s success shows the limitations of that model:

  • Attackers enter via commonly enabled services like RDP.

  • They use publicly available tools rather than unique malware.

  • They disable detection tools before deploying ransomware.

  • They leverage legitimate artifacts to evade conventional controls.

This means that solutions focused on detecting and responding to threats often act too late. By the time an alert fires, the attackers may already have full control over systems and have started encryption.

The Case for Isolation and Containment

Instead of chasing the latest threat signatures or analyzing behavior after the fact, a fundamentally different approach is to stop unauthorized actions altogether. That is where AppGuard shines.

AppGuard has a 10-year track record of preventing breaches by enforcing strict isolation and containment of untrusted code. Rather than trying to guess what malware looks like, AppGuard stops risky behavior at its source:

  • Blocks unauthorized code execution

  • Prevents privilege escalation

  • Stops lateral movement

  • Protects critical processes from tampering

Because it stops malicious actions instead of merely detecting them, AppGuard prevents attacks before they unfold. This is especially important against tactics like BYOVD and EDR/AV bypass, which are designed to blind detect-and-respond tools.

With AppGuard, known and unknown threats are contained without requiring constant signature updates or extensive tuning. This approach dramatically reduces attack surfaces and ensures that even advanced threats like Makop fail to execute in the first place.

A Strategic Shift for Business Owners

The threat landscape clearly favors attackers who can exploit weak controls and blind spots in traditional defenses. Relying on “detect and respond” alone is no longer adequate for businesses seeking to protect data, operations, and reputation.

If you are responsible for cybersecurity in your organization, it is time to rethink your strategy. Isolation and containment are not optional—they are essential.

Talk with us at CHIPS about how AppGuard can prevent incidents like the Makop ransomware attacks and strengthen your defenses. Let’s move beyond chasing alerts and start stopping threats before they ever take hold. Contact us today to learn more and protect your business with a proven endpoint protection solution.
