India has found itself at the epicenter of a growing wave of ransomware activity, as new findings from Acronis Research reveal that more than 55% of victims in recent Makop ransomware operations are based in the country. The data highlights a worrying trend — attackers are zeroing in on regions with weaker cybersecurity hygiene and easily exploitable software ecosystems.
A shift in Makop’s playbook
The Makop ransomware, first identified in 2020 and related to the notorious Phobos family, has evolved significantly over the past year. The latest Acronis study notes a major operational shift: Makop is now being delivered through Guloader, a type of loader malware previously seen in credential-stealing or low-grade infostealer campaigns.
By using Guloader as a delivery mechanism, attackers can obfuscate their activities and evade traditional antivirus tools, making detection far more difficult. According to Ilia Dafchev, Senior Security Researcher at Acronis, this change marks an escalation in attack sophistication:
“Makop isn’t new, but it’s evolving in ways that enterprise defenses can no longer afford to overlook. Using Guloader to deploy ransomware significantly increases its stealth, allowing even less skilled threat actors to carry out more complex operations.”
Why India is in the crosshairs
The disproportionate targeting of Indian businesses stems from several factors. Acronis researchers observed that Makop operators have custom-built uninstallers designed to remove popular Indian antivirus programs, including Quick Heal. Attackers also exploit legacy Windows vulnerabilities and rely on brute-force attacks through Remote Desktop Protocol (RDP) — a common remote-access method often found inadequately secured.
The report suggests that India’s rapid digital expansion, combined with uneven cybersecurity maturity among small and medium businesses (SMBs), has made it fertile ground for such campaigns. Attackers are deliberately searching for environments where they can exploit weak passwords, outdated systems, and exposed RDP services.
Simple mistakes, high stakes
Makop’s success underscores a hard truth: cybercriminals often thrive on exploiting basic, avoidable security lapses. Once attackers gain RDP access, they typically deploy tools like Mimikatz to harvest credentials and network scanners to map systems before disabling defenses and encrypting critical data.
Acronis researchers warn that defenses crumble faster when organizations fail to maintain proper hygiene, such as patching old vulnerabilities or deploying multi-factor authentication (MFA).
Recommendations to reduce risk
To counter this growing threat, Acronis recommends that organizations:
- Enforce multi-factor authentication (MFA) for all remote access systems.
- Patch software and firmware regularly, especially known Windows vulnerabilities.
- Restrict public RDP access and use VPNs for remote work.
- Deploy endpoint protection with behavioral detection capable of recognizing loaders like Guloader.
- Strengthen password hygiene, incorporate monitoring for suspicious logins, and conduct routine security audits.
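The "monitoring for suspicious logins" item above, applied to the RDP brute-force step the report describes, as an added example that is not from the Acronis report or any Acronis product. Windows Security event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real values; the event records, the threshold and the window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, logon_type, account, source_ip).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2024-05-01T02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2024-05-01T02:00:09", 4625, 10, "administrator", "203.0.113.7"),
    ("2024-05-01T02:00:17", 4625, 10, "admin", "203.0.113.7"),
    ("2024-05-01T02:00:25", 4625, 10, "admin", "203.0.113.7"),
    ("2024-05-01T02:00:33", 4625, 10, "backup", "203.0.113.7"),
    ("2024-05-01T02:00:41", 4625, 10, "backup", "203.0.113.7"),
    ("2024-05-01T02:01:30", 4624, 10, "backup", "203.0.113.7"),     # guessing succeeded
    ("2024-05-01T02:10:00", 4625, 10, "svc_sql", "198.51.100.22"),  # isolated mistyped password
    ("2024-05-01T02:45:00", 4625, 10, "svc_sql", "198.51.100.22"),
    ("2024-05-01T03:00:00", 4624, 2, "alice", "192.0.2.10"),        # console logon, not RDP
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for every IP whose RDP logon failures reach
    `threshold` inside any `window`. If a successful RDP logon from the same IP
    follows the burst, record the account: that credential is likely compromised
    and the session should be treated as an intruder's foothold."""
    by_ip = defaultdict(list)
    for ts, eid, ltype, acct, ip in sorted(events):
        if ltype == 10 and eid in (4624, 4625):      # RDP logon attempts only
            by_ip[ip].append((datetime.fromisoformat(ts), eid, acct))
    alerts = {}
    for ip, recs in by_ip.items():
        failures = [(t, a) for t, e, a in recs if e == 4625]
        start = 0
        for end in range(len(failures)):
            # Sliding window: drop failures older than `window` relative to this one.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failures[end][0]
                alerts[ip] = {
                    "failures": end - start + 1,
                    "accounts": sorted({a for _, a in failures[start:end + 1]}),
                    "compromised_account": next(
                        (a for t, e, a in recs if e == 4624 and t >= burst_end), None),
                }
    return alerts

if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT {ip}: {alert}")
```

A success recorded after a burst is the high-priority case: it is the point at which the credential harvesting and network scanning described above can begin, so the account should be disabled and the host isolated rather than merely rate-limited.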
“These attacks remind us that the most effective defenses are often the simplest ones,” Dafchev added. “Routine patching and credential management can drastically reduce exposure to threats that continue to evolve in complexity.”
The bigger picture
The Acronis findings mirror a larger trend in global ransomware operations, where attackers are combining old vulnerabilities with new delivery mechanisms to maximize reach and minimize detection. For India’s SMB community, the wake-up call is clear: cyber hygiene is no longer optional.
With the country accounting for over half of Makop’s known victims, this research underscores an urgent need for enhanced security awareness, stronger endpoint protection, and stricter remote access management across industry sectors.
