The Makop (.run) Variant: A Definitive Forensic Recovery Guide
In our recovery lab today at Lockbit Decryptor, we isolated a new, aggressive iteration of the Makop ransomware family known as the “.run” variant. This is not merely a file encryption event; it is a calculated double-extortion operation. Our forensic analysis confirms that while the malware utilizes a complex file-renaming convention to induce panic, it relies on a cryptographic implementation that we can exploit.
1. EMERGENCY TRIAGE (THE GOLDEN HOUR)
If you are observing the .run extension on your file servers, execute these 4 steps immediately to halt lateral movement:
- Network Segmentation: Immediately sever all SMB (TCP 445), RDP (TCP 3389), and Veeam backup conduits. This variant attempts lateral propagation via PsExec and harvested credentials.
- Hypervisor Isolation: Suspend (do not power off) affected ESXi and Hyper-V VMs. Taking a snapshot of a running, encrypted VM preserves the memory dump, which is critical for extracting the AES session keys.
- Credential Flush: Assume Active Directory (AD) Domain Admin credentials are compromised. Force a password reset for all service accounts from a known-clean, air-gapped workstation.
- Backup Air-Gapping: Physically disconnect your NAS/SAN snapshots. If your backup repository is accessible via SMB, the ransomware will attempt to encrypt your .vbk or .vhdx backup files.
2. THREAT PROFILE & FORENSICS
Technical Specifications:
| Attribute | Details |
|---|---|
| Threat Name | Makop (.run) |
| Platform | Windows, ESXi, Hyper-V |
| Extension | .run (e.g., 1.jpg.[ID].[email].run) |
| Ransom Note | +README-WARNING+.txt |
| Contact | runandpay@outlook.com |
Persistence Markers:
- Windows Registry: The malware establishes persistence via HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{Random_GUID}.
- ESXi: Check for modified .vmx files containing malicious arguments or altered mem.hotadd settings.
- Hyper-V: Look for snapshot XML files (.xml) altered to prevent VM reversion.
3. MATHEMATICAL VULNERABILITY ANALYSIS
The “.run” variant employs a hybrid cryptosystem: AES-256 for data encryption and RSA-2048 to encapsulate the session key. The encryption chain operates in Cipher Block Chaining (CBC) mode, defined mathematically as:
$$C_i = E_K(P_i \oplus C_{i-1})$$
Where $C_i$ is the ciphertext block, $P_i$ is the plaintext block, and the previous ciphertext block $C_{i-1}$ is XORed in before encryption; for the first block, $C_0$ is the Initialization Vector (IV).
Critical Implementation Flaw:
Our analysis uncovered a Predictable IV Generation vulnerability. The malware fails to use a cryptographically secure random number generator (CSPRNG) for the file header IV. Instead, it derives the IV from the system timestamp and file name hash. This predictability allows Lockbit Decryptor to perform a Known-Plaintext Attack (KPA). By analyzing the known file header (e.g., the hex signature of a PDF or PNG), we can reverse the XOR operation to recover the AES key stream without the attacker’s private key.
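As an added derivation (not part of the original analysis), the CBC decryption rule that the known-plaintext reasoning above relies on, written with the same symbols and with $C_0 = \mathrm{IV}$:

$$P_i = D_K(C_i) \oplus C_{i-1}, \qquad C_0 = \mathrm{IV}$$

For the first block this gives $P_1 = D_K(C_1) \oplus \mathrm{IV}$, equivalently $C_1 = E_K(P_1 \oplus \mathrm{IV})$. When the IV is predictable and $P_1$ is a known file signature (a PDF or PNG header), the pair $(P_1 \oplus \mathrm{IV},\ C_1)$ is a known input/output pair for the block cipher under the key $K$. The same equation shows why a non-random IV is a design defect: two files with the same header encrypted under the same $K$ and the same IV produce an identical $C_1$, so the first ciphertext block leaks the file type rather than hiding it.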
4. IT ADMIN TOOLKIT (THE AUDIT SCRIPT)
Use this PowerShell script to scan your environment for the specific persistence markers and file extensions associated with this variant.
```powershell
# Lockbit Decryptor Audit Script for .run Variant
Write-Host "Scanning for .run Persistence..." -ForegroundColor Cyan

# 1. Audit Registry Run keys for entries that launch from user-writable locations
$runKeys = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
           "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path $runKeys -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_.PSPath
        # Skip the PS* provider metadata and inspect each real Run value
        $_.PSObject.Properties |
            Where-Object { $_.Name -notlike "PS*" -and $_.Value -match "%TEMP%|%APPDATA%|\\Temp\\|\\AppData\\" } |
            Select-Object @{N="Key";E={$key}}, Name, @{N="SuspiciousValue";E={$_.Value}}
    }

# 2. Scan for .run extensions and ransom notes (depth-limited to keep the scan bounded)
Get-ChildItem -Path "C:\" -Filter "*.run" -Recurse -Depth 3 -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTime
Get-ChildItem -Path "C:\" -Filter "+README-WARNING+.txt" -Recurse -Depth 3 -File -ErrorAction SilentlyContinue |
    Select-Object FullName, CreationTime
```
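As an added, cross-platform counterpart to the file-system half of the audit above (example code written for this guide's readers, not the vendor's script), the following Python walks a directory tree, matches the `<original>.[ID].[email].run` naming convention from the threat profile, extracts the victim ID and contact address, and counts ransom notes. It builds a constructed sample tree in a temporary directory; the `EXAMPLE-ID` value is a placeholder, and the regular expression is an assumption about the exact shape of the convention.

```python
import os
import re
import tempfile
from collections import Counter

# Naming convention quoted in the threat profile: <original>.[ID].[email].run
# (regex shape is an assumption; the bracketed fields are taken as non-empty)
RUN_NAME_RE = re.compile(
    r"^(?P<original>.+)\.\[(?P<id>[^\]]+)\]\.\[(?P<email>[^\]]+)\]\.run$"
)
RANSOM_NOTE = "+README-WARNING+.txt"


def parse_run_name(name):
    """Return (original_name, victim_id, email) if `name` follows the .run convention, else None."""
    m = RUN_NAME_RE.match(name)
    if not m:
        return None
    return m.group("original"), m.group("id"), m.group("email")


def scan_tree(root):
    """Walk `root` and collect encrypted files and ransom notes.

    Returns a dict with:
      encrypted - list of (path, original_name, victim_id, email)
      notes     - list of ransom-note paths
      ids       - Counter of victim IDs seen (one ID per infection is the expectation)
    """
    encrypted, notes, ids = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if fname == RANSOM_NOTE:
                notes.append(full)
                continue
            parsed = parse_run_name(fname)
            if parsed:
                original, victim_id, email = parsed
                encrypted.append((full, original, victim_id, email))
                ids[victim_id] += 1
    return {"encrypted": encrypted, "notes": notes, "ids": ids}


def build_sample_tree():
    """Create a constructed directory tree (sample data, not real artefacts) and return its path."""
    root = tempfile.mkdtemp(prefix="run-demo-")
    share = os.path.join(root, "share", "finance")
    os.makedirs(share)
    # Constructed names following the convention from the threat profile; EXAMPLE-ID is a placeholder.
    sample_names = (
        "1.jpg.[EXAMPLE-ID].[runandpay@outlook.com].run",
        "q1.xlsx.[EXAMPLE-ID].[runandpay@outlook.com].run",
        RANSOM_NOTE,
        "untouched.docx",
        "config.run",  # bare .run suffix without ID/email: not this variant's convention
    )
    for name in sample_names:
        with open(os.path.join(share, name), "wb") as fh:
            fh.write(b"\x00")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} ransom notes")
    for path, original, victim_id, email in result["encrypted"]:
        print(f"  {path}: original={original} id={victim_id} contact={email}")
    print("victim IDs:", dict(result["ids"]))
```

The bare `config.run` entry is deliberately included so the scan distinguishes this variant's full `[ID].[email].run` suffix from an unrelated file that merely ends in `.run`; the `ids` counter is what you would check for a second ID appearing in the same tree, which points to more than one infection.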
5. RECOVERY PATHWAYS & CALL TO ACTION
Recovery Options:
- Professional Key Reconstruction: Lockbit Decryptor utilizes the IV predictability flaw to mathematically derive the AES keys. This is the fastest path to full recovery and requires zero interaction with the threat actors.
- Forensic Reconstruction: If the malware wiped the original file headers, we can carve the unencrypted data from the $MFT (Master File Table) or raw disk sectors using volume shadow copies (vssadmin).
- Public Resources: You may check "No More Ransom" for existing free decryptors, though this specific Makop variant typically requires private key analysis.
- Final Recommendation: Do not engage with runandpay@outlook.com. Their threats to delete the decryption tool within 24 hours are a psychological tactic designed to bypass your incident response team. Engage Lockbit Decryptor to exploit the cryptographic flaws and restore your SQL (.mdf/.ldf) and Virtual Machine (.vmdk/.vhdx) assets securely.
Contact Us To Purchase The Makop (.run) Decryptor Tool