
In January 2021, I was able to publish a threat research piece for Orpheus Cyber, detailing a campaign by the Makop Ransomware-as-a-Service strain targeting South Korean entities.
While this relatively unknown ransomware strain did not leverage significantly new or sophisticated TTPs, some of its capabilities were relatively uncommon. These include the following:
- Custom file extensions for affiliates: this specific campaign used the “.moloch” extension for encrypted files
- Leveraging the Windows Error Reporting service to communicate with command & control (C2) servers over HTTP
- Its targeting focused mainly on South Korean entities such as universities and manufacturers involved in defense R&D efforts, indicating a possible geopolitical dimension to the campaign.
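The two observable behaviours in the list above (an affiliate-specific extension on encrypted files, and Windows Error Reporting being used to reach C2 over HTTP) are the kind of thing a blue team would want to hunt for. The script below is an added example written for this page; it is not code from the original post or from the Orpheus report. It scans constructed Sysmon-style JSON events (FileCreate, event ID 11, and NetworkConnect, event ID 3) and flags hosts that write many ".moloch" files, plus WER processes that talk cleartext HTTP or reach non-Microsoft destinations. The WER binary names (WerFault.exe, wermgr.exe), the "legitimate WER endpoint" domain suffixes, the file-count threshold and the event field names are all assumptions, not facts from the page, and would need to be mapped to your own telemetry.

```python
"""
Added hunting example (not from the original post or the Orpheus report).

Flags the two Makop behaviours described on the page:
  1. files being written with an affiliate-specific extension (".moloch" here)
  2. Windows Error Reporting processes communicating with C2 over HTTP

Assumptions (not stated on the page): WER appears as WerFault.exe/wermgr.exe,
benign WER traffic goes to Microsoft domains over TCP/443, and events arrive
as newline-delimited JSON with the field names used below.
"""
import json
from collections import Counter
from pathlib import PureWindowsPath

WER_IMAGES = {"werfault.exe", "wermgr.exe"}            # assumed WER binaries
RANSOM_EXTENSIONS = {".moloch"}                          # extension from this campaign
LEGIT_WER_SUFFIXES = (".microsoft.com", ".windows.com")  # assumed benign WER endpoints
MIN_ENCRYPTED_FILES = 5                                  # hypothetical alert threshold

# Constructed sample log: one infected host (WS01) and one clean host (WS02).
# IPs are from the RFC 5737 documentation ranges.
_ENCRYPTOR = "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe"
_SAMPLE_EVENTS = [
    {"host": "WS01", "EventID": 11, "Image": _ENCRYPTOR,
     "TargetFilename": f"C:\\Users\\bob\\Documents\\report{i}.docx.moloch"}
    for i in range(6)
] + [
    {"host": "WS01", "EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\bob\\Desktop\\notes.txt"},
    {"host": "WS01", "EventID": 3, "Image": "C:\\Windows\\System32\\WerFault.exe",
     "DestinationHostname": "", "DestinationIp": "203.0.113.10",
     "DestinationPort": 80, "Protocol": "tcp"},
    {"host": "WS02", "EventID": 3, "Image": "C:\\Windows\\System32\\WerFault.exe",
     "DestinationHostname": "watson.telemetry.microsoft.com",
     "DestinationIp": "198.51.100.20", "DestinationPort": 443, "Protocol": "tcp"},
    {"host": "WS02", "EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\amy\\Desktop\\todo.txt"},
]
SAMPLE_LOG = "\n".join(json.dumps(ev) for ev in _SAMPLE_EVENTS)


def parse_events(log_text):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def image_name(path):
    """Lower-cased basename of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def is_encrypted_file(ev):
    """FileCreate event whose new name carries a known affiliate extension."""
    if ev.get("EventID") != 11:
        return False
    name = ev.get("TargetFilename", "").lower()
    return any(name.endswith(ext) for ext in RANSOM_EXTENSIONS)


def is_wer_c2_candidate(ev):
    """NetworkConnect from a WER binary that does not look like normal telemetry:
    cleartext HTTP (port 80) or a destination outside the assumed Microsoft domains."""
    if ev.get("EventID") != 3 or image_name(ev.get("Image", "")) not in WER_IMAGES:
        return False
    host = ev.get("DestinationHostname", "").lower()
    port = int(ev.get("DestinationPort", 0))
    return port == 80 or not host.endswith(LEGIT_WER_SUFFIXES)


def hunt(log_text):
    """Return hosts writing many affiliate-extension files and suspicious WER connections."""
    events = parse_events(log_text)
    per_host = Counter(ev["host"] for ev in events if is_encrypted_file(ev))
    encrypting_hosts = {h: n for h, n in per_host.items() if n >= MIN_ENCRYPTED_FILES}
    wer_c2 = [ev for ev in events if is_wer_c2_candidate(ev)]
    return {"encrypting_hosts": encrypting_hosts, "wer_c2": wer_c2}


if __name__ == "__main__":
    findings = hunt(SAMPLE_LOG)
    for host, count in findings["encrypting_hosts"].items():
        print(f"[!] {host}: {count} files written with a Makop affiliate extension")
    for ev in findings["wer_c2"]:
        dest = ev.get("DestinationHostname") or ev.get("DestinationIp")
        print(f"[!] {ev['host']}: {image_name(ev['Image'])} -> {dest}:{ev['DestinationPort']}")
```

On the constructed sample this reports WS01 twice: six ".moloch" files and a WerFault.exe connection to 203.0.113.10:80, while WS02's WER telemetry to a Microsoft domain over 443 is left alone. The file-extension rule is only useful once an affiliate's extension is known; the WER network rule is the more durable of the two, since a crash-reporting process has no business speaking plain HTTP to arbitrary hosts regardless of which ransomware family is behind it.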
You can read the full blog post on Orpheus’ website here:
