The Evolution of Embargo Ransomware Group: A Closer Look at their Customized Rust-Based Tools
Embargo ransomware group has been making headlines recently for their innovative approach to cyber attacks. According to ESET researchers, the group has been deploying customized Rust-based tooling to bypass cybersecurity defenses and target US companies.
In July 2024, a new toolkit developed by Embargo was discovered during ransomware incidents. The toolkit consisted of a loader called MDeployer and an EDR killer named MS4Killer. What sets MS4Killer apart is its custom compilation for each victim’s environment, specifically targeting selected security solutions to ensure maximum impact.
What’s interesting is that all three tools – MDeployer, MS4Killer, and Embargo’s ransomware payload – are written in Rust. Using one language across the whole toolkit suggests a deliberate choice by the group’s developers to build their tools for efficiency and effectiveness.
Embargo Gang: A Formidable Adversary
The Embargo gang first emerged in June 2024 and has quickly established itself as a well-resourced operator in the cybercriminal landscape. Known for their double-extortion tactics, the group not only encrypts victims’ data but also threatens to leak it on a public site to add to the pressure.
ESET believes that Embargo operates as a ransomware-as-a-service provider, indicating a sophisticated business model behind their malicious activities. The group’s ability to adapt rapidly during attacks has also been noted, showcasing their agility and resilience in the face of security defenses.
According to ESET researchers, “The main purpose of the Embargo toolkit is to secure the successful deployment of the ransomware payload by disabling the security solutions in the victim’s infrastructure.” In other words, the loader and EDR killer exist to clear defenses out of the way so that the encryption stage runs without interference.
MDeployer Loader: Facilitating Ransomware Execution
MDeployer plays a crucial role in the Embargo toolkit, acting as the main loader deployed on victims’ machines within the compromised network. Its primary function is to facilitate the execution of the ransomware and ensure seamless file encryption.
MDeployer decrypts the encrypted payload files dropped by an earlier stage, then executes both MS4Killer and the Embargo ransomware, orchestrating the encryption process. Once the system is encrypted, MDeployer cleans up after itself, deleting the files it no longer needs and rebooting the system to finalize the attack.
One unique feature of MDeployer is its ability to reboot the victim’s system into Safe Mode. Because Safe Mode starts only a minimal set of drivers and services, selected security solutions never load, which lets the attackers operate with far less chance of detection. For defenders, an unexpected Safe Mode reboot on a server is therefore worth treating as a signal in its own right.
MS4Killer: The Ultimate Evasion Tool
MS4Killer is a defense evasion tool developed by Embargo that uses the bring your own vulnerable driver (BYOVD) technique to terminate security product processes. The vulnerable driver is embedded in the MS4Killer binary itself (stored in a global variable), and exploiting it lets MS4Killer shut down security products from kernel level, where user-mode self-protection cannot stop it.
Embargo has extended MS4Killer in two ways: it runs in a continuous loop, constantly scanning for processes to terminate, and it carries a hardcoded list of target process names in the binary so no lookup is needed at run time. Once the security tools are disabled, Embargo affiliates can execute the ransomware payload with little risk of detection.
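Viewed from the defender’s side, the chain described above (a forced Safe Mode reboot, a driver loaded from an unusual location, and a process that keeps killing security tools) can be hunted for in endpoint telemetry. The following is an added illustration, not code from ESET or from the Embargo toolkit: the event schema, the file names, the security-product watchlist and the telemetry lines are all constructed, and the Safe Mode check assumes the reboot is configured through bcdedit’s safeboot setting, which the report does not state is MDeployer’s method.

```python
from collections import defaultdict

WATCHLIST = {"edr_agent.exe", "av_service.exe"}   # constructed security-product names
DRIVER_DIR = r"c:\windows\system32\drivers"        # where legitimate drivers usually live

# Constructed telemetry: process starts, kernel driver loads, process terminations.
EVENTS = [
    {"kind": "proc_start", "ts": 10, "actor": "loader.exe",
     "cmdline": "bcdedit /set {current} safeboot minimal"},
    {"kind": "driver_load", "ts": 12, "actor": "killer.exe",
     "image": r"c:\users\public\drv.sys"},
    {"kind": "proc_kill", "ts": 13, "actor": "killer.exe", "target": "edr_agent.exe"},
    {"kind": "proc_kill", "ts": 14, "actor": "killer.exe", "target": "av_service.exe"},
    {"kind": "proc_kill", "ts": 20, "actor": "killer.exe", "target": "edr_agent.exe"},
    {"kind": "proc_kill", "ts": 300, "actor": "taskmgr.exe", "target": "notepad.exe"},
]

def safeboot_changes(events):
    """Boot-configuration edits that force the next boot into Safe Mode (assumed bcdedit path)."""
    return [e for e in events if e["kind"] == "proc_start"
            and "bcdedit" in e["cmdline"].lower() and "safeboot" in e["cmdline"].lower()]

def unusual_driver_loads(events):
    """Kernel drivers loaded from outside the normal driver directory: a BYOVD indicator."""
    return [e for e in events if e["kind"] == "driver_load"
            and not e["image"].lower().startswith(DRIVER_DIR)]

def kill_loops(events, window=60, min_hits=2):
    """Actors that repeatedly terminate watchlisted security processes inside one time window,
    matching a killer that loops over a hardcoded process list. Returns {actor: hits}."""
    times = defaultdict(list)
    for e in events:
        if e["kind"] == "proc_kill" and e["target"].lower() in WATCHLIST:
            times[e["actor"]].append(e["ts"])
    flagged = {}
    for actor, ts in times.items():
        ts.sort()
        best = max(sum(1 for t in ts if 0 <= t - start <= window) for start in ts)
        if best >= min_hits:
            flagged[actor] = best
    return flagged

def chain_score(events):
    """Number of chain stages observed (0-3); two or more deserves an analyst's attention."""
    stages = (safeboot_changes(events), unusual_driver_loads(events), kill_loops(events))
    return sum(1 for s in stages if s)
```

The thresholds and the watchlist are deliberately simple; in a real estate they would be tuned against the products actually deployed and the normal rate of process terminations.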