The Rise of Embargo Ransomware: A Rust-Based Threat
Embargo ransomware has emerged as a new threat in the cybersecurity landscape, utilizing advanced Rust-based tooling developed by the group. ESET researchers have discovered a new toolkit comprising a loader and an EDR killer, named MDeployer and MS4Killer respectively. This innovative approach showcases the group’s sophistication and adaptability in creating and deploying ransomware.
Key Points Highlighted:
- Embargo is actively developing and testing new Rust-based tooling.
- Tools like MDeployer and MS4Killer show signs of ongoing development and refinement.
- The threat actor manipulates Safe Mode to disable targeted security solutions.
- Customization of tools for each victim demonstrates the group’s tailored approach.
Introduction to Embargo
Embargo, a relatively new player in the ransomware arena, first caught ESET’s attention in June 2024. The group made headlines for its use of Rust, a versatile programming language ideal for developing cross-platform malware targeting both Windows and Linux systems. This choice of programming language, coupled with their operational tactics, sets Embargo apart in the ransomware landscape.
The group’s operational methods involve setting up dedicated infrastructure for victim communication, utilizing encryption for extortion, and employing double extortion tactics to pressure victims into paying ransoms. Also, the group’s alleged involvement in Ransomware-as-a-Service (RaaS) indicates a network of affiliates working under the Embargo umbrella.
Understanding MDeployer
MDeployer, a primary loader tool used by Embargo, serves as the gateway for deploying MS4Killer and the Embargo ransomware onto compromised systems. This malicious loader decrypts and executes the payloads, ensuring a seamless execution flow for the ransomware attack.
One notable aspect of MDeployer is its ability to customize the decryption of payloads for each victim using a unique hardcoded RC4 key. This adaptability allows Embargo to tailor the attack for specific environments, enhancing their chances of successful infiltration and data encryption.
Abusing Safe Mode
A key component of MDeployer’s functionality involves leveraging Safe Mode to disable security solutions, a technique commonly used by advanced threat actors to evade detection and ensure successful ransomware deployment. By rebooting systems into Safe Mode, Embargo gains a tactical advantage in disabling targeted security programs.
Safe Mode, a diagnostic feature in Windows that operates with minimal functionality, provides threat actors with an opportunity to bypass security measures and execute malicious activities undetected. This technique has become a favored strategy among ransomware groups looking to maximize their impact on targeted systems.
Active Development and Improvements
Analysis of MDeployer reveals ongoing development, with multiple versions of the tool observed during incidents. Logical bugs and inconsistencies in the tool suggest that Embargo’s toolset is still evolving, indicating a continuous effort to refine and enhance their capabilities.
The unique approach of deleting the vulnerable driver used by MS4Killer showcases close collaboration between the two tools, highlighting the group’s commitment to refining their attack chain for optimal performance.
Insights into MS4Killer
MS4Killer, an EDR evasion tool developed in Rust, mirrors the capabilities of the loader by terminating security product processes through the deployment of a vulnerable driver. Inspired by existing proof-of-concept tools like s4killer, MS4Killer extends its functionality with additional features like process termination in a multithreaded environment and encryption of key elements to evade detection.
BYOVD Technique
Similar to MDeployer, MS4Killer utilizes the Bring Your Own Vulnerable Driver (BYOVD) technique, exploiting a signed, vulnerable driver to gain kernel-level access for process termination. The use of this technique demonstrates Embargo’s ingenuity in circumventing security defenses to ensure successful ransomware deployment.
Custom Process Termination
A unique aspect of MS4Killer is its customization of process termination, targeting specific security solution processes based on an embedded list of process names. This tailored approach allows Embargo to effectively disable security products on compromised systems, further enabling the smooth execution of the ransomware payload.
Conclusion
Embargo’s utilization of advanced Rust-based tooling, including MDeployer and MS4Killer, signifies a new breed of ransomware threat in the cybersecurity landscape. The group’s adaptive tactics, dedication to ongoing development, and tailored approach to each victim underscore their sophistication and strategic capabilities.
As Embargo continues to refine its toolset and operational methods, cybersecurity professionals must remain vigilant and adaptable in defending against evolving ransomware threats.
For further inquiries or details regarding the research presented in this article, please contact threatintel@eset.com. ESET Research offers private APT intelligence reports and data feeds. Visit the ESET Threat Intelligence page for more information.
Appendix: Example of MS4Killer Termination Process List
| Process Names | Description |
| Sample Process 1 | Short description of the process |
| Sample Process 2 | Short description of the process |
| Sample Process 3 | Short description of the process |