Embargo ransomware: Rock’n’Rust
- November 4, 2024
- Posted by: claudia
ESET researchers have identified a new Rust-based toolkit linked to the emerging Embargo ransomware, a group first noted in June 2024. This toolkit comprises MDeployer, a malicious loader, and MS4Killer, an EDR (Endpoint Detection and Response) killer, both written in Rust, which has become a preferred programming language for ransomware development due to its versatility on multiple platforms. The group specifically customizes its tools for each target, indicating a sophisticated approach to ransomware deployment.
Embargo's activity includes incidents observed in July 2024 in which the new tooling was deployed. The differing versions of MDeployer and MS4Killer seen across intrusions suggest continuous development, with signs that the tools were refined after earlier attempts. MDeployer plays the central role: it decrypts and launches both MS4Killer and the ransomware payload, controlling the sequence in which the attack executes.
Embargo’s operational model shows high resource availability, as they maintain their infrastructure for victim communications, including avenues like the Tox protocol. The group employs a double extortion tactic, not only encrypting victims’ files but also threatening to publicize their stolen data unless payment is made. This approach is indicative of the Ransomware as a Service (RaaS) model, where the group likely recruits affiliates by offering a compensation scheme, allowing their operations to expand amidst increased pressure on other ransomware groups from law enforcement.
The ransomware payload leaves a distinctive ransom note and encrypts files with a randomly generated six-character hexadecimal extension. The analysis draws parallels between Embargo and other ransomware groups that have adopted the use of Rust, such as BlackCat and Hive, positioning Embargo as part of a broader trend in modern ransomware development.
MDeployer is the primary tool in the Embargo arsenal, designed to facilitate ransomware deployment by managing additional payloads. It decrypts the files the ransomware needs in order to run, using a hardcoded key for this process. MDeployer also checks that the MS4Killer process is active; if that step does not complete correctly, the ransomware deployment may halt.
A significant part of the Embargo toolkit's strategy is the abuse of Windows Safe Mode to disable security solutions by manipulating system settings and configuration. The system is rebooted into Safe Mode, where few security measures are active, so that standard security solutions are far less able to detect or block the attack. The group uses a combination of administrative commands to implement this tactic, demonstrating sophistication and knowledge of system operations.
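A defender-side example, added here and not part of the ESET report or this post: detection logic that scans process-creation events for boot-configuration changes that force a Safe Mode reboot, and raises severity when a reboot follows. The report does not name the commands Embargo uses, so the bcdedit safeboot setting and the SafeBoot\Minimal service key are assumptions taken from the publicly documented form of this technique, and the sample events are constructed.

```python
import re

# Constructed sample process-creation events (not from the ESET report):
# each is a host name and the command line observed on it.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": "bcdedit /v"},
    {"host": "srv02", "cmd": "bcdedit /set {default} safeboot minimal"},
    {"host": "srv02", "cmd": r"reg add HKLM\SYSTEM\CurrentControlSet\Control"
                            r"\SafeBoot\Minimal\updsvc /ve /d Service /f"},
    {"host": "srv02", "cmd": "shutdown /r /t 0"},
    {"host": "ws03", "cmd": "bcdedit /deletevalue {default} safeboot"},
]

# bcdedit setting (not deleting) a safeboot value: the change that forces the
# next boot into Safe Mode. Reverting it with /deletevalue is not flagged.
SAFEBOOT_SET = re.compile(r"\bbcdedit(\.exe)?\b.*\s/set\b.*\bsafeboot\b", re.I)
# Registering a service under SafeBoot\Minimal or \Network so it is allowed
# to start in Safe Mode while security products are not.
SAFEBOOT_SVC = re.compile(r"\\control\\safeboot\\(minimal|network)\\", re.I)
REBOOT = re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.I)


def classify(event):
    """Tag one event, or return None when it is not of interest."""
    cmd = event["cmd"]
    if SAFEBOOT_SET.search(cmd):
        return "safeboot_set"
    if SAFEBOOT_SVC.search(cmd):
        return "safeboot_service_added"
    if REBOOT.search(cmd):
        return "reboot"
    return None


def detect_safe_mode_tampering(events):
    """Return {host: (severity, sorted tamper tags)} for hosts showing Safe Mode
    tampering; a reboot on the same host raises severity to high. Hosts that
    only reboot, or only revert a safeboot value, produce no alert."""
    tags_by_host = {}
    for event in events:
        tag = classify(event)
        if tag:
            tags_by_host.setdefault(event["host"], []).append(tag)
    alerts = {}
    for host, tags in tags_by_host.items():
        tamper = sorted({t for t in tags if t.startswith("safeboot")})
        if tamper:
            severity = "high" if "reboot" in tags else "medium"
            alerts[host] = (severity, tamper)
    return alerts
```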
The MS4Killer tool, on the other hand, takes a targeted approach to evading defenses. Using the Bring Your Own Vulnerable Driver (BYOVD) technique, it loads vulnerable and revoked drivers to gain kernel-level access and terminate security software processes. This custom-written tool, heavily inspired by existing proofs of concept, highlights the Embargo group's adaptability and quick response, as they modify their tools for specific targets.
Evidence of ongoing development within the toolkit includes inconsistencies and debugging traces found in the versions analyzed. The variable structure and logical errors suggest that Embargo’s tools are not fully finished, indicating that the developers are iteratively testing and improving their functionality. The rapid alteration of tools during intrusions points to capabilities for on-the-fly adjustments based on immediate operational feedback.
As the researchers detailed, MDeployer and MS4Killer do not merely disable security measures; together they reflect a comprehensive methodology for ensuring that ransomware operations execute successfully and persist. Each tool's role complements the group's overall strategy, resulting in diversified and agile approaches to overcoming defenses in compromised environments.
In conclusion, the discovery of Embargo and its specialized Rust tools exemplifies the ongoing evolution of threats in the ransomware landscape. The combination of tailored toolkits, strategic abuse of system features such as Safe Mode, and active development marks a serious threat, and organizations should strengthen their protective measures against sophisticated ransomware operations.