Introduction
The Embargo ransomware group [1] [2] [4] [5] [6] [7] [8] [10] [11], identified in June 2024 [10], represents a new and evolving threat in the cybersecurity landscape. This group has developed a sophisticated Rust-based toolkit designed to deploy ransomware while effectively bypassing cybersecurity defenses. Their operations have targeted US companies, demonstrating the capability to attack both Windows and Linux systems.
Description
The Embargo ransomware group [1] [2] [4] [5] [6] [7] [8] [10] [11], first identified in June 2024 [10], is a novice threat actor that has developed and tested a sophisticated Rust-based toolkit designed to deploy its ransomware while effectively bypassing cybersecurity defenses. This toolkit comprises two primary components: MDeployer [4], a malicious loader [4] [5] [10], and MS4Killer [3] [4] [5] [6] [7] [8] [9] [10] [12] [13], an endpoint detection and response (EDR) killer [1] [2] [4] [6] [7] [9] [11] [13]. Both tools are custom compiled for each victim’s environment [4], specifically targeting selected security solutions to enhance their effectiveness. They have been observed in ransomware attacks against US companies in July 2024 [5], capable of targeting both Windows and Linux systems [9].
MDeployer serves as the main loader [5] [10], facilitating the execution of the ransomware and the encryption of files [5]. It abuses Safe Mode to sidestep security measures [8]: when executed with administrative privileges it attempts to reboot the system into Safe Mode, where many defenses are inactive [5]. MDeployer executes both MS4Killer and the ransomware payload after decrypting two files [5] [10], a.cache and b.cache [5], that were dropped earlier [5]. After the encryption process is complete [5], it terminates the MS4Killer process [5] [10], removes the decrypted payloads and the driver file associated with MS4Killer [5], and reboots the system [5] [10], leaving few traces of the attack. Different versions of MDeployer have been observed during intrusions, indicating active development and the ability of the attackers to modify and recompile their tools in real time.
MS4Killer specializes in terminating security product processes using the Bring Your Own Vulnerable Driver (BYOVD) technique [4]. This method abuses signed, vulnerable kernel drivers to obtain kernel-level code execution [6] [13], enabling the group to effectively manipulate the security solutions protecting the targeted infrastructure [13]. MS4Killer continuously scans for running processes to kill [4], using a hardcoded list of target process names [4] [10], and is designed to run indefinitely in an endless loop, employing multiple threads for efficient execution [9]. It operates from the kernel by installing and exploiting a vulnerable driver stored in a global variable [5]; the kill routine receives the process identifier of the target process as an argument [5]. Its features include encrypted binary strings and an embedded driver blob [4], which contribute to its stealthy operation. The design of both MDeployer and MS4Killer reflects a strategic intent to maximize the effectiveness of the operation by replicating security-disabling functionality at different phases of the attack.
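The two paragraphs above describe a chain a defender can correlate on the endpoint: a.cache and b.cache dropped, a Safe Mode reboot configured, a kernel driver loaded from a dropped file, a security product's process terminated, and the payloads and driver deleted before the reboot. The following added example (not code from the page or from any ESET report) classifies constructed telemetry events into those stages and flags hosts that show several of them; the process names, host names, file paths and event format are assumptions made for the sample data.

```python
import json
from collections import defaultdict

# Constructed sample names; the page does not list the EDR products targeted.
SECURITY_PROCESSES = {"edr_agent.exe", "av_service.exe"}
CACHE_NAMES = {"a.cache", "b.cache"}          # files dropped by MDeployer (from the page)
SYSTEM_DRIVER_DIR = "\\windows\\system32\\drivers\\"

def classify(ev):
    """Map one telemetry event (dict) to a stage of the described chain, or None."""
    kind = ev.get("type")
    cmd = ev.get("cmdline", "").lower()
    path = ev.get("path", "").lower()
    name = path.rsplit("\\", 1)[-1]
    if kind == "process_create" and "bcdedit" in cmd and "safeboot" in cmd:
        return "safe_mode_config"            # reboot into Safe Mode being prepared
    if kind == "file_create" and name in CACHE_NAMES:
        return "cache_drop"                  # a.cache / b.cache written to disk
    if kind == "driver_load" and SYSTEM_DRIVER_DIR not in path:
        return "driver_load"                 # kernel driver loaded from a dropped file
    if kind == "process_terminate" and ev.get("image", "").lower() in SECURITY_PROCESSES:
        return "security_process_killed"     # security product process terminated
    if kind == "file_delete" and (name in CACHE_NAMES or name.endswith(".sys")):
        return "cleanup"                     # payloads and driver removed after encryption
    return None

def correlate(lines, min_stages=3):
    """Return {host: sorted stages} for hosts with at least min_stages distinct
    stages, one of which is the driver load or the security-process kill."""
    stages = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        stage = classify(ev)
        if stage:
            stages[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in stages.items()
            if len(s) >= min_stages and s & {"driver_load", "security_process_killed"}}

# Constructed telemetry: WS01 shows the full chain, WS02 is benign noise.
SAMPLE_EVENTS = [
    '{"host":"WS01","type":"file_create","path":"C:\\\\Temp\\\\a.cache"}',
    '{"host":"WS01","type":"file_create","path":"C:\\\\Temp\\\\b.cache"}',
    '{"host":"WS01","type":"process_create","cmdline":"bcdedit /set {default} safeboot minimal"}',
    '{"host":"WS01","type":"driver_load","path":"C:\\\\Temp\\\\drv.sys"}',
    '{"host":"WS01","type":"process_terminate","image":"edr_agent.exe"}',
    '{"host":"WS01","type":"file_delete","path":"C:\\\\Temp\\\\drv.sys"}',
    '{"host":"WS02","type":"file_create","path":"C:\\\\Users\\\\x\\\\report.docx"}',
    '{"host":"WS02","type":"driver_load","path":"C:\\\\Windows\\\\System32\\\\drivers\\\\tcpip.sys"}',
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Because BYOVD drivers carry valid signatures, the driver-load stage keys on the load path rather than on signature status; the stage threshold keeps a lone driver load from a non-standard path from alerting on its own.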
The Embargo group employs a double-extortion strategy, exfiltrating data and threatening to publish it while encrypting files [10]. Their ability to adapt tools during active intrusions indicates a significant investment in evasion tactics throughout the attack process. The use of Rust for both the toolkit and the ransomware payload reflects a strategic choice aimed at enhancing performance, efficiency [6] [9], and security due to its memory safety features and low-level capabilities [9]. The well-resourced nature of the Embargo gang allows them to create custom tools tailored to each victim and maintain infrastructure for communication with victims, solidifying their position in the ransomware landscape. The concurrent deployment of MDeployer and MS4Killer underscores their collaborative functionality, further enhancing the group’s operational effectiveness against targeted security measures.
Conclusion
The emergence of the Embargo ransomware group highlights the increasing sophistication of cyber threats and the need for robust cybersecurity measures. Organizations must prioritize the implementation of advanced security protocols and continuous monitoring to mitigate such threats. The group’s ability to adapt and customize their tools in real-time suggests that future ransomware attacks may become even more targeted and difficult to defend against. As the cybersecurity landscape evolves, staying informed and prepared is crucial for safeguarding against these advanced threats.
References
[1] https://www.eset.com/nl/over/newsroom/persberichten-overzicht/persberichten/eset-research-ontdekt-nieuwe-ransomware-groep-embargo-gebruikt-toolkit-die-beveiligingsoplossingen-uitschakelt/
[2] https://www.channelconnect.nl/security-en-privacy/eset-research-ontdekt-nieuwe-ransomware-groep/
[3] https://www.eset.com/fr/about/newsroom/press-releases/recherche/ransomware-embargo-outils-personnalises-securite/
[4] https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrust/
[5] https://ciso2ciso.com/embargo-ransomware-gang-deploys-customized-defense-evasion-tools-source-www-infosecurity-magazine-com/
[6] https://www.eset.com/int/about/newsroom/press-releases/research/new-ransomware-group-embargo-uses-toolkit-that-disables-security-solutions-eset-research-discovers-1/
[7] https://www.emerce.nl/wire/eset-research-ontdekt-nieuwe-ransomwaregroep-embargo-gebruikt-toolkit-die-beveiligingsoplossingen-uitschakelt
[8] https://thenimblenerd.com/article/rust-in-peace-embargo-ransomwares-new-toolkit-spells-trouble-for-u-s-cybersecurity/
[9] https://www.bankinfosecurity.com/embargo-ransomware-disables-security-defenses-a-26603
[10] https://www.infosecurity-magazine.com/news/embargo-ransomware-defense-evasion/
[11] https://www.dutchitleaders.nl/news/511576/eset-research-ontdekt-nieuwe-ransomware-groep-embargo
[12] https://www.welivesecurity.com/es/investigaciones/embargo-ransomware-utiliza-herramientas-desactivar-soluciones-seguridad/
[13] https://www.computable.nl/persberichten/embargo-nieuwe-ransomware-schakelt-beveiligingsoplossingen-uitaldus-eset/