The Embargo ransomware group is a new and immature suspected ransomware-as-a-service (RaaS) gang that uses a custom Rust-based toolkit, including one variant that abuses Windows Safe Mode to disable security processes, according to an analysis published by ESET researchers Wednesday.
Embargo first emerged publicly in May 2024 and first appeared in ESET’s telemetry the following month. The group is suspected to be behind the attack on the American Radio Relay League conducted in May as well as a July attack on a South Carolina police department.
The group was previously noted by Cyble researchers to bear some similarities to the defunct ALPHV/BlackCat group, including similarities in its leak site format and Rust-based ransomware binaries.
The new analysis by ESET unveiled more details about two tools utilized by Embargo, which appear to be in active development, evolving from sample to sample, the researchers reported.
Embargo ransomware group relies on MDeployer, MS4Killer tools
ESET dubs the two key tools used by Embargo to facilitate its ransomware attacks "MDeployer" and "MS4Killer," which are both written in Rust.
MDeployer performs the tasks of decrypting and executing MS4Killer and the ransomware payload as well as logging errors and performing cleanup at the conclusion of the attack. MS4Killer is used to disable security tools on the victim machine and is customized for each victim to target specific security processes.
While the initial intrusion vector is not known, once MDeployer is installed on the victim machine, it decrypts MS4Killer from the encrypted file “b.cache” and drops and executes it as “praxisbackup.exe.” It then decrypts the Embargo ransomware payload from “a.cache” and drops and executes it as “pay.exe.” MDeployer used the same hardcoded RC4 key to decrypt both files in every case observed by ESET.
When it is executed, MS4Killer, which is believed to be based on the s4killer proof-of-concept tool available on GitHub, drops the vulnerable minifilter driver probmon.sys version 3.0.0.4 in a common technique known as “Bring Your Own Vulnerable Driver” (BYOVD). MS4Killer leverages this vulnerable driver to gain kernel-level code execution, enabling it to interfere with security software, the researchers wrote.
Unlike the original s4killer, Embargo’s version has the list of process names to be killed hardcoded into its binary, and also has the embedded driver blob encrypted in RC4. MS4Killer runs in an endless loop and constantly scans for processes to kill, the ESET researchers explained.
MDeployer logs errors that occur during its attack chain in a file titled “fail.txt,” and at the end of the attack — either after successful ransomware execution or after an error during loader execution that prevents the attack from continuing — it performs a cleanup routine that includes terminating the MS4Killer loop, deleting praxisbackup.exe, pay.exe and the vulnerable driver, and creating a file called stop.exe. Stop.exe is a flow control file that some versions of MDeployer check for to see if MDeployer has previously been executed and prevent double encryption.
The Embargo ransomware, also written in Rust, appends encrypted files with a random six-character extension containing letters and numbers (ex. .b58eeb) and drops the ransom note titled “HOW_TO_RECOVER_FILES.txt” in all encrypted directories. The ransomware group has its own infrastructure with which to secretly communicate with victims, the researchers found, but also provides the option to negotiate over Tox chat.
MDeployer variant abuses Safe Mode for evasion
The ESET researchers noted many signs that the group’s toolset is in active development, including several differences between samples containing Embargo ransomware, multiple bugs, inconsistencies and “messy control flow” in the malware code, and instances where slightly different versions of the malware were deployed on the same machine, potentially indicating the attacker’s attempt to tweak the tools before trying again after an error.
One notable toolset variant discovered by ESET was a dynamic link library (DLL) version of MDeployer (which is ordinarily an executable file) that abuses Windows’ Safe Mode feature to disable security processes on its own when admin privileges are available.
If the DLL is executed as admin, MDeployer uses a combination of Windows command line tools to set Safe Mode as the default boot mode, disable Windows Defender in Safe Mode, create a service (irnagentd) that executes the loader after rebooting into Safe Mode and then restarts the system to trigger a Safe Mode reboot.
Once the system is in Safe Mode, irnagentd executes MDeployer again, which disables selected security tools by renaming their installation directories before ultimately executing the Embargo ransomware payload, the researchers described. After this, it deletes pay.exe and irnagentd, creates stop.exe and reboots back to normal mode.
If MDeployer is not run in admin mode, it instead executes MS4Killer and the Embargo ransomware as it normally would. An additional variant of the malware discovered by ESET attempts a third method for killing security processes — a batch script that similarly reboots into Safe Mode and renames the installation directories of selected security processes.
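As an added illustration (not code from the ESET report), here is a small detection routine run over constructed Sysmon-style process-creation records: it flags the Safe Mode chain described above (boot-mode change, creation of the irnagentd service, forced reboot) and the dropped file names the article lists. The sample command lines are assumed for the example and are not the actual commands Embargo used.

```python
import re

# Constructed Sysmon-style process-creation records (not from the ESET report);
# they only illustrate the behaviours the article describes.
SAMPLE_EVENTS = [
    {"pid": 1, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} safeboot network"},
    {"pid": 2, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc create irnagentd binPath= C:\\ProgramData\\praxisbackup.exe start= auto"},
    {"pid": 3, "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": "shutdown /r /t 0"},
    {"pid": 4, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad C:\\Users\\alice\\notes.txt"},
]

# Indicators taken from the article: the service name and the dropped file names.
EMBARGO_SERVICE = "irnagentd"
EMBARGO_FILES = {"praxisbackup.exe", "pay.exe", "stop.exe", "fail.txt", "a.cache", "b.cache"}

# Each stage of the Safe Mode chain as a command-line pattern.
RULES = [
    ("safe_mode_boot", re.compile(r"\bbcdedit\b.*\bsafeboot\b", re.I)),
    ("safe_mode_service", re.compile(rf"\bsc(\.exe)?\b.*\bcreate\b.*\b{EMBARGO_SERVICE}\b", re.I)),
    ("forced_reboot", re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.I)),
]


def classify(event):
    """Return (matched rule names, Embargo file names seen) for one event."""
    hits = [name for name, rx in RULES if rx.search(event["cmdline"])]
    lowered = event["cmdline"].lower()
    files = sorted(f for f in EMBARGO_FILES if f in lowered)
    return hits, files


def score_host(events):
    """Flag a host when all three stages of the Safe Mode chain are observed."""
    seen, files = set(), set()
    for ev in events:
        hits, fs = classify(ev)
        seen.update(hits)
        files.update(fs)
    chain = {"safe_mode_boot", "safe_mode_service", "forced_reboot"}
    return {"chain_complete": chain <= seen, "stages": sorted(seen), "files": sorted(files)}
```

Any one stage alone is noisy on an admin workstation; the three together, plus one of the listed file names, is the combination worth alerting on.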
Overall, Embargo is an immature but ambitious ransomware group that appears to take pointers from other successful RaaS gangs through its use of the BYOVD method, abuse of Safe Mode and use of the versatile Rust programming language. ESET’s blog concludes with Embargo’s indicators of compromise (IoC) and tactics, techniques, and procedures (TTPs) to help organizations defend themselves from this new and developing threat.