Emerging Ransomware Group Utilizes Rust-Based Tools in New Attack Strategies
A newly formed ransomware group has emerged with advanced capabilities, developing tools designed to get past conventional endpoint defenses. What distinguishes the group is its use of Rust-based tooling, including a component that loads a vulnerable but legitimately signed driver and abuses it to shut down endpoint security software.
Research by ESET has identified malware associated with the Embargo ransomware that combines a bespoke loader with an endpoint detection and response (EDR) termination tool. The ransomware first gained notoriety in April, coinciding with significant disruption in the ransomware ecosystem, including targeted law enforcement actions and the withdrawal of established players such as BlackCat.
The Embargo group claims to have compromised ten organizations, including a non-bank lender in Australia, a police department in South Carolina and a community hospital in Idaho, all listed on its dark web leak site. In a June interview, a self-identified member described the group's ransomware-as-a-service model, in which affiliates reportedly keep up to 80% of the extorted funds.
The two key components of the toolkit described by ESET are MDeployer, a loader that deploys Embargo's ransomware and the other malicious payloads, and MS4Killer, which disables endpoint security products by abusing a vulnerable driver. Both are written in Rust, a language valued for its memory safety and performance; because Rust compiles readily for multiple platforms, ransomware families written in it commonly ship both Windows and Linux builds. MS4Killer itself is Windows-specific, since it depends on loading a Windows kernel driver.
Once MDeployer is running, it decrypts and executes MS4Killer, then launches the main ransomware payload. One technique it uses to clear the way is rebooting the compromised machine into Safe Mode, a reduced-functionality boot environment that starts only a minimal set of drivers and services, so many security agents never load and the EDR is effectively switched off before encryption begins.
Researchers noted slight variations in the versions of MDeployer and MS4Killer encountered during separate incidents, indicating an ongoing evolution and enhancement of the group’s operational toolkit. In one instance, two iterations of MDeployer were found within a single breach, hinting at a potential refinement following a prior unsuccessful attempt.
MS4Killer uses the technique known as "bring your own vulnerable driver" (BYOVD): rather than exploiting a flaw in a driver already on the system, the attacker drops and loads a legitimately signed third-party driver with a known vulnerability, then uses that driver's privileged kernel access to terminate security processes that could not otherwise be killed from user mode. ESET believes it was inspired by the earlier proof-of-concept tool s4killer, which Embargo adapted to work against real-world defenses. The tool runs in a continuous loop, repeatedly scanning running processes for security products and killing any it finds, and uses multiple threads to do so.
Mapped to the MITRE ATT&CK framework, the behavior described here falls mainly under Defense Evasion: MDeployer decrypting its embedded payloads (T1140, Deobfuscate/Decode Files or Information), the reboot into Safe Mode (T1562.009, Impair Defenses: Safe Mode Boot), and MS4Killer's termination of security processes through the abused driver (T1562.001, Impair Defenses: Disable or Modify Tools, with the driver abuse itself tracked as T1068, Exploitation for Privilege Escalation), followed by the ransomware's file encryption (T1486, Data Encrypted for Impact). The research does not describe how Embargo obtains initial access. Taken together, these techniques show a newly surfaced group with a mature toolkit and a credible threat to organizations across many sectors.
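The two behaviors above, the Safe Mode reboot used by MDeployer and the vulnerable-driver load used by MS4Killer, both leave traces in ordinary endpoint telemetry. The following hunting script is an added example and is not ESET's or Embargo's code: it runs simple rules over constructed Sysmon-style event records (Event ID 1 process creation and Event ID 6 driver load; the field names, host name, file names and hash value are assumptions of this example, not real telemetry) and flags `bcdedit ... safeboot` changes, kernel services registered from outside the drivers directory, and driver loads from unusual paths or matching a caller-supplied set of known-vulnerable driver hashes. For the hash set a real deployment would use Microsoft's vulnerable driver blocklist or the LOLDrivers project; none of their hashes are reproduced here.

```python
"""Hunt for Safe Mode boot tampering and BYOVD driver loads in Sysmon-style events.

Added illustration only; the event records below are constructed to resemble
Sysmon Event ID 1 (process creation) and Event ID 6 (driver load). Field names
are this example's own assumptions, not a specific SIEM schema.
"""
import re
from dataclasses import dataclass

# bcdedit /set {default} safeboot network|minimal  -> forces Safe Mode on next boot
SAFEBOOT_SET = re.compile(r"bcdedit(\.exe)?\s+/set\b.*\bsafeboot\b", re.I)
# bcdedit /deletevalue {default} safeboot          -> cleanup after the Safe Mode phase
SAFEBOOT_CLEAR = re.compile(r"bcdedit(\.exe)?\s+/deletevalue\b.*\bsafeboot\b", re.I)
# sc create <name> type= kernel binPath= <path>    -> registering a dropped driver
KERNEL_SVC = re.compile(
    r"sc(\.exe)?\s+create\s+(?P<name>\S+).*type=\s*kernel.*binpath=\s*(?P<path>\S+)", re.I)
# Legitimate drivers overwhelmingly live here; anything else deserves a look.
DRIVER_DIR = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str   # MITRE ATT&CK technique ID
    detail: str


def parse_hashes(field: str) -> dict:
    """Turn a Sysmon 'SHA256=..,MD5=..' style field into {ALGO: hexdigest}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def check_process(ev):
    cmd = ev.get("cmdline", "")
    if SAFEBOOT_SET.search(cmd):
        yield Finding(ev["host"], "T1562.009", f"Safe Mode boot configured: {cmd}")
    elif SAFEBOOT_CLEAR.search(cmd):
        yield Finding(ev["host"], "T1562.009", f"Safe Mode boot flag removed (cleanup): {cmd}")
    m = KERNEL_SVC.search(cmd)
    if m and not DRIVER_DIR.match(m.group("path")):
        yield Finding(ev["host"], "T1068",
                      f"Kernel service {m.group('name')!r} registered from non-standard path {m.group('path')}")


def check_driver_load(ev, vulnerable_hashes):
    path = ev.get("image_loaded", "")
    sha256 = parse_hashes(ev.get("hashes", "")).get("SHA256")
    if sha256 and sha256 in vulnerable_hashes:
        yield Finding(ev["host"], "T1068", f"Known vulnerable driver loaded: {path}")
    elif not DRIVER_DIR.match(path):
        # Signed or not, a driver loaded from Temp/ProgramData/user dirs is rare.
        yield Finding(ev["host"], "T1068", f"Driver loaded from outside drivers directory: {path}")


def hunt(events, vulnerable_hashes=frozenset()):
    """Return all findings for a list of events; vulnerable_hashes holds lowercase SHA-256 digests."""
    findings = []
    for ev in events:
        if ev["id"] == 1:
            findings.extend(check_process(ev))
        elif ev["id"] == 6:
            findings.extend(check_driver_load(ev, vulnerable_hashes))
    return findings


# Constructed sample data (not real telemetry); the hash is a placeholder, not a real driver hash.
FAKE_SHA256 = "00" * 32
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-042", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} safeboot network", "parent": r"C:\Users\Public\deploy.exe"},
    {"id": 1, "host": "WS-042", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc create mon type= kernel binPath= C:\Windows\Temp\mon.sys", "parent": r"C:\Users\Public\deploy.exe"},
    {"id": 6, "host": "WS-042", "image_loaded": r"C:\Windows\Temp\mon.sys",
     "signed": "true", "signature": "Example Vendor Co", "hashes": "SHA256=" + FAKE_SHA256},
    {"id": 1, "host": "WS-042", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /deletevalue {default} safeboot", "parent": r"C:\Users\Public\deploy.exe"},
    # Benign noise that must not fire:
    {"id": 6, "host": "WS-042", "image_loaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "signed": "true", "signature": "Microsoft Windows", "hashes": "SHA256=" + "11" * 32},
    {"id": 1, "host": "WS-042", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum", "parent": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, {FAKE_SHA256}):
        print(f"{f.host}  {f.technique:<10} {f.detail}")
```

The Safe Mode rule is deliberately two-sided: the `/set` fires when the loader prepares the reboot, and the `/deletevalue` fires again when it tidies up, so a host that produces both within a short window with encryption activity in between is a strong signal even if the driver load was missed. Feeding `vulnerable_hashes` from a maintained blocklist turns the weaker "unusual path" heuristic into a definite hit.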