ESET researchers have uncovered new Rust-based tools that have led to the deployment of the Embargo ransomware. Embargo, a relatively new player in the ransomware landscape, was first detected by ESET in June 2024. The new toolkit comprises a loader and an EDR killer known as MDeployer and MS4Killer, respectively, according to ESET. Of particular note is MS4Killer, which is customized for each victim’s environment, targeting specific security solutions. Both tools are coded in Rust, the programming language favored by the Embargo group for developing its ransomware.
In July 2024, ransomware incidents targeted US companies, with the threat actor leveraging its new tooling. The variations observed in the versions of MDeployer and MS4Killer in each incident indicate active development of the tools. An interesting discovery was the presence of two different versions of MDeployer within a single incident, likely indicating adjustments made after an initial failed attempt.
This blogpost delves into the analysis of MDeployer and MS4Killer, shedding light on the activities leading up to the execution of the Embargo ransomware. MDeployer serves as a malicious loader for deploying MS4Killer and the Embargo ransomware. MS4Killer, on the other hand, functions as an EDR killer that exploits a vulnerable driver to disable security products running on the victim’s machine.
Embargo made its debut on the public stage in May 2024, attracting attention not only for successfully breaching high-profile targets but also for its unconventional choice of Rust as the programming language for its ransomware payload. The group operates its infrastructure for communicating with victims and applies pressure through double extortion tactics and data leak sites. The group’s operational structure hints at the possibility of it providing Ransomware as a Service (RaaS).
The payloads of the Embargo ransomware observed during the incidents in July 2024 exhibit certain common attributes, such as dropping a ransom note named HOW_TO_RECOVER_FILES.txt in each encrypted directory, appending random six-letter extensions consisting of hexadecimal characters to encrypted files, and creating a mutex named IntoTheFloodAgainSameOldTrip.
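As an added example (not ESET’s code or part of the original article), the small Python helper below turns the three artifacts listed above into simple host-level checks: it flags directories that contain the HOW_TO_RECOVER_FILES.txt note or several files with a six-hex-character extension, and picks out telemetry events that create the IntoTheFloodAgainSameOldTrip mutex. The file paths and mutex events are constructed sample data, and the event format (dicts with a `mutex` field) is an assumption.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Indicators taken from the Embargo description above.
RANSOM_NOTE = "HOW_TO_RECOVER_FILES.txt"
EMBARGO_MUTEX = "IntoTheFloodAgainSameOldTrip"
HEX_EXT = re.compile(r"[0-9a-fA-F]{6}")  # six-hex-character extension

def _posix(path):
    """Normalise Windows-style paths so PurePosixPath can split them."""
    return PurePosixPath(path.replace("\\", "/"))

def looks_encrypted(path):
    """True if the file's last extension is exactly six hexadecimal characters."""
    suffix = _posix(path).suffix  # e.g. ".3fa9c1"
    return bool(suffix) and HEX_EXT.fullmatch(suffix[1:]) is not None

def scan_paths(paths, min_hits=3):
    """Group paths by directory and flag a directory if it holds the ransom
    note or at least min_hits files with a six-hex extension (a single such
    file can be legitimate, so a lone hit is not reported on its own)."""
    by_dir = defaultdict(lambda: {"note": False, "encrypted": 0})
    for p in paths:
        pp = _posix(p)
        entry = by_dir[str(pp.parent)]
        if pp.name == RANSOM_NOTE:
            entry["note"] = True
        elif looks_encrypted(p):
            entry["encrypted"] += 1
    return {d: e for d, e in by_dir.items()
            if e["note"] or e["encrypted"] >= min_hits}

def mutex_hits(events):
    """Return telemetry events (assumed format: dicts with a 'mutex' field)
    whose mutex name, ignoring any 'Global\\' prefix, is the Embargo mutex."""
    return [e for e in events
            if e.get("mutex", "").split("\\")[-1] == EMBARGO_MUTEX]

# Constructed sample data, not from a real incident.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\HOW_TO_RECOVER_FILES.txt",
    r"C:\Users\alice\Documents\report.docx.3fa9c1",
    r"C:\Users\alice\Documents\budget.xlsx.b07e2d",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Pictures\notes.txt.c0ffee",  # lone hit, below threshold
]
SAMPLE_EVENTS = [
    {"pid": 4120, "image": "svchost.exe", "mutex": "Global\\SomeOtherMutex"},
    {"pid": 5532, "image": "unknown.exe", "mutex": EMBARGO_MUTEX},
]
```

Running `scan_paths(SAMPLE_PATHS, min_hits=2)` reports only the Documents directory (note present, two renamed files), while the single odd file in Pictures stays below the threshold.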
MDeployer, the primary malicious loader used by Embargo, is responsible for facilitating the attack by executing the ransomware and thus the file encryption. In terms of execution, MDeployer decrypts two encrypted files, a.cache and b.cache, dropped by a prior stage and then runs the two payloads they contain: MS4Killer and the Embargo ransomware. Notably, all versions of MDeployer use the same hardcoded RC4 key to decrypt both payloads.
One significant aspect of MDeployer’s functionality is its abuse of Safe Mode to disable security solutions. By attempting to reboot the victim’s system into Safe Mode, the loader aims to strip away crucial cybersecurity measures, creating an opportunity for threat actors to operate undetected. This technique, known as Safe Mode abuse, is commonly used by ransomware groups to evade detection and carry out their malicious activities.
In conclusion, the tools developed by Embargo, specifically MDeployer and MS4Killer, showcase a level of sophistication and customization rarely seen in other ransomware operations. The group’s active development and customization of its tools for each victim’s environment point towards a well-organized and resourced threat actor. The adoption of Rust as the primary language for developing its ransomware payloads further underscores the group’s commitment to staying ahead in the ransomware space.
