Embargo ransomware: Rock'n'Rust
Oct. 24, 2024, 10:21 a.m.
Description
ESET researchers have uncovered new Rust-based tools used by the Embargo ransomware group. The toolkit comprises MDeployer, a loader that deploys MS4Killer and the Embargo ransomware payload, and MS4Killer, an EDR killer that loads a vulnerable driver and uses it to terminate security product processes (the Bring Your Own Vulnerable Driver, BYOVD, technique). Embargo, first observed in June 2024, is a relatively new player in the ransomware scene that targets both Windows and Linux systems. The group's tools are actively developed and customized for each victim. MDeployer abuses Safe Mode, rebooting the host into a state in which most security solutions are not loaded, in order to disable those solutions, while MS4Killer kills the security processes that remain through the vulnerable driver. The analysis also shows the tools being modified and recompiled during an intrusion, which suggests the attackers can adapt their toolkit quickly.
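The two defense-evasion behaviours summarised above, forcing a host into Safe Mode and staging a kernel driver for BYOVD process killing, both leave telemetry that a SOC can match on. The following is an added detection example, not code from ESET or from the Embargo toolkit: it runs simple rules over constructed, Sysmon-like process-creation and driver-load events. The command lines (bcdedit with `safeboot`, `sc create ... type= kernel`) are assumed generic forms of these techniques; the page does not list the group's exact commands, and the sample events are invented for illustration.

```python
"""Detection checks for Safe Mode tampering and kernel-driver staging.

Added example; the events and command lines below are constructed samples
(generic forms of the techniques), not telemetry from an Embargo intrusion.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Event:
    kind: str          # "process" (process creation) or "driver" (driver load)
    image: str         # process image path, or the driver file path
    command_line: str = ""


# bcdedit changing the safeboot setting forces the next boot into Safe Mode,
# where most third-party security services are not started (T1562.001 via
# Safe Mode, T1112 since the setting lives in the BCD store).
SAFEBOOT_RE = re.compile(r"\bsafeboot\b", re.IGNORECASE)

# sc.exe creating a service of type kernel is the usual way to register a
# dropped driver before loading it (T1569.002; BYOVD staging).
SC_KERNEL_RE = re.compile(
    r"\bsc(\.exe)?\b.*\bcreate\b.*\btype=\s*kernel\b", re.IGNORECASE
)

# Legitimate drivers overwhelmingly live under the system drivers directory;
# a driver loaded from a user-writable path is worth a look.
SYSTEM_DRIVER_DIR = re.compile(r"^c:\\windows\\system32\\drivers\\", re.IGNORECASE)


def check_event(ev: Event) -> List[str]:
    """Return the names of every rule the event triggers (empty if benign)."""
    findings: List[str] = []
    if ev.kind == "process":
        if ev.image.lower().endswith("bcdedit.exe") and SAFEBOOT_RE.search(ev.command_line):
            findings.append("safe_mode_tamper")
        if SC_KERNEL_RE.search(ev.command_line):
            findings.append("kernel_driver_service_create")
    elif ev.kind == "driver":
        if not SYSTEM_DRIVER_DIR.match(ev.image):
            findings.append("driver_loaded_from_unusual_path")
    return findings


def triage(events: List[Event]) -> List[str]:
    """Deduplicated, ordered list of rule hits across a batch of events."""
    seen: List[str] = []
    for ev in events:
        for hit in check_event(ev):
            if hit not in seen:
                seen.append(hit)
    return seen


# Constructed sample batch: two attacker-style events, one driver load from a
# user-writable path, a revert of the safeboot setting, and two benign events.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\bcdedit.exe",
          "bcdedit /set {default} safeboot network"),
    Event("process", r"C:\Windows\System32\sc.exe",
          r'sc create updsvc type= kernel binPath= "C:\Users\Public\upd.sys"'),
    Event("driver", r"C:\Users\Public\upd.sys"),
    Event("process", r"C:\Windows\System32\bcdedit.exe",
          "bcdedit /deletevalue {default} safeboot"),
    Event("process", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    Event("driver", r"C:\Windows\System32\drivers\disk.sys"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.kind:8} {ev.image:45} {check_event(ev)}")
    print("batch hits:", triage(SAMPLE_EVENTS))
```

Both the `safeboot` set and its later `/deletevalue` revert are flagged on purpose: an attacker cleaning up after the encryptor has run is as interesting as the initial tamper, and the pair bracketing a reboot is a strong correlation signal. A real deployment would key these rules on Sysmon event IDs 1 and 6 (or the equivalent EDR telemetry) and add Authenticode signer and known-vulnerable-driver hash checks to the driver rule.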
Date
Published: Oct. 23, 2024, 10:35 p.m.
Created: Oct. 23, 2024, 10:35 p.m.
Modified: Oct. 24, 2024, 10:21 a.m.
Attack Patterns
MS4Killer
MDeployer
Embargo ransomware
Embargo
T1136.002 (Create Account: Domain Account)
T1587.001 (Develop Capabilities: Malware)
T1569.002 (System Services: Service Execution)
T1135 (Network Share Discovery)
T1053.005 (Scheduled Task/Job: Scheduled Task)
T1490 (Inhibit System Recovery)
T1059.003 (Command and Scripting Interpreter: Windows Command Shell)
T1059.001 (Command and Scripting Interpreter: PowerShell)
T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
T1070.004 (Indicator Removal: File Deletion)
T1562.001 (Impair Defenses: Disable or Modify Tools)
T1486 (Data Encrypted for Impact)
T1083 (File and Directory Discovery)
T1112 (Modify Registry)
Additional Information
Technology