Embargo ransomware: Rock'n'Rust

Oct. 24, 2024, 10:21 a.m.

Description

ESET researchers have uncovered new Rust-based tools used by the Embargo ransomware group. The toolkit includes MDeployer, a loader that deploys MS4Killer and the Embargo ransomware, and MS4Killer, an EDR killer that exploits a vulnerable driver. Embargo, first observed in June 2024, is a relatively new player in the ransomware scene that targets both Windows and Linux systems. The group's tools are actively developed and customized for each victim. MDeployer abuses Safe Mode to disable security solutions, while MS4Killer terminates security-product processes using the Bring Your Own Vulnerable Driver (BYOVD) technique. The analysis reveals ongoing development and adaptation of the tools during intrusions, suggesting that the attackers can quickly modify and recompile their toolkit.

Date

Published: Oct. 23, 2024, 10:35 p.m.

Created: Oct. 23, 2024, 10:35 p.m.

Modified: Oct. 24, 2024, 10:21 a.m.

Attack Patterns

MS4Killer

MDeployer

Embargo ransomware

Embargo

T1136.002

T1587.001

T1569.002

T1135

T1053.005

T1490

T1059.003

T1059.001

T1547.001

T1070.004

T1562.001

T1486

T1083

T1112

Additional Information

Technology