Embargo ransomware: Rock'n'Rust
Oct. 24, 2024, 10:21 a.m.
Description
ESET researchers have uncovered new Rust-based tools used by the Embargo ransomware group. The toolkit consists of MDeployer, a loader that deploys both MS4Killer and the Embargo ransomware payload, and MS4Killer, an EDR killer that exploits a vulnerable driver. Embargo, first observed in June 2024, is a relatively new player in the ransomware scene that targets both Windows and Linux systems. The group's tools are actively developed and customized for each victim. MDeployer abuses Safe Mode, in which most security solutions are not loaded, to disable them, while MS4Killer terminates security product processes using the Bring Your Own Vulnerable Driver (BYOVD) technique. The analysis shows ongoing development and adaptation of the tools during intrusions, suggesting the attackers can quickly modify and recompile their toolkit.
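As an added example, not code from the ESET report or from the Embargo toolkit: a small Python detector for the two evasion techniques summarised above (Safe Mode abuse and BYOVD driver loading), run over constructed Sysmon-style log lines. The key=value log format, the bcdedit/bootcfg command shapes, the SafeBoot registry path check and the driver hash blocklist are assumptions made for illustration; the blocklist entry is a placeholder, not a real driver hash.

```python
"""Detect Safe Mode boot manipulation and vulnerable-driver loads in
constructed Sysmon-style log lines. Illustrative example only; the
patterns below are generic, not signatures of MDeployer or MS4Killer."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Generic Safe Mode manipulation (MITRE ATT&CK T1562.009): forcing the next
# boot into Safe Mode is normally done by editing the BCD store. Assumed
# command shapes, not lifted from the Embargo tooling.
SAFEBOOT_PATTERNS = [
    re.compile(r"bcdedit(\.exe)?\b.*\bsafeboot\b", re.I),
    re.compile(r"bootcfg(\.exe)?\b.*/safeboot", re.I),
]

# Hypothetical BYOVD blocklist: lowercase SHA256 -> label. A real deployment
# would load a curated list (e.g. LOLDrivers); this hash is a placeholder.
KNOWN_VULN_DRIVER_HASHES = {
    "0" * 64: "placeholder-vulnerable-driver",
}

# Services listed under these keys are allowed to start in Safe Mode; writes
# here by a non-system process are worth a look (generic check, an assumption).
SAFEBOOT_REG_FRAGMENT = "\\control\\safeboot\\"

# Matches Key=value or Key="quoted value" tokens (assumed log format).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Finding:
    technique: str
    evidence: str


def parse_line(line: str) -> dict:
    """Parse one constructed 'Key=value Key2="quoted value"' line into a dict."""
    out = {}
    for m in KV_RE.finditer(line):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return out


def extract_sha256(hashes: str) -> Optional[str]:
    """Pull the SHA256 out of a Sysmon-style 'MD5=..,SHA256=..' field."""
    for part in hashes.split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return None


def detect(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per suspicious event, in log order."""
    findings = []
    for raw in lines:
        ev = parse_line(raw)
        eid = ev.get("EventID")
        if eid == "1":  # process creation
            cmd = ev.get("CommandLine", "")
            if any(p.search(cmd) for p in SAFEBOOT_PATTERNS):
                findings.append(Finding("safe-mode-boot", cmd))
        elif eid == "6":  # driver loaded
            sha = extract_sha256(ev.get("Hashes", ""))
            if sha in KNOWN_VULN_DRIVER_HASHES:
                findings.append(Finding("byovd-driver-load", ev.get("ImageLoaded", "")))
        elif eid in ("12", "13"):  # registry key/value events
            target = ev.get("TargetObject", "")
            if SAFEBOOT_REG_FRAGMENT in target.lower():
                findings.append(Finding("safeboot-registry-write", target))
    return findings


# Constructed sample log: one benign process, one Safe Mode boot change, one
# benign driver load, one placeholder vulnerable driver, one SafeBoot key write.
SAMPLE_LOG = [
    'EventID=1 Image=C:\\Windows\\System32\\bcdedit.exe CommandLine="bcdedit /set {default} safeboot network" User=CORP\\admin',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe C:\\notes.txt" User=CORP\\alice',
    "EventID=6 ImageLoaded=C:\\Windows\\Temp\\drv.sys Hashes=SHA256=" + "0" * 64 + " Signed=true",
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Hashes=SHA256=" + "a" * 64 + " Signed=true",
    'EventID=13 Image=C:\\Windows\\Temp\\loader.exe TargetObject=HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\evil Details="Service"',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.technique}: {f.evidence}")
```

The three checks are deliberately independent: a loader that only flips the boot configuration, a driver load with no preceding Safe Mode change, or a SafeBoot allowlist edit on its own should each surface, since the report notes the tools are recompiled and reordered per victim.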
Date
- Created: Oct. 23, 2024, 10:35 p.m.
- Published: Oct. 23, 2024, 10:35 p.m.
- Modified: Oct. 24, 2024, 10:21 a.m.
Additional Information
- Technology