Embargo ransomware analysis exposes developing toolkit of new group
The Embargo ransomware group is a new and immature suspected ransomware-as-a-service (RaaS) gang that uses a custom Rust-based toolkit, including one variant that abuses Windows Safe Mode to disable security processes, according to an analysis published by ESET researchers Wednesday.
Embargo first emerged publicly in May 2024 and first appeared in ESET’s telemetry the following month. The group is suspected to be behind the attack on the American Radio Relay League conducted in May as well as a July attack on South Carolina police department.
The group was previously noted by Cyble researchers to bear some similarities to the defunct ALPHV/BlackCat group, including similarities in its leak site format and Rust-based ransomware binaries.
The new analysis by ESET unveiled more details about two tools utilized by Embargo, which appear to be in active development, evolving from sample to sample, the researchers reported.
ESET dubs the two key tools used by Embargo to facilitate its ransomware attacks "MDeployer" and "MS4Killer," which are both written in Rust.
:max_bytes(150000):strip_icc()/ar-goldfish-pepperidge-farm-2x1-05fd3fe2c6d74adca0510232baa62a06.jpg)
