Ransom Group: Embargo

Who: Ransomware group

What: Uses advanced techniques and double extortion against victims

When: Last observed in November 2024

Where: Group targets medical practices in the U.S. but has the capability to hit victims outside its typical profile

Why: Primary motive is financial gain

Who are they?
The Embargo ransomware group, first identified in June 2024, has quickly established itself as a well-resourced and sophisticated cybercriminal actor. The group has targeted various sectors, including healthcare, government, and financial institutions. One notable victim is Memorial Hospital and Manor in Georgia, where Embargo has threatened to release 1.15 terabytes of sensitive data unless a ransom is paid by an imminent deadline. Other victims include healthcare providers such as Weiser Memorial Hospital in Idaho and police departments across the U.S. The group appears to operate as a ransomware-as-a-service (RaaS) provider, offering affiliate payouts for attacks carried out using its tools.

Tactics, Techniques and Procedures (TTPs)
Embargo leverages a Rust-based toolkit to disable security defenses before deploying its ransomware payload. Key components include MDeployer, a loader, and MS4Killer, an endpoint detection and response (EDR) killer, both of which are tailored to specific victims or modified dynamically during attacks. Notably, Embargo employs Safe Mode reboots to disable security tools, exploiting the reduced defenses in this diagnostic mode. Additionally, MDeployer uses a "bring your own vulnerable driver" (BYOVD) technique, exploiting legitimate but vulnerable drivers to bypass protections and disable endpoint security.

  1. Initial Access: Embargo gains initial access by exploiting vulnerable software such as browsers or perimeter routers, or through phishing.
  2. Malware Deployment: The threat actor delivers MDeployer and two encrypted files to compromised systems. MDeployer then decrypts the associated files and deploys MS4Killer (praxisbackup.exe).
  3. Disabling Security Software: MS4Killer disables security software by terminating processes and exploiting a legitimate but vulnerable driver (Sysmon64.sys). The tool runs continuously to ensure defenses remain inactive.
  4. Safe Mode Exploit: If MDeployer is executed with administrative privileges, it forces the system into Safe Mode by editing the registry; many security tools are inactive there. It also renames security software directories to render them nonfunctional.
  5. Ransomware Execution: The ransomware payload encrypts files and drops a ransom note named HOW_TO_RECOVER_FILES.txt. Encrypted files receive a unique six-character extension (e.g., .b58eeb).
  6. Clean Up: MDeployer terminates MS4Killer, deletes the files introduced during the attack, and reboots the system.
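Step 5 leaves two host-level artifacts that are cheap to hunt for: the ransom note and a cluster of files sharing one six-character extension. The script below is an added example (not from the article or from ESET's research) that triages a file listing for both. It assumes the extension is lowercase hexadecimal, as the article's .b58eeb sample suggests but does not prove, and the file listing is constructed for the demo. Because ordinary English words such as ".facade" also match six hex characters, a single match is not treated as evidence; only a cluster of files with the same extension is.

```python
"""Triage a file listing for Embargo-style encryption artifacts (added example)."""
import re
from collections import Counter
from pathlib import PurePosixPath, PureWindowsPath

RANSOM_NOTE = "HOW_TO_RECOVER_FILES.txt"          # name given in the article
# Assumption: six lowercase hex characters, matching the article's .b58eeb sample.
SIX_HEX_EXT = re.compile(r"^\.[0-9a-f]{6}$")


def split_name(path: str):
    """Return (basename, lowercase suffix) for a Windows or POSIX style path."""
    p = PureWindowsPath(path) if "\\" in path else PurePosixPath(path)
    return p.name, p.suffix.lower()


def find_ransom_notes(paths):
    """Every path whose basename is the ransom note (case-insensitive)."""
    return sorted(p for p in paths if split_name(p)[0].upper() == RANSOM_NOTE.upper())


def extension_clusters(paths):
    """Count files per six-hex-character extension; a clean tree has almost none."""
    counts = Counter()
    for p in paths:
        _, ext = split_name(p)
        if SIX_HEX_EXT.match(ext):
            counts[ext] += 1
    return counts


def assess(paths, min_cluster=5):
    """Combine both indicators. min_cluster filters out benign one-off matches
    such as 'facade.facade', whose suffix is also six hex characters."""
    notes = find_ransom_notes(paths)
    clusters = extension_clusters(paths)
    suspicious = {ext: n for ext, n in clusters.items() if n >= min_cluster}
    if notes and suspicious:
        verdict = "ransomware_artifacts"
    elif notes or suspicious:
        verdict = "review"
    else:
        verdict = "clean"
    return {"ransom_notes": notes, "encrypted_extensions": suspicious, "verdict": verdict}


# Constructed sample listing, not data from a real incident.
SAMPLE_LISTING = [
    r"C:\Users\jdoe\Documents\HOW_TO_RECOVER_FILES.txt",
    r"C:\Users\jdoe\Documents\budget.xlsx.b58eeb",
    r"C:\Users\jdoe\Documents\notes.docx.b58eeb",
    r"C:\Users\jdoe\Pictures\IMG_0001.jpg.b58eeb",
    r"C:\Users\jdoe\Pictures\IMG_0002.jpg.b58eeb",
    r"C:\Users\jdoe\Pictures\IMG_0003.jpg.b58eeb",
    r"C:\Users\jdoe\Desktop\readme.txt",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\jdoe\Downloads\archive.7z",   # short, non-hex suffix: ignored
]

if __name__ == "__main__":
    print(assess(SAMPLE_LISTING))
```

Feed it the output of a file inventory (EDR file listing, `dir /s /b`, or a backup catalog) rather than walking a live infected host; the point is to confirm encryption scope quickly, and the extension cluster also tells you which extension to search for across other hosts.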

The group’s sophisticated tactics underscore its ability to evade traditional defenses and adapt tools in real time. Embargo is actively developing and refining its techniques, reflecting a sustained commitment to innovation. A signature of its operations is double extortion, where victims are coerced to pay both for decrypting data and for preventing the public release of stolen information, escalating the financial and reputational stakes for targeted organizations.

Mitigation Measures for Ransomware

  • Day-to-Day Management:

    • Regular Patching: Ensure all software, operating systems, network devices, and IoT devices are consistently patched to address known vulnerabilities.

    • Safe Mode Preparedness: Configure security software to remain operational in Safe Mode, mitigating attackers’ attempts to disable defenses during system reboots.

  • Access Control:

    • Restrict Administrative Privileges: Minimize the use of administrative accounts to reduce the risk of malicious tools executing with elevated permissions.

    • Enforce Multi-Factor Authentication (MFA): Require MFA for all privileged accounts to add an additional layer of security against unauthorized access.

    • Network Segmentation: Implement segmentation for key infrastructure, user devices, and backups to isolate systems and limit exposure during an attack.

  • Backup and Recovery:

    • Offline Backups: Maintain updated offline backups of critical data and systems to limit data loss and enable speedy recovery.

    • Regular Testing: Periodically test backups for restoration to confirm reliability in the event of a ransomware incident.
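A restore test is only meaningful if you can tell whether what came back is what was backed up. The example below is added here (not from the article) and shows one way to do that: record a SHA-256 manifest when the backup is taken, then verify a test restore against it, flagging files that are missing, altered, or unexpected. The scenario in `demo()` is constructed: one restored file has been replaced with ciphertext and a ransom note has appeared, which is exactly the condition a restore test exists to catch before an incident rather than during one.

```python
"""Backup restore verification with a SHA-256 manifest (added example)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large backup sets do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative, POSIX-style) to its digest.
    Relative paths keep the manifest valid wherever the restore lands."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    restored_root = Path(restored_root)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    present = {p.relative_to(restored_root).as_posix()
               for p in restored_root.rglob("*") if p.is_file()}
    result["unexpected"] = sorted(present - manifest.keys())
    result["passed"] = not (result["modified"] or result["missing"])
    return result


def demo() -> dict:
    """Constructed scenario: clean backup, restore with one tampered file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "backup")
        (src / "db").mkdir(parents=True)
        (src / "db" / "patients.sqlite").write_bytes(b"constructed sample data")
        (src / "config.yaml").write_text("retention: 30d\n")
        manifest = build_manifest(src)          # taken when the backup is made

        dst = Path(tmp, "restore")
        shutil.copytree(src, dst)               # the test restore
        # Simulate damage: one file replaced by ciphertext, plus a stray note.
        (dst / "db" / "patients.sqlite").write_bytes(b"\x00constructed ciphertext")
        (dst / "HOW_TO_RECOVER_FILES.txt").write_text("constructed")
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest with the offline backup but also in a second location the backup host cannot write to; a manifest that an attacker with backup-server access can regenerate proves nothing.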

Summary:

The Embargo ransomware group is an alarming and rapidly escalating threat, targeting critical sectors such as healthcare with devastating precision. Armed with sophisticated tools, it disables security defenses, abuses the reduced protections of Safe Mode, and executes double extortion tactics while threatening public exposure. Organizations without adequate cybersecurity measures or proactive mitigation strategies are at significant risk from Embargo's tailored attacks, which can disrupt operations and cause severe financial and reputational damage. If your organization hasn’t implemented robust ransomware defenses, now is the critical time to act.
Sources

  1. ESET Research. (2024). New ransomware group Embargo uses toolkit that disables security solutions, ESET research discovers. Retrieved from https://www.eset.com/int/about/newsroom/press-releases/research/new-ransomware-group-embargo-uses-toolkit-that-disables-security-solutions-eset-research-discovers-1/

  2. ESET Research. (2024). Embargo ransomware: Rock'n'Rust. Retrieved from https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrust/

  3. The Register. (2024). Microsoft sounds alarm over Storm-0501 ransomware attacks. Retrieved from https://www.theregister.com/2024/09/27/microsoft_storm_0501/
