| Category | Details |
|---|---|
| Threat Actors | Embargo ransomware group (Rust-based ransomware). |
| Campaign Overview | Active since June 2024; targets US companies; uses the MDeployer loader and the MS4Killer EDR killer; evolving tooling under active development. |
| Target Regions (Victims) | US companies (July 2024 incidents observed). |
| Methodology | Uses Safe Mode to disable security solutions; tools tailored for each victim; deploys MS4Killer (EDR killer) and Embargo ransomware via the MDeployer loader. |
| Product Targeted | Windows operating systems (via MDeployer and MS4Killer). |
| Malware Reference | Embargo ransomware, MDeployer (loader), MS4Killer (EDR killer). |
| Tools Used | Rust-based tools, MDeployer (for decryption and execution), MS4Killer (EDR killer), praxisbackup.exe, pay.exe. |
| Vulnerabilities Exploited | MS4Killer abuses vulnerable drivers to disable security solutions. |
| TTPs | Safe Mode usage; custom compilation of MS4Killer for the victim's environment; double extortion (data leakage); RC4-encrypted files used as payloads. |
| Attribution | Embargo, possibly a RaaS provider; sophisticated and well-resourced group. |
| Recommendations | Patch vulnerabilities affecting drivers; enhance endpoint security to detect and block Rust-based ransomware and EDR killers. |
| Source | WeLiveSecurity |
Read full article: https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrust/
Disclaimer: The above summary has been generated by an AI language model