Keypoints
- ESET identified Rust-written tooling (MDeployer and MS4Killer) used to deploy Embargo ransomware, first seen in June 2024.
- MDeployer decrypts two RC4-encrypted payloads (a.cache and b.cache), drops praxisbackup.exe and pay.exe, and orchestrates execution and cleanup.
- MS4Killer leverages a vulnerable signed driver (probmon.sys) via a BYOVD technique to terminate selected security processes and is custom-compiled per victim.
- The threat actor abuses Windows Safe Mode and uses services (irnagentd), registry edits, and bcdedit to disable defenses and persist across reboots.
- Evidence of multiple MDeployer/MS4Killer versions, compilation timestamps close to intrusions, and logical bugs indicate active, on-the-fly development and tailoring to victims.
- Embargo operates like a RaaS provider, pressures victims with double extortion, and exposes stolen data on a leak site while offering affiliate payouts.
MITRE Techniques
- [T1587.001] Develop Capabilities: Malware – Embargo authors custom Rust tooling (loader, EDR killer, and ransomware). (‘Embargo group develops its custom toolkit – MDeployer, MS4Killer, and Embargo ransomware.’)
- [T1059.003] Command-Line Interface: Windows Command Shell – A BAT script and cmd.exe commands are executed to disable protections and control reboots. (‘Embargo group executes a BAT script that disables security solutions.’)
- [T1059.001] Command-Line Interface: PowerShell – PowerShell was used to transfer MDeployer to target machines, likely via WinRM-fs-like tooling. (‘Embargo group uses PowerShell to transfer MDeployer to victims’ machines.’)
- [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence for the loader was achieved via a scheduled task named Perf_sys. (‘Embargo group uses scheduled tasks to run MDeployer on compromised endpoints.’)
- [T1569.002] System Services: Service Execution – The loader creates a service (irnagentd) to execute itself after setting Safe Mode as the next boot. (‘Embargo group uses a Windows service to execute MDeployer in Safe Mode.’)
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Registry keys under SafeBoot are created to start a service in Safe Mode. (‘Embargo group modifies the Windows registry to start a custom service in Safe Mode.’)
- [T1136.002] Create Account: Domain Account – The actor creates domain accounts as part of their access and control over compromised environments. (‘Embargo group creates its own domain accounts.’)
- [T1562.001] Impair Defenses: Disable or Modify Tools – MDeployer, MS4Killer, and accompanying BAT scripts rename directories and terminate security product processes to disable defenses. (‘MDeployer, MS4Killer, and a BAT script disable security solutions.’)
- [T1562.009] Impair Defenses: Safe Mode Boot – The loader reboots systems into Safe Mode to reduce active protections before disabling security products. (‘MDeployer and a BAT script reboot into Safe Mode.’)
- [T1070.004] Indicator Removal: File Deletion – MDeployer deletes decrypted payloads and the dropped vulnerable driver during cleanup to remove traces. (‘MDeployer deletes dropped files during cleanup.’)
- [T1112] Modify Registry – Registry entries required for filter loading and SafeBoot service registration are created or altered for driver/service loading. (‘MS4Killer modifies the registry to load a legitimate vulnerable driver.’)
- [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – Payloads and embedded driver blobs are RC4-encrypted and some strings use XOR to hinder analysis. (‘Payloads loaded by MDeployer are RC4 encrypted.’)
- [T1135] Network Share Discovery – The ransomware performs discovery of network shares to locate targets for encryption. (‘Embargo ransomware performs network share discovery.’)
- [T1083] File and Directory Discovery – The ransomware enumerates files and directories as part of its encryption process. (‘Embargo ransomware performs file and directory discovery.’)
- [T1490] Inhibit System Recovery – The ransomware disables automatic Windows recovery to impede victims’ recovery options. (‘Embargo ransomware disables automatic Windows recovery.’)
- [T1486] Data Encrypted for Impact – The final impact is file encryption across compromised systems with ransom notes dropped in each encrypted folder. (‘Embargo ransomware encrypts files on compromised machines.’)
Indicators of Compromise
- [SHA-1 hashes] file identification – A1B98B1FBF69AF79E5A3F27AA6256417488CC117 (dtest.dll), 888F27DD2269119CF9524474A6A0B559D0D201A1 (praxisbackup.exe), and 5 more hashes.
- [Filenames] deployed binaries and payloads – praxisbackup.exe (MS4Killer), pay.exe (Embargo ransomware).
- [Driver filenames] abused legitimate driver – probmon.sys observed dropped as Sysmon64.sys or Sysprox.sys (vulnerable driver used by MS4Killer).
- [Service / scheduled task] persistence and execution – irnagentd (service created to run in Safe Mode), Perf_sys (scheduled task executing the loader).
- [Mutex / ransom note / extensions] ransomware artifacts – IntoTheFloodAgainSameOldTrip (mutex), HOW_TO_RECOVER_FILES.txt (ransom note), file extensions like .b58eeb or .3d828a.
- [File paths] deployment locations and caches – C:\Windows\Debug\a.cache, C:\Windows\Debug\b.cache, C:\Windows\Debug\fail.txt.
- [Certificate] abused signing certificate – Thumbprint A88758892ED21DD1704E5528AD2D8036FEE4102C (ITM System Co.,LTD certificate used for probmon.sys).
ESET first observed Embargo activity in June 2024 and found that the group uses Rust as its primary language to build a small toolkit that aids ransomware deployment. The two central components identified by ESET are MDeployer, a loader responsible for decrypting and launching payloads, and MS4Killer, an EDR-killing tool that abuses a signed vulnerable driver to terminate security processes. These tools were seen in incidents affecting U.S. companies in July 2024 and display slight version differences across intrusions, indicating active development and on-the-fly adjustments by the operator.
MDeployer’s main job is to locate two RC4-encrypted cache files, a.cache and b.cache, decrypt them with a hardcoded RC4 key (wlQYLoPCil3niI7x8CvR9EtNtL/aeaHrZ23LP3fAsJogVTIzdnZ5Pi09ZVeHFkiB), and write the decrypted payloads to disk as praxisbackup.exe (MS4Killer) and pay.exe (the ransomware). The loader launches MS4Killer first and then confirms that it is still running by calling WaitForSingleObject on the process and checking for a WAIT_TIMEOUT return; if MS4Killer exits early, MDeployer logs an error (‘sysmon exited early’) and aborts the second stage. After the ransomware completes encryption, MDeployer kills MS4Killer, removes the decrypted payloads and the vulnerable driver, writes a control file named stop.exe to avoid double encryption, and reboots the system.
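As an added analyst helper (not code from ESET or from the toolkit itself), the following decrypts an MDeployer-style cache file with the RC4 key quoted above and checks that the result carries a PE header; the ciphertext it runs on is constructed here from a fake PE stub, since no real a.cache is on the page.

```python
# Added example: RC4 decryption of an MDeployer-style cache blob for triage.
# The sample ciphertext is constructed below (a fake "MZ" stub encrypted with the key).
from __future__ import annotations

# RC4 key the report states MDeployer uses for a.cache and b.cache.
MDEPLOYER_KEY = b"wlQYLoPCil3niI7x8CvR9EtNtL/aeaHrZ23LP3fAsJogVTIzdnZ5Pi09ZVeHFkiB"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_cache(blob: bytes, key: bytes = MDEPLOYER_KEY) -> tuple[bytes, bool]:
    """Return (plaintext, looks_like_pe); a Windows PE image begins with 'MZ'."""
    plain = rc4(key, blob)
    return plain, plain[:2] == b"MZ"


# Constructed stand-in for a recovered a.cache: a fake PE stub encrypted with the key.
FAKE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"constructed-sample"
SAMPLE_CACHE = rc4(MDEPLOYER_KEY, FAKE_PAYLOAD)

if __name__ == "__main__":
    import sys
    # Pass a recovered cache file as argv[1]; otherwise the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CACHE
    plain, is_pe = decrypt_cache(blob)
    print(f"decrypted {len(plain)} bytes; PE header present: {is_pe}")
```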
A distinctive capability in some MDeployer samples (notably a DLL variant) is the abuse of Windows Safe Mode to neutralize defenses. When executed with administrative privileges, that branch of the loader configures Safe Mode as the next boot using bcdedit, creates a service named irnagentd (with registry modifications under SafeBoot), deletes Windows Defender entries for Safe Mode, and restarts the machine so the loader can run in an environment with reduced protections. In Safe Mode the loader renames installation directories of targeted security products to disable them, executes the ransomware, performs a cleanup (deleting pay.exe and the temporary driver), removes the irnagentd service, creates stop.exe and reboots back to normal mode. In at least one intrusion the Safe Mode disabling logic was implemented as a BAT script that mirrored the loader’s behavior, demonstrating that Embargo adapts its methods to a victim’s specific environment.
The MS4Killer component builds on a publicly available Rust proof-of-concept named s4killer and extends it to run continuously, scan for configured process names, decrypt an embedded vulnerable driver blob, and load that driver to perform kernel-level termination of selected processes. MS4Killer embeds probmon.sys (a vulnerable minifilter signed by a now-revoked ITM System Co.,LTD certificate) as an RC4-encrypted blob (RC4 key FGFOUDa87c21Vg+cxrr71boU6EG+QC1mwViTciNaTUBuW4gQbcKboN9THK4K35sL) and drops it as Sysprox.sys or Sysmon64.sys before loading it via FilterLoad. Many strings (log messages, process names, and the RC4 key) are XOR-obfuscated in the binary; once decrypted, MS4Killer compares running processes to the embedded list and terminates only the subset relevant to the victim’s installed security software. In multiple cases the MS4Killer samples were compiled just prior to attacks and appear to be tailored to the specific EDR/AV protecting the target.
Throughout the samples ESET analyzed there are signs that the toolkit is still maturing. MDeployer sometimes exhibits messy control flow and logical bugs, including instances where cleanup deletes pay.exe and the loader subsequently tries to execute that same file. The DLL variant contains several flaws that can prevent correct execution, which may explain why operators deployed multiple loader versions within the same incident as they iterated fixes in real time. Compilation timestamps that closely precede intrusions and evidence of rapid recompilation suggest the attackers can quickly modify source code and produce victim-specific binaries during an active compromise.
Operationally, Embargo shows behaviors typical of a well-resourced RaaS operation. The group maintains infrastructure to communicate with victims, publishes stolen files on a leak site, accepts alternative communications such as Tox, and appears to offer affiliate payouts, according to an interview with an alleged group member. The ransomware payload itself leaves consistent artifacts: a ransom note named HOW_TO_RECOVER_FILES.txt in each encrypted folder, encrypted file extensions composed of six hexadecimal characters (for example, .b58eeb or .3d828a), and the mutex IntoTheFloodAgainSameOldTrip. Earlier reporting also found a different mutex string derived from rock lyrics, which aligns with these findings.
Seen from the defender’s side, the actors use a variety of tactics to ensure successful encryption: scheduled tasks (Perf_sys) created by an elevated user to run the loader, PowerShell delivery scripts resembling WinRM-fs file transporter patterns to move the loader from an unprotected host, creation and deletion of the services and registry keys required for driver loading, and explicit bcdedit commands to set and unset Safe Mode. Their cleanup routines attempt to remove evidence by deleting dropped files and drivers, and they alter system recovery to hinder remediation efforts. ESET reported the in-the-wild misuse of the probmon.sys driver to Microsoft.
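The host artifacts listed above and in the Safe Mode description (irnagentd, SafeBoot keys, bcdedit, Perf_sys, the C:\Windows\Debug cache files, the dropped driver names) lend themselves to a simple correlation check. The scanner below is an added example, not ESET tooling; the event lines it runs on are constructed here to resemble Sysmon/Security events, and the `host=`/`event=` layout is an assumption.

```python
# Added example: correlate the report's host indicators across event-log lines.
# Sample events are constructed (not real telemetry); field layout is an assumption.
import re
from collections import defaultdict

# (rule name, MITRE technique from the report, case-insensitive regex)
RULES = [
    ("safeboot_service",  "T1569.002", r"service.*\birnagentd\b"),
    ("safeboot_registry", "T1547.001", r"\\SafeBoot\\"),
    ("bcdedit_safeboot",  "T1562.009", r"bcdedit(\.exe)?\b.*\bsafeboot\b"),
    ("loader_task",       "T1053.005", r"task.*\bPerf_sys\b"),
    ("debug_dir_staging", "T1027.013", r"C:\\Windows\\Debug\\(a\.cache|b\.cache|fail\.txt)"),
    ("byovd_driver_drop", "T1562.001", r"\b(Sysprox|Sysmon64)\.sys\b"),
    ("stage_binaries",    "T1562.001", r"\b(praxisbackup|pay|stop)\.exe\b"),
    ("ransomware_mutex",  "T1486",     r"IntoTheFloodAgainSameOldTrip"),
]
COMPILED = [(n, t, re.compile(rx, re.IGNORECASE)) for n, t, rx in RULES]


def scan(lines):
    """Return {host: {rule_name: [matching lines]}} for every rule that fires."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = re.match(r"host=(\S+)", line)
        host = m.group(1) if m else "unknown"
        for name, _tech, rx in COMPILED:
            if rx.search(line):
                hits[host][name].append(line)
    return hits


def assess(hits, threshold=3):
    """Flag a host once several distinct stages of the described chain appear on it."""
    return {host: len(rules) >= threshold for host, rules in hits.items()}


SAMPLE_LOG = [  # constructed events; WS01 shows the chain, WS02 is benign noise
    "host=WS01 event=4698 TaskName=\\Perf_sys Author=CORP\\admin",
    "host=WS01 event=11 TargetFilename=C:\\Windows\\Debug\\a.cache",
    "host=WS01 event=1 CommandLine=bcdedit /set {default} safeboot minimal",
    "host=WS01 event=7045 ServiceName=irnagentd ImagePath=[constructed]",
    "host=WS01 event=13 TargetObject=HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\irnagentd",
    "host=WS01 event=11 TargetFilename=C:\\Windows\\Temp\\Sysprox.sys",
    "host=WS02 event=1 CommandLine=sc query Sysmon64",
    "host=WS02 event=11 TargetFilename=C:\\Users\\bob\\report.docx",
]

if __name__ == "__main__":
    for host, flagged in assess(scan(SAMPLE_LOG)).items():
        print(host, "LIKELY MDeployer/Safe Mode chain" if flagged else "isolated hit")
```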
In conclusion, the Embargo group employs Rust across its toolset and is actively developing and customizing components to defeat defenses and deploy ransomware. MDeployer and MS4Killer show overlapping capabilities to disable protections, and the attackers iterate quickly during intrusions to target specific security products. The combination of custom tooling, Safe Mode abuse, BYOVD use through a legitimate vulnerable driver, and affiliate-style operations supports the assessment that Embargo is functioning as a RaaS provider intent on maximizing encryption success through targeted defense suppression.
Read more: https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrust/