The Rust Revolution: New Embargo Ransomware Steps In

Keypoints

  • CRIL identified a sample of Embargo ransomware developed in Rust.
  • The threat actors use double extortion, exfiltrating data before encrypting files.
  • The initial ransom reportedly demanded was $1 million, with threats to notify victims’ clients, employees, partners, investors, stakeholders, and government authorities if it was not paid.
  • Embargo’s leak-site UI resembles ALPHV’s, and ALPHV’s leak site was taken down by law enforcement in March 2024.
  • Log generation and some binary structures between Embargo and ALPHV appear similar, suggesting Embargo may be a rewritten ALPHV variant.
  • Embargo uses ChaCha20 and Curve25519 for encryption and appends “.564ba1” to encrypted files, with at least four victims disclosed globally.

MITRE Techniques

  • [T1204.002] User Execution – Quote: “Malicious file.”
  • [T1070.004] Indicator Removal: File Deletion – Quote: “Ransomware deletes itself after execution.”
  • [T1140] Deobfuscate/Decode Files or Information – Quote: “Contains encrypted strings.”
  • [T1083] File and Directory Discovery – Quote: “Ransomware enumerates folders for file encryption and file deletion.”
  • [T1135] Network Share Discovery – Quote: “Target Network Shares”
  • [T1486] Data Encrypted for Impact – Quote: “Ransomware encrypts the data for extortion.”
  • [T1490] Inhibit System Recovery – Quote: “Disable automatic Windows recovery”

Indicators of Compromise

  • [SHA256] Embargo Ransomware (Windows) – 98cc01dcd4c36c47fc13e4853777ca170c734613564a5a764e4d2541a6924d39
  • [SHA256] Embargo Ransomware (ESXi) – 7bfb789f5825f17a01cccd2fbd62635ce20f6ed7e488fded20549a806371aeb6
  • [SHA256] Embargo Ransomware (Linux) – e6b6503217b0cf50e262a6a843624068f8f6a96441d241695893e6cab3c60a2c
  • [File Extension] Encrypted files extension – .564ba1
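One way a defender can operationalise the indicators above: match binaries against the listed SHA256 hashes and raise an alert when several files gain the “.564ba1” extension within a short window. This is an added example, not code from the report; the file-event log format and the sample events are constructed assumptions.

```python
from __future__ import annotations

import hashlib
from collections import deque
from datetime import datetime, timedelta

# IoCs as listed in the report above.
EMBARGO_SHA256 = {
    "98cc01dcd4c36c47fc13e4853777ca170c734613564a5a764e4d2541a6924d39": "Embargo ransomware (Windows)",
    "7bfb789f5825f17a01cccd2fbd62635ce20f6ed7e488fded20549a806371aeb6": "Embargo ransomware (ESXi)",
    "e6b6503217b0cf50e262a6a843624068f8f6a96441d241695893e6cab3c60a2c": "Embargo ransomware (Linux)",
}
EMBARGO_EXT = ".564ba1"

# Constructed sample of file-system events (not from the report); the
# "<ISO timestamp> <action> <path>" line format is an assumption.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 RENAME C:\\Users\\a\\Documents\\q1.xlsx.564ba1
2024-05-01T10:00:02 RENAME C:\\Users\\a\\Documents\\plan.docx.564ba1
2024-05-01T10:00:02 RENAME C:\\Users\\a\\Pictures\\img.jpg.564ba1
2024-05-01T10:30:00 RENAME C:\\Users\\b\\notes.txt.bak
2024-05-01T11:00:00 RENAME C:\\Users\\b\\old.pdf.564ba1
"""


def classify_binary(data: bytes) -> str | None:
    """Return the IoC label if the SHA256 of `data` matches a known Embargo sample."""
    return EMBARGO_SHA256.get(hashlib.sha256(data).hexdigest())


def detect_embargo_bursts(events: str, threshold: int = 3,
                          window: timedelta = timedelta(seconds=60)) -> list[datetime]:
    """Return the timestamps at which `threshold` files gained the .564ba1
    extension within `window`. A single stray rename is not reported, so
    one odd file does not page the on-call analyst."""
    recent: deque[datetime] = deque()
    alerts: list[datetime] = []
    for line in events.splitlines():
        ts_text, action, path = line.split(" ", 2)
        if action != "RENAME" or not path.lower().endswith(EMBARGO_EXT):
            continue
        ts = datetime.fromisoformat(ts_text)
        recent.append(ts)
        while recent and ts - recent[0] > window:   # slide the window forward
            recent.popleft()
        if len(recent) == threshold:                # fire when the count reaches the threshold
            alerts.append(ts)
    return alerts


if __name__ == "__main__":
    print(detect_embargo_bursts(SAMPLE_EVENTS))     # [datetime(2024, 5, 1, 10, 0, 2)]
```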

Read more: https://cyble.com/blog/the-rust-revolution-steps-in/