LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile Embargo

Embargo Ransomware: Rust-Based Toolchain, EDR Killing, and Double Extortion

Embargo is a ransomware group that emerged in mid-2024 operating a custom Rust-built toolchain including a BYOVD-based EDR killer and a dedicated dropper. The group runs a double-extortion operation with enterprise targeting across healthcare, manufacturing, and financial sectors.

By Ransomware Tracker ·
Embargoransomwaregroup profileRustBYOVDMS4KillerMDeployerEDR bypassdouble extortionhealthcaremanufacturing
Threat Level
8/10
Sectors Targeted
healthcare
manufacturing
finance
education
technology
Ransomware Family
Embargo

Embargo is a ransomware operation that emerged publicly in mid-2024, distinguished from most contemporaries by two technical characteristics: a fully custom toolchain written in Rust and a dedicated BYOVD (Bring Your Own Vulnerable Driver) component purpose-built to disable endpoint detection before encryption begins. Both decisions reflect a level of operational investment beyond what typical ransomware-as-a-service affiliates undertake, suggesting a development team with sustained resources and intent to operate at enterprise scale.

ESET and Symantec published technical analysis of Embargo’s tools in late 2024. Subsequent incident response data has confirmed the toolchain’s deployment against targets in North America, Europe, and the Middle East.

Toolchain: MDeployer and MS4Killer

Embargo’s operation uses two primary custom tools working in sequence before the ransomware payload executes.

MDeployer

MDeployer is a Rust-based dropper and deployment orchestrator. Its functions include:

  • Dropping and executing the MS4Killer BYOVD component
  • Deploying the Embargo ransomware payload to target systems
  • Ensuring execution order: EDR termination must complete before encryption begins
  • Anti-analysis features including environment checks and execution guards

Writing a dropper in Rust offers practical benefits for threat actors: Rust binaries have minimal standard library footprint by default, compile to native code with no interpreter dependency, and produce binaries that differ significantly in structure from C++ or .NET tooling that EDR behavioral rules are historically tuned for. Rust’s memory safety model also reduces the risk of exploit-catching bugs in the malicious tooling itself.

MS4Killer

MS4Killer is Embargo’s BYOVD component, named for its function of killing security products before encryption. BYOVD techniques work by loading a legitimate but vulnerable Windows kernel driver, then exploiting that driver’s vulnerability from userspace to execute code with kernel privileges. At kernel level, the tool can terminate protected processes, including endpoint security agents that protect themselves against termination from userspace.

MS4Killer specifically targets endpoint detection and response software, security monitoring agents, and antivirus products. ESET’s analysis identified that the component uses a legitimate (but vulnerable) driver to achieve kernel-mode access and then terminates security processes by name and by process hash.

The technique is well-documented in BYOVD research going back several years. What distinguishes Embargo’s implementation is its purpose-built, Rust-coded construction rather than the use of public BYOVD tooling or scripts. The driver used has varied across observed deployments, suggesting the group maintains the capability to rotate to new vulnerable drivers as vendors add existing ones to blocklists.

Ransomware Payload

The Embargo ransomware payload is also written in Rust. Technical characteristics observed in ESET’s analysis include:

  • Uses ChaCha20 for file encryption with RSA public key wrapping for the symmetric key
  • Implements multi-threading to accelerate encryption speed across available CPU cores
  • Targets network shares and mapped drives in addition to local volumes
  • Deletes Volume Shadow Copies to prevent recovery without paying the ransom
  • Deploys a ransom note with a Tor-based contact URL

The use of Rust for the payload itself is consistent with a growing trend among ransomware developers. Rust’s cross-platform compilation (one codebase can target Windows and Linux) makes it practical to build ESXi-targeting variants alongside Windows payloads. Whether Embargo has deployed Linux variants in production is not confirmed in public reporting, but the language choice makes it technically straightforward.

Operational Model

Embargo operates a double-extortion model: files are both encrypted and exfiltrated before the ransom note is deployed. The group maintains a dark web data leak site where victim data is listed and, following non-payment, published.

The ransom demands observed in public reporting are consistent with enterprise-scale targeting: demands in the millions of USD, scaled to victim organisation revenue. This is not opportunistic mass encryption targeting small businesses but deliberate large-enterprise targeting with reconnaissance conducted before deployment.

Evidence from incident cases and dark web communication leaks suggests Embargo operates with affiliates, meaning the development team provides the toolchain and infrastructure while affiliates conduct intrusions and split the ransom proceeds. This RaaS structure is now standard across the ransomware ecosystem.

Initial Access Patterns

Public reporting on Embargo intrusions identifies the following initial access vectors:

Exposed VPN and RDP credentials: Valid account credentials, acquired either through credential stuffing, infostealer logs, or initial access brokers, are the most common entry point. Embargo affiliates are not known to develop their own zero-day exploits; they rely on purchased access and credential abuse.

Phishing with initial access broker handoff: Some cases involve an initial infostealer infection via phishing, with the resulting credential sold to an Embargo affiliate through underground access broker markets.

Exploitation of unpatched edge devices: Consistent with most enterprise ransomware operations, unpatched VPN concentrators, remote access gateways, and management interfaces are targeted where credentials alone don’t provide sufficient access.

Post-compromise, affiliates conduct Active Directory reconnaissance before deploying MDeployer and MS4Killer. The reconnaissance phase typically involves tools like BloodHound for AD mapping and credential dumping for lateral movement to domain controller level before deployment.

Detection Opportunities

MS4Killer BYOVD execution: BYOVD attacks involve loading a vulnerable driver via sc.exe or Service Control Manager API calls. Monitor for:

  • Creation of new kernel services that are not in the organisation’s approved driver list
  • Driver files dropped to unusual paths (ProgramData, Temp directories)
  • Use of legitimate signed drivers that appear in known BYOVD driver blocklists

Microsoft maintains a recommended driver blocklist that blocks known-abused vulnerable drivers when HVCI (Hypervisor-Protected Code Integrity) is enabled. Enabling HVCI on Windows 11 endpoints significantly raises the barrier for BYOVD attacks.

MDeployer deployment: The dropper executing prior to encryption will exhibit process creation chains involving service installation or scheduled task creation. Unusual service creation by non-administrative users or from non-standard paths should trigger investigation.

Volume Shadow Copy deletion: Embargo deletes VSS copies as part of the ransomware execution. Monitor for vssadmin.exe delete shadows, wmic.exe shadowcopy delete, or equivalent PowerShell commands. These commands should be rare in production environments; alert on any execution.

Network share enumeration: Pre-encryption network enumeration (scanning for accessible SMB shares) from an endpoint that doesn’t typically conduct such activity is a pre-ransomware indicator.

Sectors and Geography

Embargo’s confirmed victim list through mid-2026 spans:

  • Healthcare providers and health systems (US and European targets confirmed)
  • Manufacturing (industrial manufacturing, automotive supply chain)
  • Financial services (insurance, financial advisory firms)
  • Education (higher education institutions)
  • Technology sector (software, managed service providers)

No geographic restriction has been observed in Embargo’s targeting, though North American and European organisations represent the majority of confirmed victims, consistent with the group’s enterprise revenue-based demand model.

References

// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Underground Ransomware: Group Profile

Group Profile

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting