S1247 Embargo
Embargo is a ransomware variant written in Rust that has been active since at least May 2024.[1][2] Embargo ransomware operations are associated with “double extortion” ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish the files if a ransom is not paid.[1][2] Embargo ransomware has been delivered through a loader known as MDeployer, which also leverages a malware component known as MS4Killer that terminates processes on the victim hosts.[2] Embargo is also reportedly offered as Ransomware as a Service (RaaS).[2]
| Item | Value |
|---|---|
| ID | S1247 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 19 October 2025 |
| Last Modified | 20 October 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Embargo has modified the Windows Registry to start a custom service named irnagentd in Safe Mode.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Embargo has utilized a BAT script to disable security solutions.[2] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Embargo has established persistence through the DLL variant of the MDeployer toolkit by creating a service called irnagentd that launches after the system is rebooted in Safe Mode.[2] |
| enterprise | T1486 | Data Encrypted for Impact | Embargo has the ability to encrypt files with the ChaCha20 and Curve25519 cryptographic algorithms.[1] Embargo also has the ability to encrypt system data and append a random six-character extension consisting of hexadecimal characters, such as “.b58eeb” or “.3d828a”, to encrypted files.[2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Embargo has utilized MDeployer to decrypt two payloads, the MS4Killer toolkit (b.cache) and the Embargo ransomware executable (a.cache), with the hardcoded RC4 key wlQYLoPCil3niI7x8CvR9EtNtL/aeaHrZ23LP3fAsJogVTIzdnZ5Pi09ZVeHFkiB.[2] |
| enterprise | T1480 | Execution Guardrails | - |
| enterprise | T1480.002 | Mutual Exclusion | Embargo has utilized a hardcoded mutex name of “LoadUpOnGunsBringYourFriends” using the CreateMutexW() function.[1] Embargo has also utilized a hardcoded mutex name of “IntoTheFloodAgainSameOldTrip”.[2] |
| enterprise | T1068 | Exploitation for Privilege Escalation | Embargo has leveraged MS4Killer to deliver a vulnerable driver to the victim device, a technique sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).[2] Embargo has utilized the vulnerable driver probmon.sys version 3.0.0.4, which had a revoked certificate from “ITM System Co.,LTD.”[2] |
| enterprise | T1083 | File and Directory Discovery | Embargo has searched folders, subfolders, and other networked or mounted drives for follow-on encryption actions.[1] Embargo has also iterated device volumes using the FindFirstVolumeW() and FindNextVolumeW() functions and then called the GetVolumePathNamesForVolumeNameW() function to retrieve a list of drive letters and mounted folder paths for each volume.[1] |
| enterprise | T1657 | Financial Theft | Embargo has been leveraged in double-extortion ransomware operations, exfiltrating files and then encrypting them to pressure victims into paying a ransom.[1][2] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.009 | Safe Mode Boot | Embargo has used a DLL variant of MDeployer to disable security solutions through Safe Mode.[2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Embargo has leveraged MDeployer to terminate the MS4Killer process, delete the decrypted payload files and a driver file dropped by MS4Killer, and reboot the system.[2] |
| enterprise | T1490 | Inhibit System Recovery | Embargo has cleared files from the recycle bin by invoking SHEmptyRecycleBinW() and disabled Windows recovery through C:\Windows\System32\cmd.exe /q /c bcdedit /set {default} recoveryenabled no.[1] |
| enterprise | T1112 | Modify Registry | Embargo has modified and deleted Registry keys to add services and to disable security solutions such as Windows Defender.[2] |
| enterprise | T1106 | Native API | Embargo has leveraged Windows Native API functions to execute its operations.[1] |
| enterprise | T1135 | Network Share Discovery | Embargo has searched folders, subfolders, and other networked or mounted drives for follow-on encryption actions.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | Embargo has encrypted both the MDeployer and MS4Killer payloads with RC4.[2] |
| enterprise | T1057 | Process Discovery | Embargo has utilized MS4Killer to detect running processes on the victim device.[2] Embargo has also captured a snapshot of active running processes using the Windows API function CreateToolhelp32Snapshot().[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Embargo has obtained persistence for the MDeployer loader by creating a scheduled task named “Perf_sys”.[2] |
| enterprise | T1679 | Selective Exclusion | Embargo has avoided encrypting specific files and directories by leveraging a regular expression within the ransomware binary.[1] |
| enterprise | T1489 | Service Stop | Embargo has terminated active processes and services based on a hardcoded list using the CloseServiceHandle() function.[1] Embargo has also leveraged MS4Killer to terminate processes contained in an embedded, XOR-encrypted list of security software process names.[2] |
| enterprise | T1007 | System Service Discovery | Embargo has enumerated active services running on the victim’s system through the OpenSCManagerW() and EnumServicesStatusExW() functions.[1] |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | Embargo has created a service named irnagentd that executes the MDeployer loader after the system is rebooted in Safe Mode.[2] |
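As an added example (not part of the ATT&CK entry or of any vendor report), the following Python turns three behaviours from the table into simple detections over constructed process-creation log lines and flags the six-hexadecimal-character file extension pattern; the `field=value` log layout and the file paths in the samples are assumptions.

```python
import re
from typing import Iterable

# Behaviours taken from the ATT&CK entry: bcdedit recovery disable (T1490),
# the Perf_sys scheduled task (T1053.005) and the irnagentd service (T1543.003).
RULES = {
    "T1490 recovery disabled via bcdedit": re.compile(
        r"bcdedit\b.*\brecoveryenabled\s+no\b", re.IGNORECASE),
    "T1053.005 scheduled task Perf_sys": re.compile(
        r"schtasks\b.*\bPerf_sys\b", re.IGNORECASE),
    "T1543.003 service irnagentd": re.compile(
        r"\birnagentd\b", re.IGNORECASE),
}

# Final extension of exactly six hex characters, e.g. ".b58eeb" or ".3d828a".
EMBARGO_EXT = re.compile(r"\.[0-9a-f]{6}$")


def is_embargo_style_extension(path: str) -> bool:
    """True when the last extension is six hex characters.  Ordinary names
    such as 'site.deface' also match, so use this as a bulk-rename signal
    (many matches in a short window), not as a standalone alert."""
    return bool(EMBARGO_EXT.search(path.lower()))


def scan_events(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (rule name, command line) for every rule that matches a line."""
    hits = []
    for line in lines:
        # Assumed layout: the command line is the last 'CommandLine=' field.
        cmd = line.split("CommandLine=", 1)[1] if "CommandLine=" in line else line
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits.append((name, cmd.strip()))
    return hits


# Constructed sample events; paths and task arguments are placeholders.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /q /c bcdedit /set {default} recoveryenabled no",
    "Image=C:\\Windows\\System32\\schtasks.exe CommandLine=schtasks /create /tn Perf_sys /tr C:\\PLACEHOLDER\\loader.exe /sc onstart",
    "Image=C:\\Windows\\System32\\sc.exe CommandLine=sc create irnagentd binPath= C:\\PLACEHOLDER\\m.dll",
    "Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe C:\\Users\\a\\notes.txt",
]

if __name__ == "__main__":
    for rule, cmd in scan_events(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```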
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1053 | Storm-0501 | Storm-0501 has used Embargo for ransomware activities.[3][4] |
References
- [1] Cyble. (2024, May 24). The Rust Revolution: New Embargo Ransomware Steps In. Retrieved October 19, 2025.
- [2] Jan Holman, Tomas Zvara. (2024, October 23). Embargo ransomware: Rock’n’Rust. Retrieved October 19, 2025.
- [3] Microsoft Threat Intelligence. (2024, September 26). Storm-0501: Ransomware attacks expanding to hybrid cloud environments. Retrieved October 19, 2025.
- [4] Microsoft Threat Intelligence. (2025, August 27). Storm-0501’s evolving techniques lead to cloud-based ransomware. Retrieved October 19, 2025.