Recent research has revealed that actors behind the Embargo ransomware are leveraging Safe Mode to disable security measures on compromised systems. Safe Mode, a diagnostic feature of operating systems, allows only essential drivers and services to load, making it easier to troubleshoot problems. By exploiting this mode, the ransomware group can operate with minimal interference from security solutions, thus facilitating their attacks. First detected in June 2024, Embargo has since targeted U.S. companies using advanced and customized tools specifically tailored to their victims’ environments.
The attack begins with the deployment of a malicious tool named MDeployer, which is usually initiated through a scheduled task titled “Perf_sys.” This loader decrypts two cache files, named “a.cache” and “b.cache,” using an RC4 encryption key. Once MDeployer is executed, it loads a second tool known as MS4Killer, which targets and exploits a vulnerable signed driver, “probmon.sys.” This driver is exploited via a technique referred to as “Bring Your Own Vulnerable Driver” (BYOVD), enabling the attackers to bypass existing security protocols.
Once security measures are disabled, MDeployer proceeds to deploy the Embargo ransomware payload. This malware encrypts files on the system, appending random six-letter hexadecimal extensions, such as “.b58eeb.” It also drops a ransom note titled “HOW_TO_RECOVER_FILES.txt” in each directory containing encrypted files. In addition to encryption, the group employs a double extortion strategy, threatening to publish stolen data on their leak site if their ransom demands are not met. This approach illustrates the group’s advanced capabilities, which have emerged in response to the disruptions faced by other prominent ransomware actors.
In addition to its sophisticated operational techniques, the MS4Killer tool utilizes an intricate encryption strategy to obfuscate critical components within its binary code. This includes logging message strings, an RC4 encryption key, and a list of target process names. By employing Windows API functions and strategic registry modifications, the malware effectively monitors and terminates security software processes, maintaining its stealthy operations. This advanced level of technical execution underscores the growing complexity of ransomware attacks and the need for organizations to bolster their cybersecurity defenses against such threats.
