A new ransomware strain called Embargo, written in Rust, has surfaced with its Darknet infrastructure. Using double extortion tactics, it resembles the recently seized ALPHV group. The novice gang already claims four victims from different countries.
Embargo Ransomware
In May 2024, cybersecurity researchers discovered a new ransomware group called Embargo. Written in Rust, Embargo uses fast encryption with ChaCha20 and Curve25519, making file recovery nearly impossible without paying the ransom.
After encryption, it adds a random 6-symbol extension to the files, with discovered variants using .564ba1, likely to change in the future. The use of Rust highlights the trend of adopting modern languages to bypass traditional security measures.
Embargo creators employ a classic double extortion method. Initially, they demand a ransom to unlock encrypted files. Then, after payment, they threaten to publish sensitive data online unless the victim pays for silence again. The average ransom from Embargo is approximately $1 million (15 BTC).
change this short Typically, the attack vector begins with phishing emails containing malicious attachments or links. Once clicked, the payload downloads and executes on the victim’s system. In essence, Embargo seeks specific instructions to control its actions upon execution. It targets directories R:\backups, \files01\finance, \10.0.3.2\D$\Accounting, creates a unique mutex identifier, and clears the recycle bin to hinder file recovery.
Additionally, it disables Windows recovery options, stops specific processes and services, and identifies connected drives and network resources to encrypt files. Embargo employs strong encryption methods like ChaCha20 and Curve, leaving a ransom note named HOW_TO_RECOVER_FILES.txt in each folder it encrypts. Thus, the ransomware locks files, making them inaccessible without a decryption key, which attackers offer in exchange for ransom.
Embargo shares operational similarities with ALPHV/BlackCat, a notorious ransomware group that recently ceased operations in an exit scam. Analysts highlight commonalities that suggest Embargo could be a variant of ALPHV ransomware:
- Codebase and infrastructure: A detailed analysis of Embargo’s code reveals similarities with ALPHV/BlackCat’s solutions, resembling a test sample of ALPHV ransomware released in 2022. While visually different, the new sample replicates the structure and syntax of the older one.
- Darknet site design: Like other ransomware groups, Embargo operates a Darknet site for negotiating and leaking data. However, the design of this page closely resembles that used by the BlackCat gang, with evidence of copying found in the HTML code.
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment