S1247: Embargo
Embargo is a ransomware variant written in Rust that has been active since at least May 2024.[1][2] Embargo ransomware operations are associated with “double extortion” ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid.[1][2] Embargo ransomware has been known to be delivered through a loader known as MDeployer which also leverages a malware component known as MS4Killer that facilitates termination of processes operating on the victim hosts.[2] Embargo is also reportedly a Ransomware as a Service (RaaS).[2]
Analyst context for executives and security teams
Embargo matters because ATT&CK describes it as a Rust-based ransomware variant associated with double extortion: data theft before encryption and threats to publish files. Its listed platform scope spans Windows, Linux, and ESXi, which makes it relevant to both endpoint and virtualization recovery planning. For leaders, the key decision value is not only “can we detect ransomware,” but whether the organization can see discovery, persistence, service/process disruption, recovery inhibition, and encryption behaviors early enough to contain business interruption.
Executive priority
Treat Embargo as a ransomware resilience validation case. Confirm that incident response, backup recovery, privileged access controls, and monitoring cover Windows servers, Linux systems, and ESXi where applicable. Because ATT&CK links Embargo to double extortion and financial theft, executives should ask whether legal, communications, cyber insurance, and evidence-preservation processes are ready for both encryption and data-exposure decisions. Budget priority should favor controls that reduce ransomware blast radius: hardened administrative access, recoverable backups, service/process change visibility, and tested response procedures.
Technical view
ATT&CK provides no official detection text for Embargo, so defenders should build coverage from the listed relationships. Validate telemetry and analytics for discovery activity such as process, service, file/directory, and network share enumeration; Windows execution and persistence through command shell, scheduled tasks, services, service execution, Registry modification, and Run keys; stealth and defense impairment such as encoded files, decoding activity, file deletion, mutex-based execution constraints, selective exclusion, and Safe Mode boot abuse; and impact behaviors including service stop, recovery inhibition, data encryption, and financial extortion context. The description also notes delivery through MDeployer and use of MS4Killer to facilitate process termination, so IR playbooks should treat suspicious mass process/service termination as a high-priority ransomware precursor when paired with discovery or encryption signals.
Likely telemetry
- Endpoint process creation and command-line telemetry on Windows and Linux
- Windows Event Log data for scheduled tasks, services, Registry changes, Run keys, Safe Mode boot configuration, and service control activity
- Linux and ESXi host logs showing process enumeration, file traversal, service changes, and recovery-related changes
- File system telemetry for high-volume file modification, encryption-like rename/write patterns, file deletion, and exclusion patterns
- Network share access and enumeration logs, especially SMB share discovery on Windows environments
Detection direction
- Because MITRE does not provide an Embargo-specific detection recommendation, prioritize behavior-based detections mapped to the related ATT&CK techniques rather than relying on malware names alone.
- Correlate discovery activity with subsequent service/process termination, persistence creation, recovery inhibition, and high-volume file encryption; isolated administrative discovery commands may be benign, but clustered sequences should raise priority.
- Tune Windows detections around schtasks, cmd, service control, Registry modification, Run keys, and Safe Mode configuration changes, while accounting for legitimate administration and software deployment activity.
- For ESXi and Linux, validate that host and management-plane logging can show process discovery, file/directory traversal, service stopping, recovery/snapshot tampering, and encryption-impact patterns.
- Review blind spots around virtualization hosts, backup infrastructure, and systems where EDR does not load in Safe Mode or has limited coverage.
Mitigation priorities
- Prioritize resilient, tested backups and recovery paths that cannot be easily deleted or disabled from ordinary administrative accounts.
- Harden privileged access across Windows, Linux, and ESXi, including separation of duties for backup, virtualization, and domain/server administration.
- Restrict and monitor mechanisms commonly abused for execution and persistence, including scheduled tasks, services, service execution, command shell use, Registry Run keys, and startup locations.
- Protect endpoint and server security controls against tampering, Safe Mode bypass scenarios, and unauthorized process/service termination.
- Segment critical servers, virtualization management, and file shares to limit ransomware spread and reduce access to high-value data stores.
Analyst notes and limits
This take is based on ATT&CK S1247 Embargo in enterprise-attack version 19.1 and its supplied relationships. ATT&CK describes Embargo as Rust-based ransomware active since at least May 2024, associated with double extortion, reportedly RaaS, and known to be delivered through MDeployer with MS4Killer facilitating process termination. Relationship context also states Storm-0501 uses this object. Defensive planning should use those facts as prioritization context and validate against local telemetry before drawing conclusions.
No official ATT&CK detection guidance, aliases, labels, or object-level tactics were provided. The related techniques give strong behavioral direction, but they do not by themselves prove Embargo activity in an environment. Platform relevance is limited to the supplied platforms: ESXi, Linux, and Windows. Local logging depth, EDR capability, backup architecture, and incident evidence are required to assess actual exposure or coverage.
Embargo
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1489 | Service Stop | Embargo has terminated active processes and services based on a hardcoded list using the `CloseServiceHandle()` function.[1] Embargo has also leveraged MS4Killer to terminate processes contained in an embedded list of security software process names that were XOR-encrypted.[2] |
| Enterprise | T1480.002 | Mutual Exclusion Sub-technique | |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Embargo has leveraged MS4Killer to deliver a vulnerable driver to the victim device, sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).[2] Embargo has utilized the vulnerable driver probmon.sys version 3.0.0.4, which had a revoked certificate from “ITM System Co.,LTD.”[2] |
| Enterprise | T1657 | Financial Theft | Embargo has been leveraged in double-extortion ransomware, exfiltrating files and then encrypting them, to prompt victims to pay a ransom.[1][2] |
| Enterprise | T1083 | File and Directory Discovery | Embargo has searched folders, subfolders, and other networked or mounted drives for follow-on encryption actions.[1] Embargo has also iterated device volumes using the `FindFirstVolumeW()` and `FindNextVolumeW()` functions and then called the `GetVolumePathNamesForVolumeNameW()` function to retrieve a list of drive letters and mounted folder paths for each specified volume.[1] |
| Enterprise | T1688 | Safe Mode Boot | Embargo has used a DLL variant of MDeployer to disable security solutions through Safe Mode.[2] |
| Enterprise | T1106 | Native API | Embargo has leveraged Windows Native API functions to execute its operations.[1] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1112 | Modify Registry | Embargo has modified and deleted Registry keys to add services and to disable security solutions such as Windows Defender.[2] |
| Enterprise | T1490 | Inhibit System Recovery | Embargo has cleared files from the recycle bin by invoking `SHEmptyRecycleBinW()` and disabled Windows recovery through `C:\Windows\System32\cmd.exe /q /c bcdedit /set {default} recoveryenabled no`.[1] |
| Enterprise | T1679 | Selective Exclusion | Embargo has avoided encrypting specific files and directories by leveraging a regular expression within the ransomware binary.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1135 | Network Share Discovery | Embargo has searched folders, subfolders, and other networked or mounted drives for follow-on encryption actions.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Embargo has encrypted both MDeployer and MS4Killer payloads with RC4.[2] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Embargo has utilized a BAT script to disable security solutions.[2] |
| Enterprise | T1007 | System Service Discovery | Embargo has obtained the active services running on the victim’s system through the functions `OpenSCManagerW()` and `EnumServicesStatusExW()`.[1] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Embargo has obtained persistence for the loader MDeployer by creating a scheduled task named “Perf_sys.”[2] |
| Enterprise | T1070.004 | File Deletion Sub-technique | Embargo has leveraged MDeployer to terminate the MS4Killer process, delete the decrypted payload files and a driver file dropped by MS4Killer, and reboot the system.[2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Embargo has modified the Windows Registry to start a custom service named irnagentd in Safe Mode.[2] |
| Enterprise | T1569.002 | Service Execution Sub-technique | Embargo has created a service named irnagentd that executed the MDeployer loader after the system is rebooted in Safe Mode.[2] |
| Enterprise | T1486 | Data Encrypted for Impact | Embargo has the ability to encrypt files with the ChaCha20 and Curve25519 cryptographic algorithms.[1] Embargo also has the ability to encrypt system data and add a random six-letter extension consisting of hexadecimal characters, such as “.b58eeb” or “.3d828a”, to encrypted files.[2] |
| Enterprise | T1543.003 | Windows Service Sub-technique | Embargo has created persistence through the DLL variant of the MDeployer toolkit by creating a service called irnagentd that launches after the system is rebooted in Safe Mode.[2] |
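As an added example (not from ATT&CK, the cited reports, or this page's own content), the following Python applies the correlation guidance in the Detection direction section to the concrete procedure entries in the table above: the bcdedit recovery-disable command (T1490), the Perf_sys task and irnagentd service names (T1053.005, T1569.002), and the random six-character hexadecimal extension on encrypted files (T1486). The event tuple format, the rename threshold, and every sample event are constructed assumptions; isolated signals are reported but only hosts with clustered signals are escalated.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): (host, event_type, detail),
# listed in the order observed on each host.
SAMPLE_EVENTS = [
    ("srv01", "process", r"C:\Windows\System32\cmd.exe /q /c bcdedit /set {default} recoveryenabled no"),
    ("srv01", "task_create", "Perf_sys"),
    ("srv01", "service_create", "irnagentd"),
] + [
    ("srv01", "rename", rf"C:\Share\doc{i}.docx -> C:\Share\doc{i}.docx.3d828a") for i in range(6)
] + [
    ("ws07", "process", "bcdedit /enum"),  # benign admin query; recoveryenabled is not changed
    ("ws07", "rename", r"C:\tmp\a.txt -> C:\tmp\a.bak"),
    ("ws07", "rename", r"C:\tmp\b.txt -> C:\tmp\b.txt.abc123"),  # one hex-like rename alone is noise
]

# T1490 procedure from the table: bcdedit disabling Windows recovery.
RECOVERY_DISABLE = re.compile(r"bcdedit.*recoveryenabled\s+no", re.IGNORECASE)
# T1486 procedure from the table: six hexadecimal characters appended as a new extension.
HEX_EXT_RENAME = re.compile(r"->\s*.*\.[0-9a-f]{6}$", re.IGNORECASE)
# Task and service names reported for MDeployer persistence (T1053.005, T1569.002).
PERSISTENCE_NAMES = {"perf_sys", "irnagentd"}
ENCRYPTION_RENAME_THRESHOLD = 5  # assumed tuning value; raise it on busy file servers


def score_host_events(events):
    """Group telemetry by host and return {host: sorted list of signal names}."""
    signals = defaultdict(set)
    rename_counts = defaultdict(int)
    for host, etype, detail in events:
        if etype == "process" and RECOVERY_DISABLE.search(detail):
            signals[host].add("inhibit_recovery")
        elif etype in ("task_create", "service_create") and detail.lower() in PERSISTENCE_NAMES:
            signals[host].add("known_persistence_name")
        elif etype == "rename" and HEX_EXT_RENAME.search(detail):
            rename_counts[host] += 1
            if rename_counts[host] >= ENCRYPTION_RENAME_THRESHOLD:
                signals[host].add("mass_hex_extension_rename")
    return {host: sorted(s) for host, s in signals.items()}


def hosts_to_escalate(events, min_signals=2):
    """Escalate only hosts where independent signals cluster, per the correlation guidance."""
    scored = score_host_events(events)
    return sorted(h for h, s in scored.items() if len(s) >= min_signals)


if __name__ == "__main__":
    print(score_host_events(SAMPLE_EVENTS))
    print(hosts_to_escalate(SAMPLE_EVENTS))
```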
Groups, software, and campaigns
G1053: Storm-0501
Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 82ae931d7937… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Cyble Embargo Ransomware May 2024: Cyble. (2024, May 24). The Rust Revolution: New Embargo Ransomware Steps In. Retrieved October 19, 2025.
[2] ESET Embargo Ransomware October 2024: Jan Holman, Tomas Zvara. (2024, October 23). Embargo ransomware: Rock’n’Rust. Retrieved October 19, 2025.
[3] mitre-attack S1247.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.