Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)

Embargo is a ransomware variant written in Rust that has been active since at least May 2024.(Citation: Cyble Embargo Ransomware May 2024)(Citation: ESET Embargo Ransomware October 2024) Embargo ransomware operations are associated with “double extortion” ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid.(Citation: Cyble Embargo Ransomware May 2024)(Citation: ESET Embargo Ransomware October 2024) Embargo ransomware has been known to be delivered through a loader known as MDeployer which also leverages a malware component known as MS4Killer that facilitates termination of processes operating on the victim hosts.(Citation: ESET Embargo Ransomware October 2024) Embargo is also reportedly a Ransomware as a Service (RaaS).(Citation: ESET Embargo Ransomware October 2024)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
Selective Exclusion - T1679 (9b00925a-7c4b-4e53-bfc8-9a6a806fde03)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
Safe Mode Boot - T1688 (c7660f19-f8c5-4ae3-a5e5-24381c270376)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3)	Attack Pattern	Embargo - S1247 (82adb90e-43b8-4bce-9efe-afeba65457b2)	Malware	1
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2