SonicWALL Inc.

10/04/2024 | Press release | Distributed by Public on 10/05/2024 02:14

A look into Embargo Ransomware, another Rust-based ransomware

Embargo is a relatively new ransomware group that emerged in 2024. The group is known for using Rust-based malware and operating under a ransomware-as-a-service (RaaS) model. Like many modern ransomware groups, Embargo employs double-extortion tactics: it first exfiltrates sensitive data from its victims before encrypting their files, then threatens to release the stolen data unless a ransom is paid.

Infection Cycle

This ransomware uses an executable written in Rust. Examining its strings shows references to a multitude of Rust libraries and crates.

Figure 1: Rust libraries and crates referenced in its strings

Here are some of the notable Rust crates used by this ransomware that help explain its functionality:

  • clap_builder - command-line argument parser
  • humantime - parser and formatter for durations and timestamps
  • log4rs - crate used for output logging
  • ignore - file/directory iterator that can automatically filter out files and directories according to ignore globs
  • zeroize - securely clears secrets from memory
  • winapi-util-0.1.6/src/sysinfo.rs - routines for querying Windows-specific properties such as the computer name
  • chacha20 - Rust implementation of the ChaCha20 stream cipher, a 256-bit stream cipher used to encrypt and decrypt data
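
The crate references above come from the cargo source paths that Rust binaries typically embed (the write-up quotes one such path, winapi-util-0.1.6/src/sysinfo.rs). The following script is an added triage example, not SonicWall's tooling: it parses those paths out of a file's bytes, inventories crate names and versions, and flags the file when several of the crates noted above appear together. The sample bytes, the registry hash placeholder and the crate versions are constructed for illustration; the min_hits threshold is an assumption to tune per environment.

```python
"""Triage helper: inventory the Rust crates referenced in a binary's embedded
cargo source paths and compare them with the crates noted in the write-up.
Added example, not SonicWall's tooling; the sample bytes below are constructed
and stand in for the strings of a real binary."""
import re
from typing import Dict, Set

# Crates called out in the write-up as notable for this sample. Matching on
# them is a triage aid only: plenty of benign Rust programs use the same crates.
NOTED_CRATES = {
    "clap_builder", "humantime", "log4rs", "ignore",
    "zeroize", "winapi-util", "chacha20",
}

# Rust binaries built against crates.io typically embed panic/debug paths of the
# form <registry>/<crate>-<semver>/src/<file>, e.g. winapi-util-0.1.6/src/sysinfo.rs
# (the path quoted in the write-up). Both path separators are accepted.
CRATE_PATH = re.compile(
    rb"([a-z0-9_]+(?:-[a-z0-9_]+)*)-(\d+\.\d+\.\d+)[/\\]src[/\\][a-z0-9_./\\-]+",
    re.IGNORECASE,
)


def inventory_crates(data: bytes) -> Dict[str, Set[str]]:
    """Map each crate name found in embedded source paths to the versions seen."""
    crates: Dict[str, Set[str]] = {}
    for m in CRATE_PATH.finditer(data):
        name = m.group(1).decode("ascii").lower()
        version = m.group(2).decode("ascii")
        crates.setdefault(name, set()).add(version)
    return crates


def triage(data: bytes, min_hits: int = 3) -> Dict[str, object]:
    """Summarise the crate inventory and flag the file when enough noted crates appear.
    min_hits is an assumed threshold, not a value from the write-up."""
    crates = inventory_crates(data)
    hits = sorted(c for c in crates if c in NOTED_CRATES)
    return {
        "is_rust_build": bool(crates),
        "all_crates": sorted(crates),
        "noted_crate_hits": hits,
        "flag_for_review": len(hits) >= min_hits,
    }


# Constructed sample: a few NUL-separated strings of the kind `strings` would
# print for a Rust PE. Registry hash and crate versions are placeholders.
SAMPLE = (
    b"\x00/rustc/0000000/library/core/src/fmt/mod.rs\x00"
    b"/home/build/.cargo/registry/src/index.crates.io-0000000000000000/chacha20-0.9.1/src/lib.rs\x00"
    b"C:\\Users\\build\\.cargo\\registry\\src\\index.crates.io-0000000000000000\\winapi-util-0.1.6\\src\\sysinfo.rs\x00"
    b"/home/build/.cargo/registry/src/index.crates.io-0000000000000000/log4rs-1.3.0/src/append/file.rs\x00"
    b"/home/build/.cargo/registry/src/index.crates.io-0000000000000000/serde-1.0.200/src/lib.rs\x00"
)

if __name__ == "__main__":
    # Replace SAMPLE with open(path, "rb").read() to triage a real file.
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against a real file by reading its bytes in place of SAMPLE. The inventory is also useful on its own: a Rust binary that embeds no crate paths at all has usually been stripped, which is itself worth noting during triage.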

This ransomware uses command line options as shown in the figure below.

Figure 2: Embargo ransomware command line options

Executing this malware with the logging option creates a log file that records every file successfully encrypted, along with any errors encountered at runtime.

Figure 3: Runtime execution logging output to a file

Upon successful execution, encrypted files have random digits appended to their names, and a ransom note is dropped in every directory where files have been encrypted.

Figure 4: Example of encrypted files within a directory
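
The renaming pattern described above (an all-digit suffix appended to each encrypted file, many of them in the same directory) is a simple artifact to hunt for in a file listing. The script below is an added example, not SonicWall's detection logic: it groups paths by directory and flags directories where a large share of files carry a digit-only extension. The listing, the thresholds and the false-positive case (a versioned shared library) are constructed for illustration.

```python
"""Directory-listing heuristic for the post-encryption artifact described above:
files whose names end in an all-digit extension, clustered in one directory.
Added example, not SonicWall's detection logic; the listing and thresholds are
constructed for illustration."""
import posixpath
import re
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# A final extension consisting only of digits, e.g. "budget.xlsx.583921".
DIGIT_EXT = re.compile(r"\.\d+$")


def split_path(path: str) -> Tuple[str, str]:
    """Split a Windows or POSIX path into (directory, file name)."""
    return posixpath.split(path.replace("\\", "/"))


def has_digit_extension(path: str) -> bool:
    """True when the file name ends in a digit-only extension."""
    return DIGIT_EXT.search(split_path(path)[1]) is not None


def flag_directories(paths: Iterable[str], min_files: int = 5,
                     min_ratio: float = 0.8) -> Dict[str, Dict[str, float]]:
    """Return directories in which at least min_files files carry a digit-only
    extension and those files make up at least min_ratio of the directory.
    Isolated hits such as a versioned shared library (libhelper.so.1) stay
    below min_files and are not flagged. Thresholds are assumed values."""
    per_dir = defaultdict(lambda: {"total": 0, "digit_ext": 0})
    for p in paths:
        directory, _ = split_path(p)
        per_dir[directory]["total"] += 1
        if has_digit_extension(p):
            per_dir[directory]["digit_ext"] += 1
    flagged: Dict[str, Dict[str, float]] = {}
    for directory, counts in per_dir.items():
        ratio = counts["digit_ext"] / counts["total"]
        if counts["digit_ext"] >= min_files and ratio >= min_ratio:
            flagged[directory] = {**counts, "ratio": round(ratio, 2)}
    return flagged


# Constructed listing: one user directory after encryption, one system
# directory untouched, and a versioned library that should not trip the rule.
SAMPLE_LISTING = [
    "C:\\Users\\alice\\Documents\\budget.xlsx.583921",
    "C:\\Users\\alice\\Documents\\notes.txt.104477",
    "C:\\Users\\alice\\Documents\\photo.jpg.770315",
    "C:\\Users\\alice\\Documents\\contract.pdf.229081",
    "C:\\Users\\alice\\Documents\\archive.zip.915402",
    "C:\\Users\\alice\\Documents\\desktop.ini",
    "C:\\Windows\\System32\\kernel32.dll",
    "C:\\Windows\\System32\\ntdll.dll",
    "/opt/app/lib/libhelper.so.1",
]

if __name__ == "__main__":
    # Feed a real listing (e.g. lines from a file-system inventory) instead.
    for directory, info in flag_directories(SAMPLE_LISTING).items():
        print(f"{directory}: {info}")
```

The ratio test keeps a directory with a handful of versioned files (lib.so.1, lib.so.2) from being flagged; the minimum count keeps a single stray file from doing so. Both values are starting points to tune against a known-good inventory of the environment.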

The ransom note gives instructions on how to recover the files, along with a threat that all sensitive data will be posted on the group's blog site.

Figure 5: Embargo ransom note

Embargo has targeted various organizations. The group's blog on the onion network lists victims that have allegedly not paid the ransom and whose data is now available to the public.

Figure 6: Embargo website on the onion network, accessible using a Tor browser

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Embargo.RSM(Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI and by the Capture Client endpoint solutions.

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.