Embargo
Embargo is a Rust-based ransomware family and ransomware-as-a-service (RaaS) operation, also tracked as Storm-0501, first observed in April 2024 and publicly described as active through at least March 2026. It is used in double-extortion attacks in which data is exfiltrated before files are encrypted. Public reporting describes Embargo as an open-affiliate RaaS operation, and multiple researchers assess it to be a probable successor or rebrand of BlackCat/ALPHV. Storm-0501 is identified as a primary affiliate deploying Embargo, though that actor has also used other ransomware families.
Embargo's toolchain includes the MDeployer loader and the MS4Killer EDR-killer toolkit. MDeployer decrypts its payloads, including the ransomware executable and MS4Killer, with a hardcoded RC4 key. For persistence, Embargo has created a Windows service named irnagentd via a DLL variant of MDeployer, configured to launch after a reboot into Safe Mode, and has also created a scheduled task named Perf_sys. The malware has modified and deleted Registry keys to add services and to disable security solutions, including Windows Defender, and has used BAT scripts to weaken defenses.
A notable defense-evasion capability is its Bring Your Own Vulnerable Driver (BYOVD) technique. Embargo has used MS4Killer to deploy probmon.sys version 3.0.0.4, a vulnerable driver signed with a revoked certificate from ITM System Co., LTD., to terminate security products and other targeted processes and services. Reported termination targets include SentinelOne, Cylance, ESET, Defender, Bitdefender, Kaspersky, and Webroot. Embargo also performs service and process discovery using OpenSCManagerW(), EnumServicesStatusExW(), and CreateToolhelp32Snapshot(), and enumerates device volumes with FindFirstVolumeW(), FindNextVolumeW(), and GetVolumePathNamesForVolumeNameW().
For impact, Embargo encrypts files with ChaCha20 and Curve25519/X25519 and appends a random 6-character hexadecimal extension such as .b58eeb or .3d828a. It searches folders, subfolders, mounted drives, and networked drives to identify encryption targets, and skips certain files and directories using a regular expression embedded in the binary. It inhibits recovery by emptying the Recycle Bin with SHEmptyRecycleBinW() and disabling Windows recovery with bcdedit /set {default} recoveryenabled no. The operation exfiltrates data with Rclone to MEGA or MegaSync before encryption, runs a Tor-based leak site, handles ransom communications through a Tor registration portal and TOX, and drops a ransom note named HOW_TO_RECOVER_FILES.txt.
Additional identifiers include the hardcoded mutex names IntoTheFloodAgainSameOldTrip and LoadUpOnGunsBringYourFriends. Reported victimology is concentrated in the United States, with technology and healthcare specifically noted among affected sectors. TRM Labs traced approximately $34.2 million in cryptocurrency payments to the Embargo operation through mid-2025.
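As an added example (not code from this page's sources or from any vendor tool), the following Python scores one host's telemetry against the Embargo host indicators listed above: the irnagentd service, the Perf_sys task, the probmon.sys driver, the bcdedit recovery command, the mutex names, the ransom note, and a burst of 6-hex-character renames. The event schema and the sample events are constructed; the rename threshold is an assumption chosen to keep the extension pattern from firing on its own.

```python
import re
from collections import Counter

# Host indicators taken from the Embargo profile above; events use a constructed,
# EDR-neutral dict shape (type / name / image / cmdline / path / new_path).
SERVICE_NAME, TASK_NAME, DRIVER_NAME = "irnagentd", "perf_sys", "probmon.sys"
RANSOM_NOTE = "how_to_recover_files.txt"
MUTEXES = {"LoadUpOnGunsBringYourFriends", "IntoTheFloodAgainSameOldTrip"}
RECOVERY_CMD = re.compile(r"bcdedit\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)
HEX_EXT = re.compile(r"\.[0-9a-f]{6}$")
MIN_RENAMES = 3  # assumption: a lone 6-hex-char extension is noisy, require a burst

def classify(event):
    # Map one telemetry event to the Embargo indicator it matches, or None.
    kind, low = event.get("type"), {k: str(v).lower() for k, v in event.items()}
    if kind == "service_create" and low.get("name") == SERVICE_NAME:
        return "service:irnagentd"
    if kind == "task_create" and low.get("name") == TASK_NAME:
        return "task:Perf_sys"
    if kind == "driver_load" and low.get("image", "").endswith(DRIVER_NAME):
        return "driver:probmon.sys"
    if kind == "process" and RECOVERY_CMD.search(event.get("cmdline", "")):
        return "bcdedit:recoveryenabled_no"
    if kind == "mutex" and event.get("name") in MUTEXES:  # mutex names are case-sensitive
        return "mutex:" + event["name"]
    if kind == "file_create" and low.get("path", "").endswith(RANSOM_NOTE):
        return "ransom_note"
    if kind == "file_rename" and HEX_EXT.search(low.get("new_path", "")):
        return "rename:hex6_ext"
    return None

def score_host(events):
    # Return the sorted set of indicators seen on one host; renames only count as a burst.
    hits = Counter(filter(None, (classify(e) for e in events)))
    found = {k for k in hits if k != "rename:hex6_ext"}
    if hits["rename:hex6_ext"] >= MIN_RENAMES:
        found.add("rename:hex6_ext_burst")
    return sorted(found)

# Constructed sample telemetry for one host (paths and ordering are made up).
SAMPLE_EVENTS = [
    {"type": "service_create", "name": "irnagentd", "image": r"C:\Windows\Temp\x.dll"},
    {"type": "task_create", "name": "Perf_sys"},
    {"type": "process", "image": "bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"type": "driver_load", "image": r"C:\Windows\Temp\probmon.sys"},
    {"type": "mutex", "name": "LoadUpOnGunsBringYourFriends"},
    {"type": "file_create", "path": r"C:\Users\alice\Desktop\HOW_TO_RECOVER_FILES.txt"},
    {"type": "file_rename", "new_path": r"C:\Users\alice\Documents\report.docx.b58eeb"},
    {"type": "file_rename", "new_path": r"C:\Users\alice\Documents\q3.xlsx.3d828a"},
    {"type": "file_rename", "new_path": r"C:\Users\alice\Documents\notes.txt.7f0c1e"},
    {"type": "file_rename", "new_path": r"C:\Users\alice\Documents\old.txt.backup"},
]
```

Any single strong indicator is worth an alert on its own; the rename burst is the one signal here that also fires on benign tooling, which is why it is thresholded.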
Vulnerabilities exploited
4 CVEs correlated with this family across public research and vendor advisories. All are known N-day vulnerabilities in internet-facing applications exploited by Storm-0501 for initial access:
CVE-2023-29300 / CVE-2023-38203 (Adobe ColdFusion)
CVE-2023-4966 (Citrix NetScaler, "Citrix Bleed")
CVE-2022-47966 (Zoho ManageEngine RCE)
Groups observed using it
2 distinct threat actors attributed by public researchers.
Embargo has obtained persistence of the loader MDeployer by creating a scheduled task named "Perf_sys."
Hastalamuerte was an experienced affiliate who had previously worked with Embargo, LockBit, and Medusa before joining Qilin.
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (4 techniques)
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution. Blue Mockingbird has used batch script files to automate execution and deployment of payloads. During HomeLand Justice, threat actors used Windows batch files for persistence and execution.
Persistence (5 techniques)
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation (5 techniques)
Stealth (7 techniques)
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.'
Embargo has utilized MDeployer to decrypt two payloads, b.cache (the MS4Killer toolkit) and a.cache (the Embargo ransomware executable), using a hardcoded RC4 key.
Embargo has utilized a hardcoded mutex name of "LoadUpOnGunsBringYourFriends" using the CreateMutexW() function. Embargo has also utilized a hardcoded mutex name of "IntoTheFloodAgainSameOldTrip."
Several entries describe malware examining running processes to determine if a debugger, sandbox, virtual environment, or analysis/security tools are present, such as AsyncRAT checking for a debugger, RogueRobin enumerating Wireshark and Sysinternals processes, and P8RAT checking for processes associated with virtual environments.
Defense Impairment (2 techniques)
Discovery (5 techniques)
Embargo has obtained active services running on the victim’s system through the functions OpenSCManagerW() and EnumServicesStatusExW().
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Embargo has searched folders, subfolders, and other networked or mounted drives for follow-on encryption actions. Embargo has also iterated device volumes using the FindFirstVolumeW() and FindNextVolumeW() functions and then called GetVolumePathNamesForVolumeNameW().
Impact (4 techniques)
Embargo has the ability to encrypt files with the ChaCha20 and Curve25519 cryptographic algorithms. Embargo also has the ability to encrypt system data and to add a random six-character extension of hexadecimal characters, such as ".b58eeb" or ".3d828a", to encrypted files.
Embargo has terminated active processes and services based on a hardcoded list using the CloseServiceHandle() function. Embargo has also leveraged MS4Killer to terminate processes contained in an embedded list of security software process names that were XOR-encrypted.
Other (2 techniques)
Examples include BlackByte performing Registry modifications to escalate privileges and disable security tools; LockBit 3.0 changing Registry values to disable SmartScreen and Windows Defender; TA505 using malware to disable Windows Defender through Registry modification.
BlackByte performed Registry modifications to escalate privileges and disable security tools. Embargo has modified and deleted Registry keys to add services, and to disable Security Solutions such as Windows Defender. TA505 has used malware to disable Windows Defender through modification of the Registry. During SharePoint ToolShell Exploitation, threat actors, including Storm-2603, disabled security services via Registry modifications.
Recent activity
29 sources tracked across advisories, community write-ups, and news.
Named as one of the ransomware operations with which hastalamuerte reportedly had prior experience.
A ransomware group referenced as the prior operation with which LARVA-368 was associated before launching ArmCorp/The Gentlemen.
A named ransomware operation referenced as one of the affiliate programs previously used by The Gentlemen founder.
Rust-based ransomware-as-a-service operation using double extortion. It exfiltrates data via Rclone to MEGA/MegaSync and encrypts files with ChaCha20 + Curve25519 ECC, appending random 6-character hex extensions and dropping HOW_TO_RECOVER_FILES.txt ransom notes.