How Are Embargo Ransomware Actors Abusing Safe Mode to Bypass Security?

ESET researchers have recently identified a new tactic employed by Embargo ransomware actors to disable security solutions by exploiting Safe Mode, which is typically used as a diagnostic environment for troubleshooting system issues. Safe Mode usually loads only the essential drivers and services required to run the system, providing a minimal environment for system repair. However, Embargo ransomware actors seize this limited functionality to bypass security measures and deploy their ransomware effectively.

Discovery and Initial Strategy

MDeployer and Scheduled Task

The emergence of the Embargo ransomware was first detected in June 2024. This ransomware is part of a broader ransomware-as-a-service (RaaS) operation that focuses specifically on U.S. companies. The attack begins with the deployment of MDeployer, a malicious loader developed in Rust. MDeployer gets activated through a scheduled task innocuously labeled “Perf_sys.” This task decrypts encrypted cache files using an RC4 encryption key and subsequently loads MS4Killer, another Rust-based tool designed to disable endpoint security measures.

BYOVD Technique

MS4Killer employs an advanced tactic known as "Bring Your Own Vulnerable Driver" (BYOVD) to disable security solutions. It leverages a compromised signed driver named “probmon.sys” to evade detection and block security software from functioning. Exploiting such vulnerabilities allows the malware to operate under the radar, essentially neutralizing any active defensive measures. Once the security solutions are disabled, MDeployer launches the Embargo ransomware payload, which encrypts files on the target system.

The Ransomware Process

File Encryption and Ransom Note

When the ransomware is activated, it encrypts a variety of files and appends them with random six-letter hexadecimal extensions. This effectively corrupts the data, rendering it inaccessible without the corresponding decryption key. Simultaneously, the ransomware deposits a ransom note named "HOW_TO_RECOVER_FILES.txt" in each affected directory, which instructs victims on how to pay the ransom to recover their files. Additionally, the ransomware creates a mutex called “IntoTheFloodAgainSameOldTrip” for system synchronization, ensuring that only one instance of the malware runs at a time.

Double Extortion Tactics

Embargo ransomware operators also use a double extortion strategy, a tactic where they threaten to release stolen data if the ransom is not paid. The actors communicate through their own infrastructure and the secure Tox protocol, adding another layer of complexity to their operations. This dual threat puts additional pressure on victims, making them more likely to pay the ransom to avoid the public exposure of sensitive information.

Advanced Encryption and Process Manipulation

XOR Encryption and Custom Decryption

MS4Killer utilizes advanced encryption strategies to obscure the critical components in its binary code. This complexity is achieved using the XOR cipher, a method of encryption that alters the binary data to make it unreadable without the correct decryption key. The malware employs a custom decryption function to reveal these components when needed. It also manipulates processes through the Windows API "OpenProcessToken" to gain the necessary permissions to execute its tasks without raising suspicions.

Driver Storage and Monitoring

The malware stores the vulnerable driver “probmon.sys” in two designated locations, securing it further with RC4 and XOR encryption. By monitoring and terminating security software processes, MS4Killer ensures that it can operate uninterrupted. This is done using the “SeLoadDriverPrivilege” for managing the driver and the “CreateServiceW” API to create and manage services as needed. Through strategic registry modifications, the malware maintains its presence and ensures the continued success of the attack.

Conclusion

ESET researchers have recently uncovered a new strategy being used by Embargo ransomware operators to disable security software by taking advantage of Safe Mode. Typically, Safe Mode is utilized as a diagnostic tool to help troubleshoot and fix system problems, as it only loads essential drivers and services needed to run the operating system. This restricted environment is designed to make it easier to address system issues by minimizing the number of running processes. However, Embargo ransomware actors are exploiting this minimalistic setting to circumvent security protocols. By operating within Safe Mode, they effectively bypass the limited security measures and deploy their ransomware more efficiently. This tactic represents a significant challenge for traditional security solutions, which may not be fully operational in Safe Mode and therefore unable to detect or stop the ransomware attack. The discovery highlights the evolving sophistication of cyber threats and the need for enhanced security measures that can operate in all system modes.

Explore more

Ethereum Uses AI Swarms to Proactively Patch Network Flaws

The architectural integrity of global decentralized networks has reached a pivotal juncture where the speed of malicious exploitation often outpaces the traditional cadence of human-led security audits. To address this widening gap, The Ethereum Foundation has fundamentally transitioned its security strategy from a reactive model to an automated, proactive defense paradigm that leverages the power of machine learning. This shift

How Is ERP Modernization Driving DLA to Audit Readiness?

The Defense Logistics Agency currently manages an intricate global supply chain that serves as the backbone for the United States military, requiring an unprecedented level of financial precision and operational transparency to meet modern oversight requirements. This massive undertaking involves a transition from aging, siloed legacy systems to a unified Enterprise Resource Planning environment designed to provide real-time visibility into

What Makes Odyssey Infostealer a Global Threat to macOS?

The long-standing myth that macOS remains immune to sophisticated cyberattacks has been decisively shattered by the emergence of the Odyssey infostealer, a highly specialized malware variant engineered to bypass modern system integrity protections. This transition represents a fundamental shift in the threat landscape, where the historical security-by-obscurity advantage once enjoyed by Apple users has entirely vanished. As the adoption of

Can AI Secure Windows Without Compromising Stability?

The sheer scale of modern software development has reached a point where manual code review is no longer sufficient to protect the billions of devices running Windows across the globe. As lines of code multiply and interdependencies become more complex, traditional security measures are struggling to keep pace with the rapid evolution of sophisticated digital threats. In response to this

Xero Launches JAX to Redefine Accounting with Agentic AI

Small business owners have historically spent an exhausting amount of time tethered to spreadsheets and receipts, but the emergence of agentic AI is finally turning those static records into a living, breathing financial command center that operates with minimal human oversight. With more than five million global subscribers now integrated into its ecosystem, Xero is spearheading a movement toward Accountable