Ransom:Win32/Embargo.DA!MTB
Aliases: No associated aliases
Summary
Ransom:Win32/Embargo.DA!MTB is ransomware delivered under a Ransomware-as-a-Service (RaaS) scheme. Its main binary is built in Rust, which lets it run as cross-platform malware and makes it harder for security software to analyze and block. The threat actors behind Embargo use a double extortion strategy: they exfiltrate data before encrypting files on the target network, which gives them additional leverage in their ransom demands. Embargo's attacks are highly structured and carry at least two primary payloads:
- A loader built in Rust that decrypts and deploys the main ransomware binary
- An additional tool that deactivates security software
The auxiliary tool gains elevated privileges by loading a legitimate but vulnerable driver (a bring-your-own-vulnerable-driver technique) and uses it to compromise and deactivate endpoint protection and antivirus processes. To further evade detection, it can reconfigure device settings to boot into Safe Mode, run persistent loops that continually terminate security-related services or applications, and attempt to delete installed security tools. Embargo as a RaaS is an advanced threat that focuses on enterprise-level targets. Its evasion capabilities, persistence, and effective attack methodology call for a pre-emptive, defense-in-depth security strategy that goes beyond traditional signature-based virus detection.
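As an added defender-side example that is not part of the Microsoft page, the following Python scans constructed process-creation command lines for two of the auxiliary tool's behaviours described above: reconfiguring the device to boot into Safe Mode, and repeatedly stopping or killing the same security service or process (the persistent termination loop). It assumes such activity surfaces in command-line telemetry as `bcdedit /set ... safeboot`, `sc stop`, `net stop` or `taskkill /IM`; the log format, the service names and the repetition threshold are all assumptions, not details from the page.

```python
import re
from collections import Counter

# Constructed process-creation telemetry (not from the Microsoft page).
# Assumed format: "<timestamp> pid=<pid> cmd=<command line>".
SAMPLE_LOG = [
    r"2024-01-01T10:00:01 pid=4120 cmd=C:\Windows\System32\bcdedit.exe /set {default} safeboot minimal",
    r"2024-01-01T10:00:02 pid=4120 cmd=sc.exe stop ExampleAVService",
    r"2024-01-01T10:00:05 pid=4120 cmd=sc.exe stop ExampleAVService",
    r"2024-01-01T10:00:08 pid=4120 cmd=sc.exe stop ExampleAVService",
    r"2024-01-01T10:00:09 pid=4120 cmd=taskkill.exe /F /IM ExampleAV.exe",
    r"2024-01-01T10:00:12 pid=4120 cmd=taskkill.exe /F /IM ExampleAV.exe",
    r"2024-01-01T10:00:15 pid=4120 cmd=taskkill.exe /F /IM ExampleAV.exe",
    r"2024-01-01T10:00:20 pid=5000 cmd=notepad.exe C:\Users\u\notes.txt",
    r"2024-01-01T10:00:25 pid=5100 cmd=sc.exe stop Spooler",
]

LINE_RE = re.compile(r"^(\S+)\s+pid=(\d+)\s+cmd=(.*)$")
# Safe Mode boot reconfiguration through the boot configuration store.
SAFEBOOT_RE = re.compile(r"\bbcdedit(?:\.exe)?\b.*\s/set\b.*\bsafeboot\b", re.I)
# Service/process termination commands; the capture group is the target name.
KILL_RE = re.compile(
    r"\b(?:sc|net)(?:\.exe)?\s+stop\s+(\S+)|\btaskkill(?:\.exe)?\s.*?/im\s+(\S+)", re.I)

def detect(lines, kill_threshold=3):
    """Return findings: ('safeboot_reconfig', ts, cmd) for each boot-config
    change, and ('repeated_kill', target, count) when the same service or
    process is stopped/killed at least kill_threshold times. The threshold
    separates a termination loop from a single, possibly legitimate stop."""
    findings = []
    kills = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts, _pid, cmd = m.groups()
        if SAFEBOOT_RE.search(cmd):
            findings.append(("safeboot_reconfig", ts, cmd))
        k = KILL_RE.search(cmd)
        if k:
            kills[(k.group(1) or k.group(2)).lower()] += 1
    for target, n in sorted(kills.items()):
        if n >= kill_threshold:
            findings.append(("repeated_kill", target, n))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

A single `sc stop Spooler` stays below the threshold, so only the Safe Mode change and the two repeatedly targeted security components are reported.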
The !MTB suffix indicates a behavioral machine learning-based detection. This means that Ransom:Win32/Embargo.DA!MTB exhibits behavior similar to the known Embargo ransomware but does not match exact known signatures.
- Confirm encryption patterns and ransom notes. Avoid modifying files to prevent data loss.
- Disconnect from the internet and unplug external storage devices to prevent lateral movement.
- Do not pay the ransom: there is no guarantee that paying will result in decryption, and it can encourage further attacks.
- Restore from offline or cloud backups if available.
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.