{
  "description": "Enterprise techniques used by Embargo, ATT&CK software S1247 (v1.0)",
  "name": "Embargo (S1247)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has modified the Windows Registry to start a custom service named irnagentd in Safe Mode.(Citation: ESET Embargo Ransomware October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has utilized a BAT script to disable security solutions.(Citation: ESET Embargo Ransomware October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1543", "showSubtechniques": true},
    {"techniqueID": "T1543.003", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has created persistence through the DLL variant of the MDeployer toolkit by creating a service called irnagentd that launches after the system is rebooted in Safe Mode.(Citation: ESET Embargo Ransomware October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1486", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has the ability to encrypt files with the ChaCha20 and Curve25519 cryptographic algorithms.(Citation: Cyble Embargo Ransomware May 2024) [Embargo](https://attack.mitre.org/software/S1247) also has the ability to encrypt system data and add a random six-letter extension consisting of hexadecimal characters such as \".b58eeb\" or \".3d828a\" to encrypted files.(Citation: ESET Embargo Ransomware October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has utilized MDeployer to decrypt two payloads that contain the MS4Killer toolkit b.cache and the [Embargo](https://attack.mitre.org/software/S1247) ransomware executable a.cache with a hardcoded RC4 key `wlQYLoPCil3niI7x8CvR9EtNtL/aeaHrZ23LP3fAsJogVTIzdnZ5Pi09ZVeHFkiB`.(Citation: ESET Embargo Ransomware October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1480", "showSubtechniques": true},
    {"techniqueID": "T1480.002", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has utilized a hardcoded mutex name of \u201cLoadUpOnGunsBringYourFriends\u201d using the `CreateMutexW()` function.(Citation: Cyble Embargo Ransomware May 2024) [Embargo](https://attack.mitre.org/software/S1247) has also utilized a hardcoded mutex name of \u201cIntoTheFloodAgainSameOldTrip.\u201d(Citation: ESET Embargo Ransomware October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1068", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has leveraged MS4Killer to deliver a vulnerable driver to the victim device, a technique sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation: ESET Embargo Ransomware October 2024) [Embargo](https://attack.mitre.org/software/S1247) has utilized the vulnerable driver probmon.sys version 3.0.0.4, which had a revoked certificate from \u201cITM System Co.,LTD.\u201d(Citation: ESET Embargo Ransomware October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has searched folders, subfolders and other networked or mounted drives for follow-on encryption actions.(Citation: Cyble Embargo Ransomware May 2024) [Embargo](https://attack.mitre.org/software/S1247) has also iterated device volumes using the `FindFirstVolumeW()` and `FindNextVolumeW()` functions and then called the `GetVolumePathNamesForVolumeNameW()` function to retrieve a list of drive letters and mounted folder paths for each specified volume.(Citation: Cyble Embargo Ransomware May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1657", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has been leveraged in double-extortion ransomware operations, exfiltrating files and then encrypting them to prompt victims to pay a ransom.(Citation: Cyble Embargo Ransomware May 2024)(Citation: ESET Embargo Ransomware October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has leveraged MDeployer to terminate the MS4Killer process, delete the decrypted payload files and a driver file dropped by MS4Killer, and reboot the system.(Citation: ESET Embargo Ransomware October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1490", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has cleared files from the recycle bin by invoking `SHEmptyRecycleBinW()` and disabled Windows recovery through `C:\\Windows\\System32\\cmd.exe /q /c bcdedit /set {default} recoveryenabled no`.(Citation: Cyble Embargo Ransomware May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1112", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has modified and deleted Registry keys to add services and to disable security solutions such as Windows Defender.(Citation: ESET Embargo Ransomware October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has leveraged Windows Native API functions to execute its operations.(Citation: Cyble Embargo Ransomware May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1135", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has searched folders, subfolders and other networked or mounted drives for follow-on encryption actions.(Citation: Cyble Embargo Ransomware May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has encrypted both the MDeployer and MS4Killer payloads with RC4.(Citation: ESET Embargo Ransomware October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has utilized MS4Killer to detect running processes on the victim device.(Citation: ESET Embargo Ransomware October 2024) [Embargo](https://attack.mitre.org/software/S1247) has also captured a snapshot of active running processes using the Windows API `CreateToolhelp32Snapshot()`.(Citation: Cyble Embargo Ransomware May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1688", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has used a DLL variant of MDeployer to disable security solutions through Safe Mode.(Citation: ESET Embargo Ransomware October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has obtained persistence for the MDeployer loader by creating a scheduled task named \u201cPerf_sys.\u201d(Citation: ESET Embargo Ransomware October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1679", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has avoided encrypting specific files and directories by leveraging a regular expression within the ransomware binary.(Citation: Cyble Embargo Ransomware May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1489", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has terminated active processes and services based on a hardcoded list using the `CloseServiceHandle()` function.(Citation: Cyble Embargo Ransomware May 2024) [Embargo](https://attack.mitre.org/software/S1247) has also leveraged MS4Killer to terminate processes contained in an embedded, XOR-encrypted list of security software process names.(Citation: ESET Embargo Ransomware October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1007", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has enumerated active services running on the victim\u2019s system through the functions `OpenSCManagerW()` and `EnumServicesStatusExW()`.(Citation: Cyble Embargo Ransomware May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1569", "showSubtechniques": true},
    {"techniqueID": "T1569.002", "comment": "[Embargo](https://attack.mitre.org/software/S1247) has created a service named irnagentd that executes the MDeployer loader after the system is rebooted in Safe Mode.(Citation: ESET Embargo Ransomware October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Embargo", "color": "#66b1ff"}]
}