{
	"id": "84b2bb87-ea4c-4a33-bd9a-5794d6e23d3b",
	"created_at": "2026-04-06T00:18:34.271087Z",
	"updated_at": "2026-04-10T13:11:20.557755Z",
	"deleted_at": null,
	"sha1_hash": "399029c5e4a863d4ccc22aa1fc1d4504c800c3ff",
	"title": "The Rust Revolution: New Embargo Ransomware Steps In - Cyble",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2146490,
	"plain_text": "The Rust Revolution: New Embargo Ransomware Steps In - Cyble\r\nBy cybleinc\r\nPublished: 2024-05-24 · Archived: 2026-04-05 22:37:41 UTC\r\nCyble analyzes the Rust-based Embargo ransomware, investigating its operations and possible variants.\r\nKey Takeaways\r\nCyble Research \u0026 Intelligence Labs (CRIL) identified a sample of Embargo ransomware, developed in Rust.\r\nThe Threat Actors behind this ransomware are using double extortion tactics.\r\nWe observed an instance where the ransomware group initially demanded a $1 million ransom payment, threatening a data leak and notifications to various parties upon non-payment.\r\nThe leak site user interfaces of Embargo and ALPHV ransomware resemble each other. Additionally, the leak site of ALPHV ransomware was taken down by law enforcement in March 2024.\r\nThe log generation structure of both ransomware families looks similar.\r\nEmbargo, to date, has disclosed details of four victims globally.\r\nThis ransomware utilizes ChaCha20 and Curve25519 for file encryption and appends the “.564ba1” extension to encrypted files.\r\nOverview\r\nCRIL found a sample of Embargo ransomware, which is developed in the Rust programming language. The TAs behind this ransomware use double extortion to target their victims. In double extortion, the TAs exfiltrate sensitive information from the victim’s systems before encrypting the data.\r\nThey then threaten to publicly release or sell this stolen data if the ransom is not paid. This adds additional pressure on the victim, as the potential data breach can lead to severe reputational damage, legal consequences, and loss of customer trust. The figure below shows the leak site of Embargo ransomware.
\r\nhttps://cyble.com/blog/the-rust-revolution-new-embargo-ransomware-steps-in/\r\nPage 1 of 14\n\nFigure 1 – Embargo Ransomware Leak Site\r\nDuring our investigation, we discovered that this ransomware group initially demanded a $1 million ransom, as indicated on their chat site. The Threat Actors (TAs) also claim on this site that if the victim fails to pay the ransom, they will not only leak the data but also notify the victim’s clients, employees, partners, investors, stakeholders, and government authorities about the attack. The figure below illustrates the ransom amount demanded by the group.\r\nFigure 2 – Ransom Demand\r\nWe also observed similarities in the user interface of the ALPHV (BlackCat) ransomware leak site and the Embargo ransomware leak site. The leak site of ALPHV ransomware was taken down by law enforcement in March 2024. The figure below shows the comparison between the two leak sites.\r\nFigure 3 – Comparison of ALPHV and Embargo Ransomware Leak Site\r\nUpon comparing the Rust binaries of both ransomware samples, we observed an overlap in the structure and syntax used for generating log files. Although the ALPHV ransomware binary has more capabilities, we suspect that Embargo might be a rewritten version of ALPHV. The Rust binary of ALPHV ransomware surfaced in 2022. The figure below shows both ransomware binaries executed in verbose mode.\r\nFigure 4 – Comparison of Logs\r\nEmbargo ransomware, to date, has mentioned four victims globally. The figure below shows the distribution of Embargo’s victims. 
\r\nFigure 5 – Geographic distribution of victims\r\nTechnical Analysis\r\nThe behavior of this ransomware can be controlled using command-line arguments. Upon execution, it calls GetCommandLineW() to check for the arguments, as shown in the figure below.\r\nFigure 6 – Checking CommandLine Arguments\r\nIt then checks for the following arguments:\r\nArgument | Alternate Argument | Description\r\n-t | --threads \u003cTHREADS\u003e | number of threads, leave default to automatically assign\r\n-p | --path \u003cPATH\u003e | path to directory\r\n | --no-delete | disable self-delete\r\n | --partial | enable searching for partially encrypted files and finish encrypting (if a previous run failed)\r\n-l | --log | enable output to log\r\n-v | --verbose | enable verbose output\r\n-f | --follow-sym | enable follow symlinks\r\n-m | --multi-run | allow more than one instance run on the same host\r\n | --no-net | do not search for network resources to encrypt\r\n-n | --net-path \u003cNETWORK_PATHS\u003e | list of servers to target\r\n-h | --help | Print help\r\nThe presence of hardcoded usage examples in this ransomware binary reveals insights into the TA’s mentality and tactics. These examples suggest the specific types of folders and directories the TAs typically target during their attacks. The TA has mentioned the following directories:\r\nR:\\backups\\ \r\n\\\\files01\\finance\r\n\\\\10.0.3.2\\D$\\Accounting\r\nFigure 7 – Command line Arguments\r\nAfter getting the command line arguments, the ransomware binary creates a mutex named “LoadUpOnGunsBringYourFriends” using the CreateMutexW() function. 
Unlike other ransomware variants, this one uses a hardcoded mutex name instead of generating a string at runtime. The figure below illustrates the mutex created by the ransomware binary.\r\nFigure 8 – CreateMutex()\r\nFollowing this, the ransomware proceeds to clear the recycle bin by invoking the SHEmptyRecycleBinW() function. Typically, this action is taken to hinder the victim’s ability to restore any deleted files after encryption. The figure below shows the ransomware clearing the recycle bin.\r\nFigure 9 – Clears RecycleBin\r\nNext, it executes the following command to disable Windows recovery:\r\nC:\\\\Windows\\\\System32\\\\cmd.exe /q /c bcdedit /set {default} recoveryenabled no\r\nThe ransomware then captures a snapshot of active running processes using CreateToolhelp32Snapshot() and iterates over them with Process32First() and Process32Next(). It checks if any of the processes listed below are running and terminates them if a match is found.\r\nagntsvc.exe  sql.exe  QBIDPService.exe\r\ndbeng50.exe  steam.exe  QBDBMgrN.exe\r\ndbsnmp.exe  synctime.exe  QBCFMonitorService.exe\r\nencsvc.exe  tbirdconfig.exe  SAP.exe\r\nexcel.exe  thebat.exe  TeamViewer_Service.exe\r\nfirefox.exe  thunderbird.exe  TeamViewer.exe\r\ninfopath.exe  visio.exe  tv_w32.exe\r\nisqlplussvc.exe  winword.exe  tv_x64.exe\r\nmsaccess.exe  wordpad.exe  cvd.exe\r\nmspub.exe  xfssvccon.exe  cvfwd.exe\r\nmydesktopqos.exe  *sql*.exe  cvods.exe\r\nmydesktopservice.exe  bedbh.exe  saphostexec.exe\r\nnotepad.exe  vxmon.exe  saposcol.exe\r\nocautoupds.exe  benetns.exe  sapstartsrv.exe\r\nocomm.exe  bengien.exe  avscc.exe\r\nocssd.exe  pvlsvr.exe  DellSystemDetect.exe\r\nonenote.exe  beserver.exe  EnterpriseClient.exe\r\noracle.exe  raw_agent_svc.exe  veeam*.exe\r\noutlook.exe  vsnapvss.exe  VeeamNFSSvc.exe\r\npowerpoint.exe  CagService.exe  VeeamTransportSvc.exe\r\nsqbcoreservice.exe  vsnapvss.exe  VeeamDeploymentSvc.exe\r\nThe figure below illustrates the ransomware iterating through the active processes.\r\nFigure 10 – Terminating Process\r\nAfter this, the ransomware retrieves the active services running on the victim’s system. It first calls the OpenSCManagerW() function to obtain a handle to the service control manager database. Then, it calls EnumServicesStatusExW() to enumerate the services in the service control manager database. This call retrieves the status of services, including their names and current states. The ransomware then checks if any of the running services match the following services:\r\nGxCIMgr$  MSExchange\\$.*$\r\nMVArmor$  AcronisAgent$\r\nVSNAPVSS$  VeeamTransportSvc$\r\nVeeamNFSSvc$  BackupExecVSSProvider$\r\nQBCFMonitorService$  BackupExecManagementService\r\nGxVssHWProv$  SAPD\\$$\r\nQBDBMgrN$  QBIDPService$\r\nBackupExecRPCService$  AcrSch2Svc$\r\nVeeamTransportSvc$  SAPService$\r\nMVarmor64$  SAPHostControl$\r\nSAPHostControl$  BackupExecJobEngine$\r\nSAPHostExec$  BackupExecRPCService$\r\nQBCFMonitorService$  GxClMgrS$\r\nIf a match is found, it closes the service by calling the CloseServiceHandle() function. The figure below illustrates the ransomware iterating through services.\r\nFigure 11 – Terminating Services\r\nThe ransomware now starts iterating through device volumes using the FindFirstVolumeW() and FindNextVolumeW() functions. It then calls the GetVolumePathNamesForVolumeNameW() function to retrieve a list of drive letters and mounted folder paths for each specified volume.\r\nFigure 12 – Fetching Drives\r\nAfter this, it uses the WNetEnumResourceW() function to enumerate the network resources. 
It then starts enumerating the files in the drives for encryption using the GetDriveTypeW(), FindFirstFileW() and FindNextFileW() functions, as shown in the figure below.\r\nFigure 13 – Enumerating Drives\r\nThe ransomware does not encrypt files present in the following directories on an infected system. The ransomware binary contains regular expressions for these directory names:\r\nProgramData/Microsoft/DeviceSync[^/]*$\r\nProgramData/USOShared[^/]*$\r\nProgramData/Microsoft/Diagnosis[^/]*$\r\nProgram Files/WindowsApps[^/]*$\r\nProgramData/ssh/[^/]*$\r\nProgramData/Microsoft/UEV[^/]*$\r\nProgram Files/Windows Portable Devices[^/]*$\r\nProgramData/Microsoft/Device Stage[^/]*$\r\nProgram Files/Uninstall Information[^/]*$\r\nProgramData/Packages/USOShared[^/]*$\r\nProgramData/regid\\.[^/]*\\.com\\.microsoft$\r\nProgramData/Microsoft/Event Viewer[^/]*$\r\nProgramData/USOPrivate[^/]*$\r\nProgramData/Microsoft/Provisioning[^/]*$\r\nProgram Files/Windows Defender[^/]*$\r\nProgramData/Microsoft/IdentityCRL$\r\nProgram Files/Windows Media Player[^/]*$\r\nProgramData/Microsoft/NetFramework[^/]*$\r\nProgram Files/Windows Security[^/]*$\r\nProgramData/Microsoft/Spectrum[^/]*$\r\nProgram Files/Windows Photo Viewer[^/]*$\r\nProgramData/Microsoft/Windows Defender[^/]*$\r\nProgram Files/ModifiableWindowsApps[^/]*$\r\nProgramData/Microsoft/MapData[^/]*$\r\nProgram Files/Internet Explorer[^/]*$\r\nProgramData/Microsoft/WDF[^/]*$\r\nProgram Files/Windows NT[^/]*$\r\nProgramData/Microsoft/Storage Health[^/]*$\r\nProgram Files/Windows Sidebar[^/]*$\r\nProgramData/Microsoft/Windows[^/]*$\r\nProgram Files/WindowsPowerShell[^/]*$\r\nProgramData/Microsoft/Search[^/]*$\r\nProgram Files \\(x86\\)/Microsoft\\.NET[^/]*$\r\nProgramData/Microsoft/Vault[^/]*$\r\nProgram Files \\(x86\\)/Windows Defender[^/]*$\r\nProgramData/Microsoft/SmsRouter[^/]*$\r\nProgram Files/Invisible Things Lab/[^/]*$\r\nProgramData/Microsoft/Speech_OneCore[^/]*$\r\nProgram Files \\(x86\\)/Microsoft/Temp[^/]*$\r\nProgramData/Microsoft/Windows NT[^/]*$\r\nProgram Files \\(x86\\)/Windows NT[^/]*$\r\nProgramData/Microsoft/MF[^/]*$\r\nProgram Files \\(x86\\)/Windows Security[^/]*$\r\nProgramData/Microsoft/Network[^/]*$\r\nProgram Files \\(x86\\)/Windows Mail[^/]*$\r\nProgramData/Microsoft/WinMSIPC[^/]*$\r\nProgram Files \\(x86\\)/Windows Sidebar[^/]*$\r\nProgramData/Microsoft/WPD[^/]*$\r\nProgram Files \\(x86\\)/Common Files[^/]*$\r\nProgramData/Microsoft/EdgeUpdate[^/]*$\r\nProgram Files/Common Files/System[^/]*$\r\nProgramData/Packages/USOPrivate[^/]*$\r\nProgram Files/Windows Mail[^/]*$\r\nProgramData/Microsoft/DRM[^/]*$\r\nProgramData/ntuser\\.pol$\r\nProgramData/USOShared[^/]*$\r\nAlso, this ransomware does not encrypt files with the following extensions. The list includes the “.564ba1” extension, which is appended to files after encryption. This ensures that the ransomware will not encrypt the same file twice.\r\n.cpl  .sys  .drv\r\nd3d9caps.dat  */NTUSER.DAT  .lnk\r\nthumbs.db  .msi  *.search-ms\r\n.ico  .dll  desktop.ini\r\n.bat  .lock  .deskthemepack\r\niconcache.db  .msc  .theme\r\nntldr  .themeckpack  autorun.inf\r\nd3d9caps.dat  .lock  boot.ini\r\n.spl  .exe  .msstyles\r\n.cab  .msu  .themepack\r\n.564ba1\r\nThis ransomware uses ChaCha20 and Curve25519 to encrypt files, as shown in the figure below. ChaCha20 and Curve25519 are often used together in file encryption to provide secure key exchange and encryption. Curve25519 establishes a shared secret key, which is then used by ChaCha20 to encrypt and decrypt the file contents.\r\nFigure 14 – Cryptographic Algorithms\r\nNext, the ransomware drops a ransom note named “HOW_TO_RECOVER_FILES.txt” in every directory it iterates through. 
This note appears to have been created specifically for a victim, as the date and time values are hardcoded rather than loading the current date and time dynamically.\r\nFigure 15 – Ransom Note\r\nAll the encrypted files carry “.564ba1” as a file extension, as shown in the figure below.\r\nFigure 16 – Encrypted Files\r\nLinux and ESXi Variants\r\nAdditional files obtained from their onion site are suspected to be Linux and ESXi variants of the Embargo ransomware, but their true origin is uncertain. We suspect these to be test files, as they lack configuration data and are not able to encrypt files. These alleged variants of Embargo ransomware are 64-bit executables. Although they use the same encryption algorithm across all variants, the Linux binary offers fewer options than the Windows binary. By default, these variants utilize 4 threads, whereas the Windows variant employs 8 threads for execution. The figure below depicts the command-line arguments available in the Linux variants.\r\nFigure 17 – Embargo Linux executable\r\nFigure 18 – Embargo ESXi executable\r\nConclusion\r\nEmbargo ransomware exemplifies the growing trend of using programming languages like Rust to create sophisticated, cross-platform ransomware. The choice of Rust provides the attackers with advantages such as cross-platform compatibility, speed, and memory safety, making the ransomware more robust and difficult to analyze or reverse-engineer. The double extortion technique used by the ransomware operators not only pressures victims to pay quickly to avoid data breaches but also exposes them to potential legal and reputational damage. 
The TA’s threat to notify clients, employees, partners, investors, stakeholders, and government authorities further amplifies the urgency and severity of the situation.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nSafety Measures to Prevent Ransomware Attacks\r\nDo not open untrusted links and email attachments without first verifying their authenticity.\r\nConduct regular backup practices and keep those backups offline or in a separate network.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.\r\nUse a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique | Procedure\r\nExecution | T1204.002 (User Execution) | Malicious file.\r\nDefense Evasion | T1070.004 (Indicator Removal: File Deletion) | Ransomware deletes itself after execution.\r\nDefense Evasion | T1140 (Deobfuscate/Decode Files or Information) | Contains encrypted strings.\r\nDiscovery | T1083 (File and Directory Discovery) | Ransomware enumerates folders for file encryption and file deletion.\r\nDiscovery | T1135 (Network Share Discovery) | Target Network Shares\r\nImpact | T1486 (Data Encrypted for Impact) | Ransomware encrypts the data for extortion.\r\nImpact | T1490 (Inhibit System Recovery) | Disable automatic Windows recovery\r\nIndicators of Compromise (IOCs)\r\nIndicators | Indicator Type | Description\r\n98cc01dcd4c36c47fc13e4853777ca170c734613564a5a764e4d2541a6924d39 | SHA256 | Embargo Ransomware (Windows)\r\n7bfb789f5825f17a01cccd2fbd62635ce20f6ed7e488fded20549a806371aeb6 | SHA256 | Embargo Ransomware (ESXi)\r\ne6b6503217b0cf50e262a6a843624068f8f6a96441d241695893e6cab3c60a2c | SHA256 | Embargo Ransomware (Linux)\r\nYara Rule\r\nrule Embargo {\r\n    meta:\r\n        author = \"Cyble Research and Intelligence Labs\"\r\n        description = \"Detects Embargo Ransomware\"\r\n        date = \"2024-05-24\"\r\n        os = \"Windows\"\r\n    strings:\r\n        $a1 = \"LoadUpOnGunsBringYourFriends\" fullword ascii wide\r\n        $a2 = \"embargo\" nocase ascii wide\r\n        $a3 = \"files01\" nocase ascii wide\r\n    condition:\r\n        all of them\r\n}\r\nSource: https://cyble.com/blog/the-rust-revolution-new-embargo-ransomware-steps-in/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cyble.com/blog/the-rust-revolution-new-embargo-ransomware-steps-in/"
	],
	"report_names": [
		"the-rust-revolution-new-embargo-ransomware-steps-in"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434714,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/399029c5e4a863d4ccc22aa1fc1d4504c800c3ff.pdf",
		"text": "https://archive.orkl.eu/399029c5e4a863d4ccc22aa1fc1d4504c800c3ff.txt",
		"img": "https://archive.orkl.eu/399029c5e4a863d4ccc22aa1fc1d4504c800c3ff.jpg"
	}
}