MOXFIVE Threat Actor Spotlight - Embargo Ransomware

Every month, we take a look at a current ransomware threat actor. To receive this via email each month, subscribe to the MOXFIVE mailing list.

Embargo Ransomware

This month MOXFIVE responded to incidents involving a new threat actor, Embargo Ransomware, targeting healthcare and manufacturing/supply chain organizations. While this group may be early in its eCrime lifecycle, we are proactively sharing insights on targeted industries, observed tradecraft, and recovery actions taken within the first 24 hours.

Please see the following for insights on Embargo. If interested, we’re glad to host a 1:1 session with your team to discuss the current ransomware landscape and provide guidance on best DFIR/recovery practices when responding to suspected cyber events.

April 2024 Targeted Industries: Healthcare, Manufacturing/Supply Chain

Ransomware Payment Demands: Started at $2 million in BTC and eventually negotiated down to $500k in BTC, a 75% reduction.

Notable Leveraged Exploits:

Embargo was observed disabling SentinelOne EDR agents with a malicious kernel driver pushed to hosts through a Group Policy Object (GPO), then using a second GPO to deploy the ransomware binary and begin encryption. Because both stages ride on GPO, the actor already held rights to create or modify GPOs in the domain when the driver landed; GPO modifications on the domain controllers and unexpected driver loads on endpoints are therefore the earliest points at which this chain is visible, well before the encryptor runs.

Data Exfiltration: Data was exfiltrated to MEGA cloud storage using the MEGAsync client. The client binary on a host that has no business need for it, and DNS or proxy traffic to MEGA domains (mega.nz, mega.co.nz), are the practical indicators to hunt for.
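The two observations above (a GPO change followed by a suspicious driver load and an EDR service stopping, and MEGAsync use for exfiltration) describe a sequence that can be hunted for in existing Windows telemetry. The following correlator is an added example written for this page, not MOXFIVE tooling or anything recovered from the engagement. It runs over a constructed list of events whose field names loosely follow Windows Security (5136 directory object modified, 7036 service state change) and Sysmon (6 driver loaded, 1 process create, 22 DNS query) fields; the event layout, the host names, the driver path, the EDR service list and the two-hour window are all assumptions to be tuned to your own log schema and estate.

```python
"""Hunt for the Embargo-style chain described above: GPO change -> unexpected
driver load -> EDR service stop, plus MEGAsync-based exfiltration.

Added example; the event schema below is an assumption, not a standard export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# SentinelOne's Windows service is SentinelAgent; the helper name is an assumption.
EDR_SERVICES = {"sentinelagent", "sentinelhelperservice"}
# Driver signers that are not flagged (assumption: extend with your own vendors).
TRUSTED_DRIVER_SIGNERS = {"microsoft windows", "microsoft corporation"}
# Domains used by the MEGA service and its sync client.
MEGA_DOMAINS = ("mega.nz", "mega.co.nz")

# Constructed sample telemetry (not real events). Only WS-017 shows the full
# GPO -> driver -> EDR-stop chain; FS02 shows MEGAsync use; WS-099 is a
# benign service restart with no driver load in front of it.
SAMPLE_EVENTS = [
    {"ts": "2024-04-10T01:02:03", "host": "DC01", "source": "Security", "event_id": 5136,
     "object_class": "groupPolicyContainer", "attribute": "gPCFileSysPath"},
    {"ts": "2024-04-10T01:05:40", "host": "WS-017", "source": "Sysmon", "event_id": 6,
     "image": "C:\\Windows\\System32\\drivers\\storport.sys",
     "signature_status": "Valid", "signer": "Microsoft Windows"},
    {"ts": "2024-04-10T01:21:15", "host": "WS-017", "source": "Sysmon", "event_id": 6,
     "image": "C:\\Windows\\Temp\\drv.sys", "signature_status": "Unavailable", "signer": ""},
    {"ts": "2024-04-10T01:21:19", "host": "WS-017", "source": "System", "event_id": 7036,
     "service": "SentinelAgent", "state": "stopped"},
    {"ts": "2024-04-10T02:40:00", "host": "FS02", "source": "Sysmon", "event_id": 1,
     "image": "C:\\Users\\admin\\AppData\\Local\\MEGAsync\\MEGAsync.exe"},
    {"ts": "2024-04-10T02:40:05", "host": "FS02", "source": "Sysmon", "event_id": 22,
     "query": "g.api.mega.co.nz"},
    {"ts": "2024-04-10T03:00:00", "host": "WS-099", "source": "System", "event_id": 7036,
     "service": "SentinelAgent", "state": "stopped"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def gpo_modifications(events):
    """Security 5136 on groupPolicyContainer objects: a GPO was created or edited."""
    return [e for e in events if e["event_id"] == 5136
            and e.get("object_class", "").lower() == "grouppolicycontainer"]


def suspicious_driver_loads(events):
    """Sysmon 6 driver loads that are unsigned or signed by a non-allowlisted publisher."""
    out = []
    for e in events:
        if e.get("source") != "Sysmon" or e["event_id"] != 6:
            continue
        if (e.get("signature_status", "").lower() != "valid"
                or e.get("signer", "").lower() not in TRUSTED_DRIVER_SIGNERS):
            out.append(e)
    return out


def edr_service_stops(events):
    """System 7036 where an EDR service entered the stopped state."""
    return [e for e in events if e["event_id"] == 7036
            and e.get("service", "").lower() in EDR_SERVICES
            and e.get("state", "").lower() == "stopped"]


def mega_activity(events):
    """Sysmon 1 launching MEGAsync, or Sysmon 22 resolving a MEGA domain."""
    out = []
    for e in events:
        if e.get("source") != "Sysmon":
            continue
        if e["event_id"] == 1 and e.get("image", "").lower().endswith("megasync.exe"):
            out.append(e)
        elif e["event_id"] == 22 and e.get("query", "").lower().endswith(MEGA_DOMAINS):
            out.append(e)
    return out


def correlate(events, window=timedelta(hours=2)):
    """Per host: 'edr_kill_chain' when a suspicious driver load occurs within
    `window` after a GPO change and an EDR service stops within `window` after
    the driver load; 'exfil' lists MEGAsync images / MEGA DNS queries seen."""
    gpo = gpo_modifications(events)
    stops = edr_service_stops(events)
    findings = defaultdict(dict)
    for drv in suspicious_driver_loads(events):
        after_gpo = any(timedelta(0) <= _ts(drv) - _ts(g) <= window for g in gpo)
        if not after_gpo:
            continue
        host_stops = [s for s in stops if s["host"] == drv["host"]
                      and _ts(drv) <= _ts(s) <= _ts(drv) + window]
        if host_stops:
            findings[drv["host"]]["edr_kill_chain"] = {
                "driver": drv["image"], "service": host_stops[0]["service"]}
    for ex in mega_activity(events):
        findings[ex["host"]].setdefault("exfil", []).append(ex.get("image") or ex.get("query"))
    return dict(findings)


if __name__ == "__main__":
    for host, hits in correlate(SAMPLE_EVENTS).items():
        print(host, hits)
```

A service-stop event on its own is noisy (agents restart on upgrade), which is why the chain is only raised when an unallowlisted driver load sits between a GPO change and the stop on the same host; MEGA hits are reported separately because a sync client can be legitimate, so they are a lead to be confirmed against data volume and user context rather than an alert by themselves. In a real estate, feed this from your SIEM export instead of SAMPLE_EVENTS and widen the window to cover slow-rolling GPO refresh intervals.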

MOXFIVE Recovery Actions Taken within First 24 Hours:

If you would like to know more or need assistance with incident response efforts, please contact us at 833-568-6695 or email our team at incident@moxfive.com.