Defense Evasion
- s4killer (Minifilter Driver)
Embargo is a Rust-based ransomware family and ransomware-as-a-service operation, also tracked as Storm-0501, first observed in April 2024 and publicly described as active through at least March 2026.
Profile source: Mallory opens in a new tabEmbargo
Embargo is a Rust-based ransomware family and ransomware-as-a-service operation, also tracked as Storm-0501, first observed in April 2024 and publicly described as active through at least March 2026. It is used in double-extortion attacks in which data is exfiltrated before file encryption. Reporting in the provided content describes Embargo as an open-affiliate RaaS operation and notes assessments by multiple researchers that it is a probable successor or rebrand of BlackCat/ALPHV. Storm-0501 is identified as a primary affiliate associated with deploying Embargo, though that actor has also used other ransomware families.
Embargo’s toolchain includes the MDeployer loader and the MS4Killer EDR-killer toolkit. MDeployer has been used to decrypt payloads including the ransomware executable and MS4Killer using a hardcoded RC4 key. For persistence, Embargo has created a Windows service named irnagentd via a DLL variant of MDeployer, configured to launch after reboot in Safe Mode, and has also created a scheduled task named Perf_sys. The malware has modified and deleted Registry keys to add services and disable security solutions, including Windows Defender, and has used BAT scripts to weaken defenses.
A notable defense-evasion capability is its Bring Your Own Vulnerable Driver technique. Embargo has leveraged MS4Killer to deploy probmon.sys version 3.0.0.4, a vulnerable driver signed with a revoked certificate from ITM System Co., LTD., to terminate security products and other targeted processes and services. The content specifically notes termination activity against products including SentinelOne, Cylance, ESET, Defender, Bitdefender, Kaspersky, and Webroot. Embargo also performs service and process discovery using APIs including OpenSCManagerW(), EnumServicesStatusExW(), and CreateToolHelp32Snapshot(), and enumerates device volumes with FindFirstVolumeW(), FindNextVolumeW(), and GetVolumePathNamesForVolumeNameW().
For impact, Embargo encrypts files using ChaCha20 and Curve25519/X25519 and appends random 6-character hexadecimal extensions such as .b58eeb or .3d828a. It searches folders, subfolders, mounted drives, and networked drives to identify encryption targets, and avoids encrypting certain files and directories using a regular expression embedded in the binary. It inhibits recovery by emptying the Recycle Bin with SHEmptyRecycleBinW() and disabling Windows recovery with bcdedit /set {default} recoveryenabled no. The operation is also described as exfiltrating data with Rclone to MEGA or MegaSync before encryption, using a Tor-based leak site and ransom communications via a Tor registration portal and TOX, and dropping a ransom note named HOW_TO_RECOVER_FILES.txt.
Additional identifiers mentioned in the content include hardcoded mutex names IntoTheFloodAgainSameOldTrip and LoadUpOnGunsBringYourFriends. Victimology in the provided reporting indicates concentration in the United States, with technology and healthcare specifically noted among affected sectors. The content also states that TRM Labs traced approximately $34.2 million in cryptocurrency payments to the Embargo operation through mid-2025.
Ransomware.live
Ransomware.live
Reported operators
Embargo has obtained persistence of the loader MDeployer by creating a scheduled task named "Perf_sys."
Hastalamuerte was an experienced affiliate who had previously worked with Embargo, LockBit, and Medusa before joining Qilin.
Exploited software
MITRE ATT&CK
Reporting
hastalamuerte also carries prior experience with LockBit, Embargo, and Medusa, but the documented split is from Qilin.
As for LARVA-368, the threat actor is assessed to have been a member of the Embargo (aka Primeval Mantis) ransomware group before launching their own operation under the name ArmCorp.
Hastalamuerte was an experienced affiliate who had previously worked with Embargo, LockBit, and Medusa before joining Qilin.
Embargo Ransomware (Storm-0501) Type: Ransomware-as-a-Service (RaaS) - Open Affiliate Model
Storm-0501 has deployed multiple ransomware families including Hive, BlackCat/ALPHV, Hunters International, LockBit, and most recently Embargo ransomware.
“Minimal-activity Groups… such as Embargo… each registered one incident.”
... Embargo ... (v1.0) ...
Embargo (v1.0)
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.