Embargo is a Ransomware-as-a-Service (RaaS) operation first observed in May 2024. It employs a double-extortion model, encrypting victim data while exfiltrating sensitive files for publication on a Tor-based leak site. Embargo uses a Rust-based payload that leverages AES-256 and RSA-4096 encryption, deletes volume shadow copies, and disables recovery features to prevent restoration. Its targeting appears opportunistic but has included sectors such as finance, manufacturing, and professional services across North America, Europe, and Asia. The ransomware’s customization options, negotiation portal, and leak infrastructure suggest a closed affiliate model with a focus on operational security.
No curated TTPs are available for this group.
Defensive detection signature for this group (for use in your EDR/SIEM). Source: ransomware.live.

```yara
/*
 Embargo ransomware (Rust-based)
*/
rule Embargo_Ransomnote
{
    meta:
        author = "ransomware.live"
        family = "ransomware.embargo"
        description = "Detects Embargo ransomware ransom note"
        date = "2026-05-04"
        severity = 7
        score = 70
    strings:
        $s1 = "Embargo" ascii nocase
        $s2 = "EMBARGO" ascii
        $s3 = "embargo.onion" ascii nocase
        $s4 = "HOW-TO-RECOVER.txt" ascii nocase
    condition:
        any of them
}
```
> Your network has been chosen for Security Audit by EMBARGO Team. We successfully infiltrated your network, downloaded all important and sensitive documents, files, databases, and encrypted your systems. You must contact us before the deadline 2024-05-21 06:25:37 +0000 UTC, to decrypt your systems and prevent your sensitive information from disclosure on our blog: [redacted]
>
> Do not modify any files or file extensions. Your data maybe lost forever.
>
> Instructions:
> 1. Download torbrowser: [redacted]
> 2. Go to your registration link: [redacted]
> 3. Register an account then login
>
> If you have problems with this instructions, you can contact us on [redacted] [redacted]
>
> After payment for our services, you will receive:
> - decrypt app for all systems
> - proof that we delete your data from our systems
> - full detail pentest report
> - 48 hours support from our professional team to help you recover systems and develop Disaster Recovery plan
>
> IMPORTANT: After 2024-05-21 06:25:37 +0000 UTC deadline, your registration link will be disabled and no new registrations will be allowed. If no account has been registered, your keys will be deleted, and your data will be automatically publish to our blog and/or sold to data brokers.
>
> WARNING: Speak for yourself. Our team has many years experience, and we will not waste time with professional negotiators. If we suspect you to speaking by professional negotiators, your keys will be immediate deleted and data will be published/sold.
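The following added example is not part of the ransomware.live rule or of this page: it re-implements the rule's four string tests in Python so the `any of them` condition can be exercised against constructed samples (an excerpt of the note above, a benign sentence that merely uses the word "embargo", and a file listing containing the note file name). The `tightened_fires` condition is an illustrative assumption for triage, not the published rule.

```python
import re

# String definitions copied from the Embargo_Ransomnote rule above.
# (pattern, nocase): "ascii nocase" is modelled as a case-insensitive byte match.
RULE_STRINGS = {
    "$s1": ("Embargo", True),
    "$s2": ("EMBARGO", False),
    "$s3": ("embargo.onion", True),
    "$s4": ("HOW-TO-RECOVER.txt", True),
}

# Constructed samples (not real victim data).
RANSOM_NOTE = (b"Your network has been chosen for Security Audit by EMBARGO Team. "
               b"We successfully infiltrated your network.")
BENIGN_TEXT = b"The trade embargo on steel imports was lifted in 2019."
FILE_LISTING = (b"C:\\Users\\alice\\Documents\\report.docx\r\n"
                b"C:\\Users\\alice\\HOW-TO-RECOVER.txt\r\n")


def matched_strings(data: bytes) -> set[str]:
    """Return the names of the rule strings found in data, YARA-style."""
    hits = set()
    for name, (pattern, nocase) in RULE_STRINGS.items():
        flags = re.IGNORECASE if nocase else 0
        if re.search(re.escape(pattern).encode("ascii"), data, flags):
            hits.add(name)
    return hits


def rule_fires(data: bytes) -> bool:
    """The published condition: 'any of them'."""
    return len(matched_strings(data)) >= 1


def tightened_fires(data: bytes) -> bool:
    """Illustrative stricter condition (assumption, not the published rule):
    require a high-fidelity string ($s3 or $s4) or at least two strings.
    This drops the hit on ordinary prose containing the word 'embargo'."""
    hits = matched_strings(data)
    return bool(hits & {"$s3", "$s4"}) or len(hits) >= 2


if __name__ == "__main__":
    samples = [("ransom note", RANSOM_NOTE), ("benign text", BENIGN_TEXT),
               ("file listing", FILE_LISTING)]
    for label, sample in samples:
        print(f"{label:12s} strings={sorted(matched_strings(sample))} "
              f"any_of_them={rule_fires(sample)} tightened={tightened_fires(sample)}")
```

The benign sentence shows why `$s1` alone is a weak indicator when the condition is `any of them`; tuning such a rule in a SIEM usually means weighting the note file name and onion address over the bare family name.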
Auburn Electrical Construction Company, Inc. is an innovative contracting firm that profitably provides electrical-related services to our customers. Our goal i...

One of Brazil's largest suppliers of technological systems, maintenance, manufacturing, assembly and services for industries in various segments, which has been successfully partnering with clients in Latin America since 1996. Specialized in offering complete solutions or solutions tailored to your exact needs. Located in Curitiba/PR, Brazil, Tequaly has approximately 100,000 m² of manufacturing area and 5,000 m² of administrative and support area.

- Contracts
- Financial data
- Engineering data <purification system> <evaporation system> <methanol burning up> ....
| Organization | Country | Sector | Group | Discovered |
|---|---|---|---|---|
| Auburn Electrical Construction Company | US | Construction | — | 9 Jun 2026 |
| tequaly.com | BR | Technology | — | 25 Feb 2025 |

The leak-site (.onion) addresses are known but are neither published nor linked here; only public metadata is shown.