Inside Embargo: the ransomware operation built to blind your defences before encryption
Embargo has emerged as one of the more operationally dangerous ransomware groups currently active, not because of unusually sophisticated encryption, but because of how effectively it suppresses endpoint visibility before encryption even begins.
Recent intrusion analysis shows Embargo operators using Safe Mode boot manipulation, vulnerable driver abuse, and tailored EDR-killing tooling to disable security controls during the final stages of an attack. Once that process begins, defenders are often operating blind at the exact moment the intrusion becomes most destructive.
Unlike many ransomware operations that rely purely on speed or volume, Embargo appears focused on systematically degrading defensive capability before deploying its encryptor. The result is a ransomware workflow built around visibility loss, delayed response, and accelerated operational impact.
The group first surfaced publicly during 2024 and has since been linked to attacks across healthcare, technology, manufacturing, and business services sectors. While the United States remains the most heavily impacted region in current reporting, UK organisations have also appeared on Embargo-linked leak infrastructure.
If you’re reading this because you think you have experienced a ransomware incident and are unsure how to deal with it, contact Zensec immediately.
Initial access and intrusion entry
Embargo intrusions do not appear to rely on a single consistent entry vector. Instead, observed activity aligns closely with broader ransomware affiliate tradecraft, including exploitation of internet-facing systems, credential theft, and access broker activity.
Recent investigations have linked Embargo deployment activity to compromised edge infrastructure and known remote code execution vulnerabilities affecting technologies including:
- Citrix NetScaler
- Zoho ManageEngine
- Adobe ColdFusion
- Internet-facing remote access platforms
Credential theft appears regularly throughout the intrusion chain. In several campaigns linked to wider ransomware affiliate ecosystems, attackers were observed using stolen credentials and hybrid identity weaknesses to move between on-premises and cloud environments before ransomware deployment occurred.
By the time Embargo payloads are deployed, attackers often already hold privileged access inside the environment.
Payload staging and execution
One of the more distinctive characteristics of Embargo intrusions is the structured staging process observed prior to encryption.
Analysed deployments show Embargo using a Rust-based loader referred to as MDeployer, responsible for decrypting payloads stored within encrypted cache files including:
- a.cache
- b.cache
Once decrypted, payloads are written to disk under varying filenames including:
- pay.exe
- praxisbackup.exe
Observed execution chains consistently prioritise security-tool suppression before encryption begins.
The EDR-killing component is launched first, followed by the ransomware payload itself. This sequencing reduces the likelihood of security tooling detecting or interrupting encryption activity once execution begins.
Safe mode abuse and defence suppression
One of Embargo’s more operationally dangerous behaviours is its deliberate use of Windows Safe Mode to impair endpoint visibility and bypass defensive controls.
Rather than fighting EDR protections head-on in a fully monitored environment, Embargo operators have been observed preparing a Safe Mode boot with native Windows utilities, each with a distinct role:
- bcdedit, to set the safeboot option on the boot entry so the next reboot enters Safe Mode
- sc.exe, to create the services that must survive that reboot
- reg.exe, to register those services under the SafeBoot registry key (Windows only starts a service or driver in Safe Mode if it is listed under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal or \Network)
The objective is simple. Reboot the compromised system into Safe Mode with networking enabled while maintaining persistence.
During observed intrusions, persistence services including irnagentd were created to ensure the ransomware workflow continued after reboot. Once inside Safe Mode, Embargo tooling moved to disable or interfere with security tooling before encryption activity proceeded.
In several analysed cases, security software directories were renamed directly in order to prevent products loading correctly after reboot.
Once Safe Mode execution begins and defensive telemetry is degraded, incident responders are often left with significantly reduced visibility during the most destructive stage of the intrusion.
BYOVD and kernel-level EDR killing
Embargo’s most notable tradecraft currently centres around Bring Your Own Vulnerable Driver techniques.
Observed attacks show Embargo operators deploying the vulnerable probmon.sys driver, version 3.0.0.4, using renamed variants including:
- Sysprox.sys
- Sysmon64.sys
The driver itself was signed using a revoked certificate associated with ITM System Co., LTD.
Once loaded as a service, the driver exposes kernel-level process termination, which Embargo tooling uses to interfere with or terminate endpoint protection products. Renaming the file changes neither its hash nor its signature, so controls keyed on filename alone will not stop it.
Observed service names linked to this activity include:
- Sysprox
- Proxmon
- Sysmon64
Many organisations treat “EDR installed” as equivalent to “EDR effective”. BYOVD tradecraft exposes the gap between those assumptions.
If vulnerable drivers are not actively blocked (for example through the Microsoft vulnerable driver blocklist or a WDAC policy) and tamper protections are incomplete, ransomware operators can degrade or disable defensive tooling before encryption begins.
Rapid tooling iteration
Another recurring characteristic of Embargo activity is rapid tooling iteration.
Recent intrusion analysis identified multiple slightly different builds of Embargo tooling across separate incidents, including evidence of payloads being compiled shortly before deployment.
Rather than deploying a single consistent toolset, Embargo operators appear to modify payloads and process-killing logic between intrusions, in some cases tuning the tooling specifically around the security products present within the victim environment.
Observed process-killing behaviour suggests the operation is not attempting to indiscriminately terminate every running process. Instead, activity appears focused on the specific defensive tooling protecting that organisation.
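One practical way to surface the "compiled shortly before deployment" signal is to read the COFF TimeDateStamp out of the PE header and compare it with the binary's first observed execution time. The block below is an added example for this article, not Embargo or vendor code; build_pe_stub() constructs a minimal PE header as a fixture, and FIRST_EXEC and the 48-hour window are assumed values. The stamp is attacker-controllable, so a fresh or future stamp is a hunting lead, never proof on its own, and zeroed stamps (common in reproducible builds) are reported as a gap rather than as benign.

```python
"""Compare a PE's compile timestamp with its first observed execution.
Example added for this article, not Embargo or vendor code. The PE bytes
are built by build_pe_stub() as a fixture; no real sample is embedded."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional


def pe_compile_time(data: bytes) -> Optional[datetime]:
    """Return the COFF TimeDateStamp as an aware UTC datetime, or None when the
    bytes are not a PE image or the stamp is zero (reproducible/stripped builds)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    if stamp == 0:
        return None
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def classify_build_age(data: bytes, first_exec: datetime,
                       fresh_window: timedelta = timedelta(hours=48)) -> str:
    """Label the gap between compile time and first execution."""
    ct = pe_compile_time(data)
    if ct is None:
        return "no_stamp"        # cannot age it; treat as a gap, not as benign
    delta = first_exec - ct
    if delta < timedelta(0):
        return "future_stamp"    # stamp later than execution: forged or clock skew
    if delta <= fresh_window:
        return "fresh"           # built shortly before it ran
    return "aged"


def build_pe_stub(stamp: int) -> bytes:
    """Construct a minimal MZ header plus PE signature and COFF header carrying
    the given TimeDateStamp. Fixture only: it is not a loadable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    # x64 machine, no sections, the stamp, no symbols, no optional header, EXE flags
    coff = struct.pack("<HHIIIHH", 0x8664, 0, stamp, 0, 0, 0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff


FIRST_EXEC = datetime(2025, 3, 4, 10, 0, tzinfo=timezone.utc)  # constructed first-seen time

if __name__ == "__main__":
    for label, hours_before in [("six hours before", 6), ("thirty days before", 24 * 30)]:
        stamp = int((FIRST_EXEC - timedelta(hours=hours_before)).timestamp())
        print(label, classify_build_age(build_pe_stub(stamp), FIRST_EXEC))
```

In practice first_exec comes from the earliest process-creation or file-creation event for that hash across the fleet, and the result is most useful when joined against the "process-killing logic tuned to the victim" observation: a binary that is both freshly built and unique to one environment deserves a closer look than either signal alone.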
Why Embargo represents a growing threat
Embargo’s operational danger comes from how efficiently the group reduces defender visibility before the impact phase begins.
Across modern ransomware incidents, the highest-value detection window exists before encryption, while attackers are still escalating privileges, staging tooling, and establishing persistence.
Embargo’s workflow is deliberately built to collapse that window.
Safe Mode execution, vulnerable driver abuse, process termination loops, and security-tool impairment all contribute towards the same outcome. Defenders lose visibility immediately before the environment enters full ransomware execution.
Once encryption starts under degraded telemetry conditions, response options narrow rapidly into business continuity, containment, and crisis management.
Links to the wider ransomware ecosystem
Several overlaps between Embargo and post-ALPHV ransomware activity have led researchers to assess potential ecosystem continuity between the groups.
These overlaps include:
- Rust-based tooling
- Leak-site similarities
- Shared operational patterns
- Affiliate-style deployment activity
While definitive attribution remains difficult, Embargo's operational structure appears consistent with the fragmented ransomware affiliate ecosystem that emerged following disruption activity against BlackCat (ALPHV) and LockBit infrastructure.
Current reporting also suggests Embargo maintains a relatively controlled operational model, with centralised negotiation infrastructure and affiliate-driven intrusion activity.
Defensive lessons organisations should prioritise
Embargo’s tradecraft reinforces several defensive lessons repeatedly seen across modern ransomware incidents.
Harden identity and remote access pathways
Attackers continue to exploit weak MFA coverage, exposed remote services, over-privileged accounts, and hybrid identity gaps to establish broad administrative access.
Treat vulnerable driver abuse as a primary threat
Security teams should actively monitor for suspicious driver loading activity, unsigned or revoked drivers, and unusual kernel service creation events. Drivers including probmon.sys should be treated as hostile within enterprise environments and blocked by hash and signer rather than by filename, since the observed copies were renamed before use.
Monitor aggressively for safe mode manipulation
Embargo’s Safe Mode workflow creates several high-value detection opportunities, including:
- bcdedit setting the safeboot option (network or minimal) on a boot entry
- New entries under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network or \Minimal, whether written by reg.exe or directly, since this is what allows a service to start in Safe Mode
- Unexpected Safe Mode reboots
- Creation of persistence services such as irnagentd
- Unusual driver service installation, particularly a kernel service pointing at a .sys file outside the normal driver directories
These behaviours remain uncommon during legitimate enterprise activity and should generate immediate investigation.
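The detection below covers both the Safe Mode workflow described earlier and the list of opportunities just given, and it is an added example for this article rather than Embargo or vendor code. The event dictionaries are simplified stand-ins for Sysmon process-creation (ID 1), registry (ID 12/13) and System 7045 service-install records; hosts, timestamps, file paths and the 30-minute correlation window are constructed assumptions. The service names matched against ARTICLE_SERVICE_NAMES are the ones this article reports and are treated as IOCs only; the behavioural rules (safeboot set, SafeBoot key registration, driver service creation) carry the detection even when names change.

```python
"""Detect the Safe Mode pivot over constructed Windows telemetry. Example
added for this article, not Embargo or vendor code. Event shapes are
simplified stand-ins for Sysmon 1/12/13 and System 7045 records."""
from __future__ import annotations
import re
from datetime import datetime, timedelta

# bcdedit enabling Safe Mode on a boot entry, e.g. "bcdedit /set {default} safeboot network"
SAFEBOOT_CMD = re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\s+(network|minimal)\b", re.I)
# Services and drivers only start in Safe Mode if listed under this key.
SAFEBOOT_KEY = re.compile(r"\\Control\\SafeBoot\\(Network|Minimal)\\", re.I)
# sc.exe creating a service from an arbitrary .sys path
SC_DRIVER = re.compile(r"\bsc(\.exe)?\s+create\s+\S+.*binpath=\s*\"?[^\"\s]+\.sys\b", re.I)
# Names reported in the article; IOCs only, the rules above carry the detection.
ARTICLE_SERVICE_NAMES = {"irnagentd", "sysprox", "proxmon", "sysmon64"}
PIVOT_FOLLOWUPS = {"safeboot_key_via_cli", "safeboot_service_registered",
                   "driver_service_via_sc", "driver_service_install"}


def classify(ev: dict) -> list[str]:
    """Map one event to zero or more behaviour labels."""
    hits = []
    kind = ev.get("kind")
    if kind == "process":
        cmd = ev.get("CommandLine", "")
        if SAFEBOOT_CMD.search(cmd):
            hits.append("bcdedit_safeboot_set")
        if SAFEBOOT_KEY.search(cmd):          # reg add ...\SafeBoot\Network\<svc>
            hits.append("safeboot_key_via_cli")
        if SC_DRIVER.search(cmd):
            hits.append("driver_service_via_sc")
    elif kind == "registry":
        if SAFEBOOT_KEY.search(ev.get("TargetObject", "")):
            hits.append("safeboot_service_registered")
    elif kind == "service_install":
        if ev.get("ServiceFileName", "").lower().endswith(".sys"):
            hits.append("driver_service_install")
        if ev.get("ServiceName", "").lower() in ARTICLE_SERVICE_NAMES:
            hits.append("article_service_name")
    return hits


def correlate(events: list[dict], window: timedelta = timedelta(minutes=30)) -> dict:
    """Group hits per host. Safeboot set plus any persistence or driver step
    inside the window is the pivot and rates high; anything else rates medium."""
    per_host: dict[str, list] = {}
    for ev in events:
        for h in classify(ev):
            per_host.setdefault(ev["host"], []).append((ev["ts"], h))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        names = {h for _, h in hits}
        span = hits[-1][0] - hits[0][0]
        pivot = ("bcdedit_safeboot_set" in names and bool(names & PIVOT_FOLLOWUPS)
                 and span <= window)
        alerts[host] = {"severity": "high" if pivot else "medium", "hits": sorted(names)}
    return alerts


T0 = datetime(2025, 3, 4, 10, 0, 0)
SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"host": "WS01", "ts": T0, "kind": "process",
     "CommandLine": r"bcdedit.exe /set {default} safeboot network"},
    {"host": "WS01", "ts": T0 + timedelta(seconds=30), "kind": "process",
     "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\irnagentd /ve /d Service /f"},
    {"host": "WS01", "ts": T0 + timedelta(minutes=1), "kind": "service_install",
     "ServiceName": "irnagentd", "ServiceFileName": r"C:\ProgramData\irnagentd.exe"},
    {"host": "WS01", "ts": T0 + timedelta(minutes=2), "kind": "process",
     "CommandLine": r"sc create Sysprox type= kernel binPath= C:\Windows\Temp\Sysprox.sys"},
    {"host": "WS01", "ts": T0 + timedelta(minutes=2, seconds=5), "kind": "registry",
     "EventType": "SetValue",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Sysprox\(Default)"},
    {"host": "WS02", "ts": T0 + timedelta(hours=1), "kind": "process",
     "CommandLine": r"bcdedit /set {current} safeboot minimal"},   # lone admin action: medium
    {"host": "WS03", "ts": T0 + timedelta(hours=1, minutes=5), "kind": "process",
     "CommandLine": r"bcdedit /enum"},                                # benign, no hit
]

if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert["severity"], ", ".join(alert["hits"]))
```

The correlation is what separates an administrator who sets safeboot during troubleshooting (WS02, medium) from an operator who sets it and then registers a fresh service and a kernel driver to run under it (WS01, high). The registry rule is the one worth keeping even if the command-line rules are bypassed, because there is no way to have a service start in Safe Mode without that key being written.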
Prepare for degraded visibility scenarios
Incident response plans should assume EDR degradation and Safe Mode execution are possible during ransomware deployment.
Without preparation for degraded-visibility scenarios, response coordination becomes significantly more difficult once ransomware execution begins.
Final thoughts
Embargo reflects a broader evolution taking place across the ransomware landscape. Modern ransomware groups are increasingly prioritising defence suppression, visibility degradation, and disruption of incident response workflows before encryption ever starts.
Embargo’s combination of Rust-based tooling, Safe Mode abuse, and vulnerable-driver-enabled EDR killing already places it among the more operationally concerning ransomware threats currently active. For defenders, the critical detection window exists before encryption.
- Detect the Safe Mode pivot.
- Detect the vulnerable driver load.
- Detect the persistence service.
Because once endpoint visibility disappears, the incident is no longer purely a security event. It becomes a business continuity crisis.