Embargo Ransomware Group: The Interview


Embargo is the latest ransomware group to emerge in the digital extortion landscape, and some industry analysts have compared it to the far better-known Alphv group because of similarities in its code. That reported code overlap, however, does not match the account a group member gave us during our interview, in which any connection to Alphv is denied.

The program Embargo uses against its victims is written in Rust, a language whose compile-time memory-safety guarantees rule out whole classes of bugs and which several ransomware groups have adopted before Embargo. Rust is not without drawbacks for its developers, though: it is widely regarded as having a steeper learning curve than most mainstream languages, and for some tasks it offers fewer mature third-party libraries and tools than older ecosystems such as C/C++ or Python, which leaves developers writing more custom code.

Currently, Embargo’s blog on the Tor network lists only four victims. As the group member confirmed, however, that small number reflects only the victims who decided not to pay the ransom; victims who pay are never published.

[Screenshot of Embargo’s Tor blog; screenshot and redaction by SuspectFile.com]

The following interview was conducted through the ransomware group’s Tox chat. We sent Embargo a series of 13 questions, and the group replied with the answers reproduced below.

SuspectFile: You are the latest new name to emerge in the ransomware group landscape, but some claim that yours is just a “rebranding” of old groups that disappeared for various reasons. Specifically, you are associated with Alphv due to code similarities. What do you say to those who claim this?

Embargo: We are not Alphv and have no association with them. Some lazy researchers look at some common Rust crates (clap, logger) and think they look similar, because yes, maybe we use the same crates, but our code is not similar at all. We only use the same crates for common tasks, which 90% of all Rust projects use. We are not a rebrand. Our code is written 100% without outside sources.

SuspectFile: Your program is written in Rust, a programming language used in the past by several groups. Why this choice? What do you think it offers over other programming languages?

Embargo: Rust is elegant and safe.

SuspectFile: Regarding the origins of most ransomware groups, yours is also categorized within the “CIS area.” However, on your blog, you state that you are a team composed of people of various nationalities and that you do not pursue political ends. This is a claim made by almost all old and new groups. Does the rule still apply to your affiliates that they are prohibited from attacking targets located in the CIS area?

Embargo: We do not work on CIS (SNG) out of respect for our partners.

SuspectFile: We mentioned earlier that yours is the latest new group, appearing at the beginning of April this year. On your blog, only 4 victims are listed, but we believe that this number is not accurate and that at least another 15 should be added to that number. Is it therefore correct to say that since the start of your “activity,” the number of victims you have attacked is 19 and not 4?

Embargo: Those who pay are not written to the blog.

SuspectFile: On your blog, we have not read any statements regarding restrictions for your affiliates on the types of entities not to target. Should we understand from this that Embargo makes no exceptions and that even hospital or educational entities, public or private, can be considered targets for your affiliates?

Embargo: We don’t allow encryption on critical infrastructure. We are not terrorists.

SuspectFile: We have read in your ransom notes a different way of communicating with your victims. You indicate precise steps that are surely more secure for you: a deadline by which the victim must contact you and, above all, a username and password that the victims will use to log into your chat. Do you think these measures are sufficient to prevent negotiations from being read by others? Don’t you think this could backfire, for example, if another person enters the chat before the victim, making communication impossible with the targeted entity?

Embargo: Your information here is wrong. Note does not provide username and password. Clients must register an account before the deadline, after which registration will close. It is possible for multiple accounts from the same organization to be registered before the deadline. Each account can only read its own dialogue with us.

SuspectFile: In your case, are the negotiation chats managed by the affiliates who carried out the cyberattack, or is Embargo as a group directly involved in managing them? Who decides the ransom price, the group or the affiliate, and what percentage of the ransom is recognized to the affiliate?

Embargo: All parties agree to the percentage prior to work so that there will not be conflicts. Affiliates keep 80% if they bring their own networks and lock. If they bring networks but we lock, then they keep 20%.

SuspectFile: It is not the first time a group has chosen, at some point, to disappear, keeping for themselves not only the ransoms from victims but also the unpaid percentages to their affiliates. What guarantees do your affiliates have that you are not, for example, another group like Conti or, to stay current, another like Alphv, known for not honoring agreements made with their affiliates?

Embargo: We don’t rip off our partners or our clients.

SuspectFile: In the recent past, some well-known ransomware groups have disbanded for various reasons, including total disagreement with certain “guidelines” imposed by the group’s leadership. Did Embargo Ransomware arise from the disbandment of other groups, or did you, like many others, as affiliates, decide that it was time to work for yourselves?

Embargo: We worked for other groups before. We disliked the lack of transparency, and we believe they scammed us on some networks. Now we don’t work for them.

SuspectFile: The question we ask every group we interview concerns the relationship between the ransomware group and its affiliates. SuspectFile.com has read hundreds of commercial chats from various groups. In some cases, communication problems arose during negotiations. The victim asked for concrete proof of data and file leaks, but the operator could not respond because all the data was in the hands of the affiliate who hit the victim. Don’t you think such situations could undermine trust in the ransomware group?

Embargo: If an affiliate locks the network but chooses not to engage in negotiations, then the affiliate is required to provide the full data to the operator.

SuspectFile: Do you also think, like other groups, that a security company, which businesses rely on as a “negotiator,” will eventually secretly reach an agreement with a ransomware group? Has this ever happened to you?

Embargo: We offer negotiators up to 10% if they negotiate a higher price with the client and provide proof in the form of communication logs with the client. We will also pay insiders if the information is good.

SuspectFile: Indeed, most companies in any sector invest little or nothing in cybersecurity. But beyond that, what are the main deficiencies that companies should address, considering that often (even in your case) untrained personnel inadvertently open the main door to company information systems (e.g., through phishing emails)?

Embargo: With enough time, all networks can eventually be compromised. The only question that remains is whether the admin will respond before it is too late.

SuspectFile: What reasons (if any), besides money and your skills, led you to choose this path in your life?

Embargo: Will you spend your one life working to enrich the corporations?