The Embargo ransomware group has taken in over $34 million in cryptocurrency since it surfaced in April 2024. The outfit runs a ransomware-as-a-service (RaaS) model and has hit critical infrastructure in the United States, including hospitals and pharmaceutical networks. Named victims include American Associated Pharmacies, Georgia-based Memorial Hospital and Manor, and Weiser Memorial Hospital in Idaho, with reported ransom demands as high as $1.3 million.
TRM Labs, a blockchain intelligence firm, assesses that Embargo may be a rebrand of the BlackCat (ALPHV) operation, which disappeared after a suspected exit scam in early 2024. TRM points to clear overlaps between the two: both payloads are written in Rust, the data leak sites are built alike, and the groups share wallet infrastructure.
A notable feature of Embargo's money handling is that a large share of the proceeds, roughly $18.8 million, sits unmoved in wallets that have not been attributed to any service. Leaving funds dormant delays detection and lets the group wait for more favorable laundering conditions before moving them.
To obscure the origin of funds, Embargo layers them through intermediary wallets, high-risk exchanges, and sanctioned platforms such as Cryptex.net. TRM traced at least $13.5 million in ransom payments moving through various virtual asset service providers between May and August, with over $1 million passing through Cryptex alone.
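To make the tracing described above concrete, here is an added example (not code from TRM Labs or the article) that follows ransom proceeds through intermediary wallets using the proportional, or "haircut", taint model that blockchain analysts commonly apply: when a wallet holds a mix of tainted and clean funds, each outgoing transfer carries the same tainted fraction as the wallet's balance. The ledger, addresses, amounts and service labels are all constructed for the example and are hypothetical; the model also reports how much tainted value has reached labelled services versus how much is still parked in unattributed wallets.

```python
from collections import defaultdict

# Constructed sample ledger (not real chain data): (sender, receiver, amount).
# Transfers are listed in chronological order, which the haircut model relies on.
TRANSFERS = [
    ("VICTIM_1", "RANSOM", 10.0),          # ransom payment
    ("VICTIM_2", "RANSOM", 6.0),           # second ransom payment
    ("RANSOM", "HOP_1", 12.0),             # first layering hop
    ("CLEAN_SRC", "HOP_1", 4.0),           # unrelated funds mixed into the intermediary
    ("HOP_1", "HOP_2", 8.0),               # second layering hop
    ("HOP_1", "CRYPTEX_DEPOSIT", 8.0),     # cash-out at a sanctioned platform
    ("HOP_2", "EXCH_A_DEPOSIT", 5.0),      # cash-out at a high-risk exchange
]

# Hypothetical analyst attribution of deposit addresses to services.
SERVICE_LABELS = {
    "CRYPTEX_DEPOSIT": "Cryptex.net (sanctioned)",
    "EXCH_A_DEPOSIT": "high-risk exchange A",
}


def trace_haircut(transfers, sources, service_labels):
    """Proportional taint propagation from a set of ransom-receiving addresses.

    Every deposit into a source address is fully tainted. Each later transfer
    carries tainted value in proportion to the sender's tainted share at that
    moment. Returns totals reaching labelled services, value still dormant in
    unattributed wallets, and the hop distance at which each wallet was reached.
    """
    balance = defaultdict(float)   # current balance per address in this ledger
    tainted = defaultdict(float)   # tainted portion of that balance
    hops = {}                      # minimum hop count from a source address

    for sender, receiver, amount in transfers:
        if receiver in sources:
            carried = amount                       # ransom deposit: all tainted
        elif balance[sender] > 0:
            carried = amount * tainted[sender] / balance[sender]
        else:
            carried = 0.0                          # external/unfunded sender: clean

        if balance[sender] > 0:                    # only debit wallets we track
            balance[sender] -= amount
            tainted[sender] -= carried
        balance[receiver] += amount
        tainted[receiver] += carried

        if carried > 0:
            reached_at = 0 if receiver in sources else hops.get(sender, 0) + 1
            hops[receiver] = min(hops.get(receiver, reached_at), reached_at)

    to_services = defaultdict(float)
    dormant = {}
    for addr, amt in tainted.items():
        if amt <= 1e-9:
            continue
        if addr in service_labels:
            to_services[service_labels[addr]] += amt
        else:
            dormant[addr] = amt                    # tainted value not yet cashed out

    total = sum(a for _, r, a in transfers if r in sources)
    return {
        "total_tainted": total,
        "to_services": dict(to_services),
        "dormant": dormant,
        "hops": hops,
    }


if __name__ == "__main__":
    report = trace_haircut(TRANSFERS, {"RANSOM"}, SERVICE_LABELS)
    print(f"ransom proceeds observed: {report['total_tainted']:.2f}")
    for service, amt in report["to_services"].items():
        print(f"  reached {service}: {amt:.2f}")
    for addr, amt in report["dormant"].items():
        print(f"  dormant at {addr} ({report['hops'][addr]} hops): {amt:.2f}")
```

In the constructed ledger, 16.0 units of ransom proceeds end up as 6.0 at the sanctioned platform, 3.75 at the high-risk exchange, and 6.25 still dormant across the source wallet and one intermediary. The haircut model is a simplification: real investigations also weigh transaction timing, change outputs, and known mixing patterns, and a different allocation rule (such as FIFO) yields different per-hop figures.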
Embargo uses double extortion: it encrypts systems and threatens to leak stolen data if victims do not pay. In some cases the group has publicly named individuals or leaked data on its site to increase pressure.
The group mainly targets sectors where downtime is costly, namely healthcare, business services, and manufacturing, and favors U.S.-based victims for their greater capacity to pay. Meanwhile, the UK plans to ban ransom payments by all public sector bodies and operators of critical infrastructure in areas such as energy, healthcare, and local councils.
The country's proposal also introduces a payment prevention regime requiring victims outside the ban to report an intended ransom payment before making it. Mandatory incident reporting is planned as well: an initial report within 72 hours of an attack and a detailed follow-up within 28 days.
Last year, ransomware payments fell by about 35%, the first decline in ransomware revenue since 2022, according to Chainalysis.