Embargo ransomware group has moved $34M since April 2024, TRM Labs reveals

Cryptopolitan, 2025/08/10 18:00
By Owotunse Adebayo

In this post: TRM Labs has revealed that the Embargo ransomware group has moved $34 million in illicit funds since April 2024. The blockchain intelligence firm said the group attacks critical-sector industries in the United States. The United Kingdom has moved to introduce laws against ransomware payments in the public sector.

Ransomware group Embargo has been accused of moving more than $34 million in several crypto-linked payments since April 2024. According to blockchain intelligence firm TRM Labs, the group, which is still relatively new, has become a key player in the underground cybercrime world.

TRM Labs revealed that Embargo operates under a ransomware-as-a-service model, hitting critical infrastructures across the United States.

The report revealed that the group has hit hospitals and several pharmaceutical networks in numerous states. Its victims include American Associated Pharmacies, Georgia-based Memorial Hospital and Manor, and Weiser Hospital in Idaho. The report also noted that ransom demands have reached upwards of $1.3 million.

TRM Labs investigations uncover Embargo’s operations

According to TRM Labs, its investigations uncovered that the group might have sprung up as a rebranded version of the infamous BlackCat (ALPHV) operation. That group disappeared earlier this year after it was involved in an exit scam. An exit scam is a kind of rug pull in which the individuals in charge of a project disappear with user funds without a trace.

TRM Labs noted that the two entities share a technical overlap: both use the Rust programming language, operate similar data leak sites, and exhibit on-chain ties through shared wallet infrastructure.

According to reports, about $18 million of illegal proceeds belonging to Embargo still lies dormant in unaffiliated wallets. Analysts believe this tactic is used to delay detection or to wait for better opportunities to exploit in the future.


Embargo uses a network of intermediary wallets, high-risk exchanges, and sanctioned platforms, including Cryptos.net, to hide transaction trails and obscure funds. From May through August, TRM Labs said it traced at least $13.5 million stolen by Embargo across various virtual asset service providers, with more than $1 million moved through Cryptex alone.

While Embargo does not use the aggressive tactics deployed by groups like LockBit or Cl0p, the group has adopted a double extortion tactic. It uses system encryption and threats to leak sensitive data to coerce its victims into paying the ransom. In some instances, the group has leaked the names of individuals involved or the stolen data itself to show its seriousness and increase pressure.

Embargo goes after high-stakes targets

The group consistently targets sectors where downtime is costly, including healthcare, manufacturing, and business services. It has also shown a preference for victims based in the United States, which tend to have the capacity to pay on time because downtime is costly to their operations.

Meanwhile, the United Kingdom has announced plans to ban ransomware payments for all public sector bodies and critical national infrastructure operators. These sectors include energy, healthcare, and local councils. The proposal will introduce a prevention regime that requires victims outside the ban to report any intended ransomware payment to the authorities.


The plan also includes a mandatory reporting system under which victims are required to submit an initial report to the government within 72 hours of an attack and a detailed follow-up within the next 28 days.

According to a previous Chainalysis report, ransomware attacks dropped about 35% last year. The report claimed that it was the first time since 2022 that ransomware revenues dropped that much. The report, which was released in February, mentioned that despite the drop, users still lost more than $800 million to the criminals. Chainalysis attributed the drop to increased law enforcement action, improved international collaboration, and a growing refusal by victims to pay.
