Embargo Ransomware Group Moves $34M in Crypto Since April 2024 | #ransomware | #cybercrime


A ransomware group known as Embargo has moved over $34 million in cryptocurrency since April 2024, according to blockchain intelligence firm TRM Labs [1]. The group, which operates under a ransomware-as-a-service (RaaS) model, has targeted critical infrastructure in the United States, including hospitals and pharmaceutical networks. Affected organizations include American Associated Pharmacies, Memorial Hospital and Manor in Georgia, and Weiser Memorial Hospital in Idaho, with ransom demands reaching as high as $1.3 million.

TRM Labs’ investigation indicates that Embargo may be a rebranded version of the BlackCat (ALPHV) ransomware operation, which disappeared following what is believed to have been an exit scam earlier in 2024. Both groups share technical similarities, including the use of the Rust programming language, similar data leak site structures, and overlapping wallet infrastructure. These findings suggest a continuity of tactics and infrastructure between the two groups.

Approximately $18.8 million of the ransomware proceeds remain in dormant wallets, a strategy experts suggest is intended to evade detection or take advantage of more favorable laundering conditions in the future. Embargo has used a network of intermediary wallets and high-risk exchanges, including the sanctioned platform Cryptex.net, to obscure the flow of illicit funds. From May through August 2024, TRM Labs traced at least $13.5 million across various virtual asset service providers, with over $1 million routed through Cryptex alone.

While Embargo is not as aggressive in public operations as groups like LockBit or Cl0p, it employs a double extortion strategy—encrypting victims’ systems and threatening to publish sensitive data if payments are not made. In some cases, the group has publicly named individuals or posted stolen data to apply additional pressure. Embargo primarily targets sectors where operational disruption can result in significant financial losses, such as healthcare, business services, and manufacturing, and has shown a preference for U.S.-based victims, likely due to their higher ransom-paying capacity.

The rise of Embargo highlights the ongoing challenges in combating ransomware, even as overall ransomware attacks declined by 35% in 2024, according to Chainalysis [1]. The drop marked the first decline in ransomware revenue since 2022. However, as demonstrated by Embargo’s activities, cybercriminals continue to refine their tactics to maximize profits while evading law enforcement and tracking efforts. The UK has also taken steps to address the issue, proposing a ban on ransomware payments for public sector bodies and critical national infrastructure operators. The measure includes a mandatory reporting system requiring victims to notify authorities within 72 hours of an attack and to submit detailed follow-ups within 28 days.

The continued movement of ransomware proceeds through crypto underscores the need for enhanced blockchain monitoring and international cooperation to prevent further expansion of such criminal operations.

Source: [1] Embargo ransomware group moved $34M in crypto since April (https://cointelegraph.com/news/embargo-ransomware-34m-crypto-blackcat-links)
