Cryptocurrency Tracing Suggests Group Is Rebrand of Russian-Speaking BlackCat Group
Even lesser-known ransomware groups haul in serious extortion cash – although in the ransomware world, little is what it seems.
Take a report from blockchain intelligence firm TRM Labs, which traced cryptocurrency payments worth $34.2 million to a year-old group called Embargo.
Embargo is a relative newcomer, at least in name. Cybersecurity firm Eset reported seeing Embargo emerge in June 2024, in attacks that involved two relatively sophisticated tools written in Rust: a loader it codenamed MDeployer and an endpoint detection and response kill tool it dubbed MS4Killer.
“MS4Killer is particularly noteworthy as it is custom-compiled for each victim’s environment, targeting only selected security solutions” and attempting to disable them, it said.
The group’s sophistication and haul worth tens of millions of dollars might be because it is not in fact a newcomer to the ransomware scene. Instead, Embargo appears to be a rebrand of, or successor to, the notorious BlackCat group, also known as Alphv, TRM Labs said. It based its finding on “multiple technical and behavioral similarities – including using the Rust programming language, a similarly designed data-leak site and on-chain overlaps via shared wallet infrastructure.”
Frequent victims of the group include U.S. healthcare, business services and manufacturing firms, as well as hospitals and pharmaceutical networks abroad. The biggest known single ransom payment to the group reached $1.3 million.
“The group targets sectors with urgent recovery timelines – particularly healthcare – where service disruptions can lead to life-threatening consequences and increase pressure to pay,” TRM Labs said. “This strategy mirrors broader trends in the ransomware ecosystem, where threat actors seek maximum leverage by attacking critical infrastructure.”
BlackCat itself launched in November 2021 as a spinoff of the now-defunct, Russia-based Conti ransomware group. Law enforcement agencies temporarily disrupted BlackCat’s data-leak site and victim communications channel in December 2023, after which it appeared to recover.
BlackCat’s operators shut it down in March 2024 after an affiliate named “Notchy” scored a $22 million ransom from American healthcare services firm Optum’s Change Healthcare unit, which is part of UnitedHealth Group.
Rather than paying the Western affiliate his cut – under the usual ransomware-as-a-service split, the affiliate keeps 70% to 80% of a ransom – the Russian-speaking operators kept the entire payment for themselves and pretended to have been shut down by law enforcement.
Just a few months later, the core operators may have relaunched under a different name. “Historical BlackCat-linked addresses have funneled funds to wallet clusters associated with Embargo victims,” TRM Labs said.
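The "on-chain overlaps via shared wallet infrastructure" that TRM Labs cites rest on two standard blockchain-analysis steps: cluster addresses that are co-spent as inputs of one transaction (the common-input-ownership heuristic), then follow fund flows between clusters from addresses tied to the old brand to clusters that collected the new brand's victim payments. The following is an added, constructed example of that procedure in Python; it is not TRM Labs' methodology, tooling or data, and every transaction, address and label in it is made up.

```python
"""Toy version of the on-chain overlap analysis described above.

Constructed data only: the ledger, addresses and labels below are made up
for illustration and are not TRM Labs' data or methodology.
"""
from collections import defaultdict, deque

# Constructed ledger. Each transaction lists the addresses that fund it
# (inputs) and the addresses it pays (outputs). Prefixes are reader labels;
# the heuristics below never look at them.
LEDGER = [
    {"id": "t1", "inputs": ["victim_old_1"], "outputs": ["bc_1"]},       # old-brand ransom lands on bc_1
    {"id": "t2", "inputs": ["bc_1", "bc_2"], "outputs": ["bc_3"]},        # bc_1 and bc_2 are co-spent
    {"id": "t3", "inputs": ["bc_3"], "outputs": ["em_1"]},                # consolidated funds move to em_1
    {"id": "t4", "inputs": ["victim_new_1"], "outputs": ["em_2"]},        # new-brand ransom lands on em_2
    {"id": "t5", "inputs": ["em_1", "em_2"], "outputs": ["exch_dep_1"]},  # em_1 and em_2 co-spent to an exchange
    {"id": "t6", "inputs": ["other_1"], "outputs": ["exch_dep_1"]},       # unrelated actor uses the same exchange
    {"id": "t7", "inputs": ["exch_dep_1", "exch_hot_1"], "outputs": ["exch_cold_1"]},  # exchange sweep
]

# Addresses known to belong to a custodial service (assumed labels). Their
# co-spends say nothing about the users behind them, and tracing stops at custody.
KNOWN_SERVICE_ADDRS = frozenset({"exch_dep_1", "exch_hot_1", "exch_cold_1"})


def cluster_addresses(ledger, service_addrs):
    """Common-input-ownership heuristic: addresses spent together in one
    transaction are assumed to share a controlling wallet. Returns a map
    address -> frozenset of the cluster it belongs to."""
    parent = {}

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in ledger:
        for a in tx["inputs"] + tx["outputs"]:
            parent.setdefault(a, a)
        # Exchange sweeps (and CoinJoin-style mixes) co-spend inputs of
        # unrelated users; merging on them would poison the clusters.
        if any(a in service_addrs for a in tx["inputs"]):
            continue
        first = tx["inputs"][0]
        for a in tx["inputs"][1:]:
            parent[find(a)] = find(first)

    members = defaultdict(set)
    for a in parent:
        members[find(a)].add(a)
    return {a: frozenset(group) for group in members.values() for a in group}


def cluster_flow_graph(ledger, addr_to_cluster, service_addrs):
    """Directed graph of fund flows between clusters. Service addresses
    never emit edges: once money enters custody the chain trail ends."""
    graph = defaultdict(set)
    for tx in ledger:
        sources = {addr_to_cluster[a] for a in tx["inputs"] if a not in service_addrs}
        for src in sources:
            for o in tx["outputs"]:
                dst = addr_to_cluster[o]
                if dst != src:
                    graph[src].add(dst)
    return graph


def reachable(graph, start):
    """Clusters reachable from `start` by following fund flows (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in graph.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def victim_payment_clusters(ledger, victim_addrs, addr_to_cluster, service_addrs):
    """Clusters that directly received a payment from a known victim address."""
    targets = set()
    for tx in ledger:
        if any(a in victim_addrs for a in tx["inputs"]):
            targets.update(addr_to_cluster[o] for o in tx["outputs"] if o not in service_addrs)
    return targets


def on_chain_overlap(ledger, old_brand_addrs, new_brand_victim_addrs, service_addrs=frozenset()):
    """Clusters that both (a) collected a new-brand victim payment and
    (b) received funds, directly or over several hops, from old-brand addresses."""
    addr_to_cluster = cluster_addresses(ledger, service_addrs)
    graph = cluster_flow_graph(ledger, addr_to_cluster, service_addrs)
    targets = victim_payment_clusters(ledger, new_brand_victim_addrs, addr_to_cluster, service_addrs)
    hits = set()
    for seed in old_brand_addrs:
        hits |= reachable(graph, addr_to_cluster[seed]) & targets
    return hits


if __name__ == "__main__":
    print(on_chain_overlap(LEDGER, {"bc_1"}, {"victim_new_1"}, KNOWN_SERVICE_ADDRS))
    # -> {frozenset({'em_1', 'em_2'})}
    print(on_chain_overlap(LEDGER, {"other_1"}, {"victim_new_1"}, KNOWN_SERVICE_ADDRS))
    # -> set()
```

Two caveats a practitioner would apply before calling a hit a "rebrand": the common-input heuristic is only as good as the service-address labels that keep exchange sweeps and mixes from merging strangers (the toy carries no amounts, so it cannot detect CoinJoin patterns on its own), and an overlap between an old brand's wallets and a cluster collecting a new brand's ransoms is equally consistent with a shared affiliate or a shared money launderer. That is why the finding is reported alongside code and leak-site similarities rather than on its own.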
Embargo launders its ransom funds through hundreds of deposits made across “global virtual asset service providers, non-custodial and high-risk exchanges, mixing services, peer-to-peer marketplaces and the now-sanctioned platform Cryptex.net,” TRM Labs said.
The revenue tied to Embargo is notable in part because the group – for all its apparent pedigree – does not appear in the top 10 by claimed victim count, the closest public proxy for how active a group is, even though TRM Labs' tracing puts it among the bigger earners. For the second quarter of this year, cybersecurity firm Rapid7 counted 65 ransomware groups at play. The groups claiming the most attacks on their data-leak sites were Qilin, SafePay, Akira, Play and Lynx, followed by Inc Ransom, DragonForce, Nightspire, Hunters and Sarcoma.
Those rankings largely held through July, when the ransomware group that claimed the most victims was Qilin, with 73 organizations, followed by Inc Ransom with 59, SafePay at 42, Akira at 38 and Play with 24, reported cybersecurity firm Cyble.
Such numbers require a dose of skepticism. Ransomware groups don’t issue annual statements detailing their profits, and data-leak sites are a poor proxy for revenue: victims who pay are typically never listed, and some groups post only a subset of their non-paying victims, both to pressure the others into paying and to raise the group’s profile.
The ransomware ecosystem – never stable to begin with – is experiencing a period of heightened chaos as it weathers Western law enforcement crackdowns on groups such as Hive, LockBit and BlackSuit. Takedowns have triggered fragmentation and distrust among many Russian-speaking practitioners, and emboldened English-speaking attackers to go their own way (see: The Upside-Down, Topsy-Turvy World of Ransomware).
Ransomware operators and affiliates can come or go, and rarely get identified publicly, except perhaps by a pseudonym. Sometimes, affiliates work with more than one operation at a time. Blockchain analysis backs this up. “Consistent with its RaaS model, Embargo affiliates have participated in campaigns for other ransomware groups – reflecting the opportunistic and fluid nature of affiliate involvement across multiple operations,” TRM Labs said.
Look under the hood of ransomware operations and many look the same, and continue to profit handsomely at their victims’ expense.