Embargo ransomware group nets $34.2m within a year: TRM Labs

The Embargo ransomware group has stolen $34.2 million since emerging in April 2024, targeting victims across the healthcare, business services, and manufacturing sectors, according to TRM Labs research.

Most victims are located in the U.S., with ransom demands reaching up to $1.3 million per attack.

The cybercrime group has hit major targets, including American Associated Pharmacies, Memorial Hospital and Manor in Georgia, and Weiser Memorial Hospital in Idaho.

TRM Labs identified approximately $18.8 million in victim funds that remain dormant in unattributed wallets.

BlackCat connection suspected

According to TRM Labs, Embargo may be a rebranded version of the defunct BlackCat (ALPHV) ransomware group, based on technical similarities and shared infrastructure.

Both groups use the Rust programming language and maintain nearly identical data leak site designs and functionality.

On-chain analysis revealed that historical BlackCat-linked addresses funneled cryptocurrency to wallet clusters associated with Embargo victims.

The connection suggests that Embargo’s operators may have inherited the BlackCat operation or evolved from it following its apparent exit scam in 2024.

Embargo operates under a ransomware-as-a-service model, providing tools to affiliates while retaining control over core operations and payment negotiations. This structure enables rapid scaling across multiple sectors and geographic regions.

Embargo ransomware’s use of sophisticated laundering methods

The organization uses sanctioned platforms such as Cryptex.net, high-risk exchanges, and intermediary wallets to launder stolen cryptocurrency.

Between May and August 2024, TRM Labs monitored approximately $13.5 million in deposits made through various virtual asset service providers, including more than $1 million routed through Cryptex.net.

Embargo avoids heavy reliance on cryptocurrency mixers, instead layering transactions across multiple addresses before depositing funds directly into exchanges.

The group was observed using the Wasabi mixer in limited instances, with only two identified deposits.

The ransomware operators deliberately park funds at various stages of the laundering process, likely to disrupt tracing patterns or wait for favorable conditions such as reduced media attention or lower network fees.

Embargo specifically targets healthcare organizations to maximize leverage through operational disruption.

Healthcare attacks can directly impact patient care, with potentially life-threatening consequences, and create pressure for quick ransom payments.

The group employs double extortion tactics—encrypting files while exfiltrating sensitive data. Victims face threats of data leaks or dark web sales if they refuse payment, compounding financial damage with reputational and regulatory consequences.