A relatively new cybercriminal group, going by the name Embargo, has rapidly established itself as a significant threat in the digital underworld. Since April 2024, they’ve reportedly moved over $34 million worth of cryptocurrency derived from ransomware payments.
Embargo functions as a ransomware-as-a-service (RaaS) operation, inflicting damage on essential infrastructure across the United States. Blockchain analytics firm TRM Labs reports that their targets have included vital sectors such as hospitals and pharmaceutical networks.
Among those reportedly victimized are American Associated Pharmacies, Memorial Hospital and Manor in Georgia, and Weiser Memorial Hospital in Idaho. Demands for ransom have allegedly reached as high as $1.3 million per incident.
TRM’s investigation hints that Embargo might be a re-emergence of the notorious BlackCat (ALPHV) group, which disappeared after a suspected exit scam earlier in the year. Evidence of this connection includes shared technical characteristics, such as the use of the Rust programming language, similarly structured data leak websites, and shared wallet addresses on the blockchain.
Significant Portion of Embargo’s Crypto Remains Untouched
Approximately $18.8 million of the cryptocurrency obtained by Embargo remains idle in various unconnected wallets. Experts speculate this tactic is designed to postpone detection or to take advantage of more favorable money laundering conditions in the future.
The group is using a network of intermediate wallets, risky exchanges, and sanctioned platforms, including Cryptex.net, in an attempt to conceal the origins of their illicit funds. Between May and August, TRM traced at least $13.5 million flowing through diverse virtual asset service providers, with over $1 million specifically channeled through Cryptex.
While not as publicly aggressive as ransomware groups like LockBit or Cl0p, Embargo employs a double extortion strategy. They encrypt victims’ systems and threaten to release confidential data if ransom demands are not met. In some cases, they have publicly identified individuals or posted stolen data on their website to increase pressure on their targets.
Embargo primarily targets sectors where system downtime is extremely costly, including healthcare, business services, and manufacturing. They also demonstrate a preference for U.S.-based victims, likely due to their perceived greater capacity to pay large ransoms.
UK Moves to Prohibit Ransomware Payments for Public Institutions
The United Kingdom is preparing to outlaw ransomware payments for all public sector organizations and essential national infrastructure providers, including those responsible for energy, healthcare, and local government operations. The proposed legislation includes a preventative framework requiring organizations not subject to the ban to report any intention of paying a ransom.
The proposed legislation also incorporates a mandatory reporting system. Victims would be required to submit an initial report to the government within 72 hours of experiencing an attack, followed by a more detailed report within 28 days.
According to Chainalysis, ransomware attacks decreased by 35% last year. The report indicated this marked the first downturn in ransomware revenue since 2022.