A ransomware syndicate known as Embargo has reportedly amassed a substantial fortune, extracting over $34 million in digital currency through ransom demands since April 2024. This information comes from a detailed analysis published on August 8 by TRM Labs, a cybersecurity research firm.

Embargo operates on a ransomware-as-a-service (RaaS) model: it supplies affiliates with its malware and infrastructure, and those affiliates carry out the intrusions in exchange for a share of the ransom proceeds.

Several organizations have fallen victim to Embargo’s attacks, including American Associated Pharmacies, Memorial Hospital and Manor in Georgia, and Weiser Memorial Hospital in Idaho. In some instances, ransom demands have reached staggering amounts, peaking at $1.3 million.


TRM Labs’ research indicates that Embargo employs a double extortion scheme. Initially, they encrypt the target’s computer networks, rendering them unusable. Subsequently, they threaten to expose confidential data publicly unless the ransom is paid.

To intensify pressure on their victims, Embargo has, in certain instances, publicly identified affected organizations and individuals on their dedicated website. While their operational profile may be less conspicuous compared to notorious groups like LockBit or Cl0p, their tactics remain remarkably effective.

The findings presented by TRM Labs suggest a potential connection between Embargo and the defunct BlackCat group (also known as ALPHV). BlackCat ceased operations earlier this year amid suspicions of an exit scam. Shared characteristics include the utilization of the Rust programming language, the operation of similarly designed websites for leaking stolen information, and overlapping cryptocurrency wallet infrastructure.

TRM estimates that approximately $18.8 million of Embargo’s illicit earnings remain in cryptocurrency wallets that are not linked to any identified exchange or service.

Embargo often uses a complex network of wallet addresses, high-risk cryptocurrency exchanges, and even sanctioned platforms to obfuscate the movement of funds. Between May and August, TRM tracked roughly $13.5 million traversing various virtual asset service providers (VASPs), with over $1 million routed through Cryptex.net.

In related news, Koi Security reported on August 7 that a cybercriminal collective known as GreedyBear absconded with over $1 million in cryptocurrencies.