Embargo Ransomware Moves $34M in Crypto Since April A relatively new ransomware group known as Embargo has emerged as a significant threat in the cybercrime landscape, moving over $34 million in ransom-linked cryptocurrency since April 2024, according to blockchain intelligence firm TRM Labs. Operating under a ransomware-as-a-service (RaaS) model, Embargo has attacked critical infrastructure across the United States, including hospitals and pharmaceutical networks. Hospitals and Pharmaceutical Networks Among Victims Confirmed victims include American Associated Pharmacies , Georgia-based Memorial Hospital and Manor , and Weiser Memorial Hospital in Idaho. Ransom demands have reached as high as $1.3 million per incident. TRM Labs suggests Embargo could be a rebranded version of the notorious BlackCat (ALPHV) group, which vanished earlier this year following a suspected exit scam. Technical overlaps include the use of the Rust programming language, similar data leak platforms, and shared onchain wallet infrastructure. Dormant Crypto Funds and Laundering Tactics Around $18.8 million of Embargo’s proceeds remain untouched in unaffiliated wallets, a move experts believe may delay detection or await better laundering opportunities. The group reportedly relies on a network of intermediary wallets, high-risk exchanges, and sanctioned platforms such as Cryptex.net. Between May and August, TRM traced at least $13.5 million through various service providers, with over $1 million routed via Cryptex. Double Extortion and US-Focused Attacks While less publicly aggressive than groups like LockBit, Embargo employs double extortion, encrypting systems and threatening to leak sensitive data if payment is not made. In some cases, individuals have been named or data published to pressure victims. Embargo’s targeting strategy favors sectors where downtime is costly, such as healthcare, business services, and manufacturing, with a preference for US-based victims due to their higher payment capacity. UK Plans Ransomware Payment Ban for Public Sector In related developments, the UK government plans to ban ransomware payments for public sector entities and critical national infrastructure operators. The proposal includes mandatory reporting, requiring victims to file an initial report within 72 hours of an attack and a detailed account within 28 days. Decline in Ransomware Revenues According to Chainalysis, ransomware activity dropped by 35% last year, marking the first revenue decline in the sector since 2022.
