Embargo ransomware, likely a BlackCat/Alphv successor, has netted $34.2M in crypto since mid-2024, researchers say.
The Embargo ransomware group has processed $34.2M in crypto since emerging in April 2024, researchers from Blockchain intelligence company TRM Labs report.
“TRM Labs has identified approximately USD 34.2 million in incoming transaction volume likely associated with the group, with most victims located in the United States (US) in the healthcare, business services, and manufacturing sectors.” reads the report published by TRM Labs.
The RaaS mainly targeted US healthcare, business services, and manufacturing. Victims include American Associated Pharmacies, Memorial Hospital and Manor (GA), and Weiser Memorial Hospital (ID), with ransom demands up to $1.3M.
TRM believes the Embargo ransomware group may be a BlackCat/Alphv successor based on multiple technical and behavioral similarities, including use of the Rust programming language, a similarly designed data leak site, and on-chain overlaps via shared wallet infrastructure.
“Although not as prolific as groups like LockBit, Akira, or Cl0p, TRM assesses that Embargo is likely well resourced and technically capable — potentially drawing on the expertise or codebases of previous threat actors.” continues the report.
The researchers observed the group laundering ransom proceeds through intermediary wallets, high-risk exchanges, and sanctioned platforms such as Cryptex.net.

The experts also discovered approximately USD 18.8 million that remains dormant in unattributed wallets, suggesting a deliberate evasion tactic.
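The laundering path described above (ransom proceeds moving through intermediary wallets to exchanges or sanctioned platforms, with part of the funds parked in unattributed wallets) can be illustrated with a small forward-tracing routine. The following is an added example, not code or data from the TRM Labs report: the ledger, the address names and the attribution labels are constructed placeholders, and the BFS stops at any attributed address on the assumption that funds deposited to an exchange or platform leave the on-chain graph the investigator can follow.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    txid: str
    src: str
    dst: str
    usd: float


# Constructed ledger: one ransom payment split across two hops, part cashed out at
# attributed services, part left untouched. Addresses and entities are placeholders.
LEDGER = [
    Transfer("t1", "victim_payer", "ransom_addr", 1_000_000),
    Transfer("t2", "ransom_addr", "hop_1", 600_000),
    Transfer("t3", "ransom_addr", "hop_2", 400_000),
    Transfer("t4", "hop_1", "exchange_deposit", 350_000),
    Transfer("t5", "hop_1", "sanctioned_deposit", 250_000),
    Transfer("t6", "hop_2", "parking_addr", 400_000),
    Transfer("t7", "unrelated_user", "exchange_deposit", 50_000),  # noise, not ours
]

# Hypothetical attribution table (in practice supplied by a blockchain-intelligence feed).
ATTRIBUTION = {
    "exchange_deposit": "high-risk exchange",
    "sanctioned_deposit": "sanctioned platform",
}


def outgoing_index(ledger):
    """Map each source address to the transfers it sent."""
    idx = defaultdict(list)
    for t in ledger:
        idx[t.src].append(t)
    return idx


def trace_forward(ledger, seeds, max_hops=6):
    """Breadth-first walk along outgoing transfers from the seed addresses.

    Attributed addresses are terminals: deposits to an exchange or platform are
    recorded but not followed further. Returns {address: hop count from a seed}.
    """
    idx = outgoing_index(ledger)
    hops = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops or addr in ATTRIBUTION:
            continue
        for t in idx[addr]:
            if t.dst not in hops:
                hops[t.dst] = hops[addr] + 1
                queue.append(t.dst)
    return hops


def summarize(ledger, seeds, max_hops=6):
    """Return (cash-out totals per attributed category, dormant balances).

    A dormant address is a reached, unattributed address that has received funds
    and never sent any: the pattern TRM describes as funds left in unattributed wallets.
    """
    reached = trace_forward(ledger, seeds, max_hops)
    cashout = defaultdict(float)
    balance = defaultdict(float)
    has_outgoing = set()
    for t in ledger:
        if t.src in reached and t.dst in ATTRIBUTION:
            cashout[ATTRIBUTION[t.dst]] += t.usd
        if t.dst in reached:
            balance[t.dst] += t.usd
        if t.src in reached:
            balance[t.src] -= t.usd
            has_outgoing.add(t.src)
    dormant = {
        a: balance[a]
        for a in reached
        if a not in ATTRIBUTION and a not in has_outgoing and balance[a] > 0
    }
    return dict(cashout), dormant


if __name__ == "__main__":
    cash, parked = summarize(LEDGER, {"ransom_addr"})
    print("cashed out by category:", cash)
    print("dormant unattributed balances:", parked)
```

On the constructed ledger the trace attributes 350,000 to the high-risk exchange and 250,000 to the sanctioned platform, and reports 400,000 sitting dormant at `parking_addr`; the unrelated deposit in `t7` is correctly excluded because its source was never reached from the seed.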
Embargo may be using AI and ML to scale attacks, create convincing phishing lures, adapt malware, and speed up its operations.
Embargo, though financially driven, has used politically charged messages, hinting at possible links with states. It mainly targets healthcare, business services, and manufacturing for maximum disruption, often in the US but also in Europe and Asia. Healthcare attacks risk patient care, reflecting a trend of exploiting critical services for leverage.
Embargo exploits unpatched flaws or uses phishing as initial access vectors, then disables defenses and removes recovery options before encrypting files. It controls negotiations through its own infrastructure and runs a leak site to pressure non-paying victims, sometimes naming individuals. Using double extortion, it also threatens to sell or leak stolen data, amplifying financial, reputational, and regulatory risks.
“While AI is accelerating the scale and sophistication of ransomware attacks, it’s also becoming a critical tool in stopping them. Companies are using AI to detect signs of compromise — such as unusual access behavior and file encryption patterns.” concludes the report.
“Effectively countering ransomware threats also requires collaboration between the public and private sectors.”
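Two of the behaviours the article describes, removing recovery options before encryption and the file encryption pattern itself, are the detection points the report's closing quote refers to. The following is an added example, not code from the report or from any vendor: it runs two simple detectors over constructed process-start and file-write events. The event classes and field names are hypothetical, the recovery-inhibition command patterns are the commonly documented ones (MITRE ATT&CK T1490) rather than anything the report attributes to Embargo, and the entropy threshold and burst window are assumed tuning values.

```python
import math
import random
from collections import defaultdict
from dataclasses import dataclass


# Hypothetical telemetry records; field names are not tied to any EDR product.
@dataclass
class FileWrite:
    ts: float      # seconds
    pid: int
    path: str
    sample: bytes  # first bytes written to the file


@dataclass
class ProcessStart:
    ts: float
    pid: int
    cmdline: str


# Commonly documented recovery-inhibition commands (assumed detection patterns;
# the TRM report does not list Embargo's specific commands).
RECOVERY_INHIBIT_PATTERNS = (
    "vssadmin delete shadows",
    "wmic shadowcopy delete",
    "bcdedit /set {default} recoveryenabled no",
    "wbadmin delete catalog",
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; encrypted or compressed output approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def detect_recovery_inhibition(events):
    """Return (pid, cmdline) for process starts whose command line matches a pattern."""
    hits = []
    for ev in events:
        cmd = " ".join(ev.cmdline.lower().split())  # normalise case and whitespace
        if any(p in cmd for p in RECOVERY_INHIBIT_PATTERNS):
            hits.append((ev.pid, ev.cmdline))
    return hits


def detect_encryption_bursts(writes, window_s=10.0, min_files=5, entropy_threshold=7.0):
    """Map pid -> largest number of distinct high-entropy files written within window_s.

    Only pids reaching min_files are returned; a single encrypted file is normal,
    dozens per second from one process is the ransomware encryption pattern.
    """
    first_seen = defaultdict(dict)  # pid -> {path: ts of first high-entropy write}
    for w in writes:
        if shannon_entropy(w.sample) >= entropy_threshold:
            first_seen[w.pid].setdefault(w.path, w.ts)
    flagged = {}
    for pid, paths in first_seen.items():
        times = sorted(paths.values())
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_files:
            flagged[pid] = best
    return flagged


def constructed_events():
    """Constructed sample: a text editor (pid 101) and an encrypting process (pid 202)."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext-like bytes
    def ciphertext(n=2048):
        return bytes(rng.getrandbits(8) for _ in range(n))
    text = b"Quarterly figures attached; see section 3 for notes.\n" * 20
    writes = [FileWrite(1000.0 + i, 101, f"C:\\Users\\a\\doc{i}.txt", text) for i in range(8)]
    writes += [FileWrite(2000.0 + 0.5 * i, 202, f"D:\\share\\rec{i}.dat", ciphertext())
               for i in range(6)]
    procs = [
        ProcessStart(999.0, 101, "notepad.exe C:\\Users\\a\\doc0.txt"),
        ProcessStart(1999.0, 202, "cmd.exe /c vssadmin  Delete Shadows /All /Quiet"),
    ]
    return procs, writes


if __name__ == "__main__":
    procs, writes = constructed_events()
    print("recovery inhibition:", detect_recovery_inhibition(procs))
    print("encryption bursts:", detect_encryption_bursts(writes))
```

The two signals are strongest in combination: a process that first runs a recovery-inhibition command and then produces a burst of high-entropy writes is a much tighter indicator than either alone, and the burst window and file count should be tuned against a baseline of legitimate backup or compression jobs on the same hosts.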
Pierluigi Paganini
(SecurityAffairs – hacking, Embargo ransomware)