Embargo Ransomware Group Amasses $34M, Linked to BlackCat
The Embargo ransomware group has rapidly emerged as a significant threat, accumulating over $34 million in cryptocurrency ransom payments since April 2024. Operating on a ransomware-as-a-service (RaaS) model, Embargo has primarily targeted critical infrastructure in the US, including healthcare facilities.
Blockchain intelligence firm TRM Labs suggests a strong connection between Embargo and the BlackCat (ALPHV) operation, citing shared use of the Rust programming language, similar data leak site designs, and common wallet infrastructure. Embargo employs double extortion tactics: it encrypts systems and threatens to leak the sensitive data it has stolen. The group favors the healthcare, business services, and manufacturing sectors, with a preference for US-based victims.
To launder proceeds, Embargo uses intermediary wallets, high-risk exchanges, and sanctioned platforms such as Cryptex.net. Approximately $18.8 million in cryptocurrency remains dormant in unaffiliated wallets, potentially to delay detection.
The UK is proposing a ban on ransomware payments for public sector bodies and critical infrastructure operators, alongside a mandatory reporting regime for certain ransom payments. Despite the rise of groups like Embargo, overall ransomware revenues saw a 35% drop last year, indicating potential progress in combating cybercrime.