The Embargo ransomware group has stolen $34.2 million since its emergence in April 2024, targeting victims across healthcare, business services, and manufacturing sectors.
Overview of Embargo Group
According to TRM Labs research, most victims are located in the U.S., with ransom demands reaching up to $1.3 million per attack. Major targets have included American Associated Pharmacies, Memorial Hospital and Manor in Georgia, and Weiser Memorial Hospital in Idaho. Researchers have also identified approximately $18.8 million in victim funds that remain dormant in unclaimed wallets.
Suspected Connection to BlackCat
According to TRM Labs, Embargo may be a rebranded version of the now-defunct BlackCat (ALPHV) ransomware group, based on technical similarities and shared infrastructure. Both groups' payloads are written in Rust, and their data leak sites are nearly identical in design and functionality. On-chain analysis also revealed that historical BlackCat-linked addresses funneled cryptocurrency into wallet clusters associated with Embargo victims.
Methods of Money Laundering
The group uses sanctioned platforms such as Cryptex.net, high-risk exchanges, and intermediary wallets to launder stolen cryptocurrency. Between May and August 2024, TRM Labs monitored approximately $13.5 million in deposits made through various virtual asset service providers (VASPs), including more than $1 million routed through Cryptex.net. Embargo avoids heavy reliance on cryptocurrency mixers, instead layering transactions across multiple intermediary addresses before depositing funds directly into exchanges. Because the funds are layered rather than mixed, the hop-by-hop path remains traceable, which is what allowed researchers to follow deposits to specific services.
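The two tracing techniques described above, following historical addresses into wallet clusters and following layered hops to an exchange deposit, come down to the same operation: a forward walk over a transaction graph from a set of seed addresses, stopping at attributed service addresses and noting where funds park without being spent. The following is an added example, not TRM Labs' tooling or any real ledger data. Every address, amount and attribution label in it is constructed for illustration; a real investigation would substitute on-chain transaction data and a VASP/exchange address tag set.

```python
"""Toy forward-tracing of ransom proceeds through layered intermediary wallets.

Constructed example: addresses, amounts and labels are invented and do not
refer to any real chain, wallet or service. It demonstrates the hop-by-hop
walk an analyst performs when funds are layered (split across intermediary
addresses) rather than mixed, and how attributed deposit addresses and
dormant (unspent) outputs fall out of that walk.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    src: str
    dst: str
    amount: float  # constructed units, not real coin amounts


# Constructed ledger: one ransom address splits funds through two layers of
# intermediaries, then deposits most of it into two exchange-tagged addresses
# and leaves a small remainder parked in an address that never spends.
LEDGER = [
    Tx("ransom_A", "hop_1a", 6.0),
    Tx("ransom_A", "hop_1b", 4.0),
    Tx("hop_1a", "hop_2a", 3.5),
    Tx("hop_1a", "hop_2b", 2.5),
    Tx("hop_1b", "hop_2c", 4.0),
    Tx("hop_2a", "exch_X_deposit", 3.5),
    Tx("hop_2b", "exch_X_deposit", 2.5),
    Tx("hop_2c", "exch_Y_deposit", 3.9),
    Tx("hop_2c", "dormant_Z", 0.1),
    Tx("unrelated", "hop_2c", 1.0),  # noise: unrelated inflow into an intermediary
]

# Constructed attribution labels, standing in for a VASP/exchange tag set.
LABELS = {
    "exch_X_deposit": "exchange:X",
    "exch_Y_deposit": "exchange:Y",
}


def build_graph(ledger):
    """Index transactions by sender so the walk can follow outgoing spends."""
    g = defaultdict(list)
    for tx in ledger:
        g[tx.src].append(tx)
    return g


def trace(ledger, seeds, labels, max_hops=6):
    """BFS forward from the seed addresses.

    Stops at labeled (attributed) addresses, records the amount arriving at
    each label over traced edges (an upper bound on tainted funds, since an
    intermediary may also receive unrelated inflows), and flags addresses
    with no outgoing spend as dormant.
    """
    g = build_graph(ledger)
    depth = {s: 0 for s in seeds}
    parent = {s: None for s in seeds}
    deposited = defaultdict(float)
    dormant = set()
    q = deque(seeds)
    while q:
        a = q.popleft()
        if a in labels:
            continue  # attributed service deposit: trace ends here
        outs = g.get(a, [])
        if not outs:
            dormant.add(a)  # funds parked, no spend observed
            continue
        if depth[a] >= max_hops:
            continue
        for tx in outs:
            if tx.dst in labels:
                deposited[labels[tx.dst]] += tx.amount
            if tx.dst not in depth:
                depth[tx.dst] = depth[a] + 1
                parent[tx.dst] = a
                q.append(tx.dst)
    endpoints = {a: d for a, d in depth.items() if a in labels}
    return {
        "endpoints": endpoints,      # attributed address -> hops from seed
        "deposited": dict(deposited),  # label -> amount arriving via traced edges
        "dormant": dormant,
        "parent": parent,
    }


def path_to(parent, addr):
    """Reconstruct the seed-to-address hop chain from the BFS parent map."""
    path = []
    while addr is not None:
        path.append(addr)
        addr = parent.get(addr)
    return path[::-1]


if __name__ == "__main__":
    result = trace(LEDGER, ["ransom_A"], LABELS)
    for addr, hops in sorted(result["endpoints"].items()):
        print(f"{addr}: {hops} hops via {' -> '.join(path_to(result['parent'], addr))}")
    print("deposited by label:", result["deposited"])
    print("dormant:", sorted(result["dormant"]))
```

The hop count per endpoint is the number of layers the funds passed through before reaching a service; a consistently non-zero count with no mixer in the path is the layering pattern the article describes. The dormant set is the analogue of the unclaimed funds noted earlier: outputs that were traced but never spent on.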
The Embargo group continues to operate actively, targeting vulnerable sectors such as healthcare while employing sophisticated methods to obscure the traces of its criminal activities.