Key Takeaways
- According to TRM Labs, investigative findings suggest that Embargo may be a rebranded form of the ransomware group BlackCat, also known as ALPHV
- TRM Labs’ analysis indicates that roughly $18.8 million in crypto connected to Embargo’s operations remains in wallets not currently associated with active transactions.
Blockchain intelligence firm TRM Labs has identified a ransomware group known as Embargo as having moved more than $34 million in crypto ransom payments since April 2024. The group operates under a ransomware-as-a-service (RaaS) model and has targeted multiple critical infrastructure sectors in the United States, including healthcare and pharmaceuticals.
Confirmed victims include American Associated Pharmacies, Memorial Hospital and Manor in Georgia, and Weiser Memorial Hospital in Idaho. Reported ransom demands have reached up to $1.3 million.
According to TRM Labs, investigative findings suggest that Embargo may be a rebranded form of the ransomware group BlackCat, also known as ALPHV, which ceased operations earlier this year following what analysts described as an exit scam. The suspected link is based on several technical similarities, including the use of the Rust programming language, operation of comparable data leak sites, and overlapping on-chain wallet infrastructure.
TRM Labs’ analysis indicates that roughly $18.8 million in crypto connected to Embargo’s operations remains in wallets not currently associated with active transactions. Analysts state that this could represent a deliberate delay in moving funds, potentially to reduce detection risk or to take advantage of more favorable conditions for transferring assets in the future.
The group has been observed utilizing intermediary wallets, high-risk cryptocurrency exchanges, and sanctioned platforms to move funds. TRM reports that from May through August 2024, at least $13.5 million in stolen digital assets were traced through various virtual asset service providers, with more than $1 million processed through Cryptex.net. These movements are consistent with efforts to obscure transaction origins and destinations.
The ransomware-as-a-service model used by Embargo allows affiliates to deploy attacks while paying the core operators a percentage of ransom payments.
The timeline of Embargo’s emergence closely follows the disappearance of BlackCat, with TRM Labs noting the possibility that existing infrastructure and criminal networks were repurposed under the new identity.
