The relatively new ransomware group Embargo has moved more than $34 million in cryptocurrency linked to ransom payments since April 2024, making it a significant player in the cybercrime underground.
According to blockchain intelligence firm TRM Labs, the group, which operates under a ransomware-as-a-service (RaaS) model, has hit critical infrastructure across the US, with targets including hospitals and pharmaceutical networks.
Victims include American Associated Pharmacies, Georgia-based Memorial Hospital and Manor, and Weiser Memorial Hospital in Idaho. Ransom demands have reportedly reached as high as $1.3 million.
TRM's investigation suggests that Embargo may be a rebranded version of the notorious BlackCat (ALPHV) operation, which went dark in early 2024 in a suspected exit scam. Both groups use the Rust programming language, run similar data leak sites and share technical overlaps, and TRM observed on-chain ties between them via shared wallet infrastructure.

TRM's graph visualizer shows a small Embargo wallet cluster with incoming BlackCat (ALPHV) exposure. Source: TRM Labs
Embargo holds $18.8 million in dormant wallets
Roughly $18.8 million of Embargo's cryptocurrency proceeds remain parked in unattributed wallets. Analysts believe this is meant to delay detection or to wait for better laundering conditions.
To obscure the origin of funds, the group relies on networks of intermediary wallets, high-risk exchanges and the Cryptex.net platform. From May to August, TRM tracked at least $13.5 million flowing through a range of virtual asset service providers, with more than $1 million routed through Cryptex alone.
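The tracing described above (following funds from an attributed wallet through intermediary hops to an exchange, and spotting proceeds that never move) is the kind of analysis a blockchain intelligence tool automates. The following is an added example written for this article, not TRM's code or data: it runs three simple graph queries over a constructed, hypothetical ledger whose address labels, amounts and attributions are invented for illustration.

```python
from collections import defaultdict, deque

# Constructed sample ledger (hypothetical labels and amounts, not real on-chain
# data or real Embargo/BlackCat transactions): (sender, receiver, amount).
TXS = [
    ("victim_A", "embargo_1", 1_300_000),   # ransom payment lands in the group's wallet
    ("embargo_1", "hop_1", 1_000_000),      # layering through intermediary wallets ...
    ("hop_1", "hop_2", 990_000),
    ("hop_2", "exchange_X", 985_000),       # ... and cash-out at an exchange
    ("embargo_1", "dormant_1", 300_000),    # a slice is parked and never moved
    ("blackcat_old", "embargo_2", 50_000),  # legacy wallet funding a newer cluster
    ("embargo_2", "hop_3", 40_000),
    ("hop_3", "exchange_X", 40_000),
    ("clean_user", "exchange_X", 500_000),  # unrelated deposit at the same exchange
]

# Addresses an analyst has already attributed (hypothetical labels).
KNOWN_BAD = {"embargo_1", "embargo_2", "blackcat_old"}
EMBARGO_CLUSTER = {"embargo_1", "embargo_2", "dormant_1"}


def build_graph(txs):
    """Index the ledger both ways so we can walk transfers forwards or backwards."""
    out_edges = defaultdict(list)
    in_edges = defaultdict(list)
    for sender, receiver, amount in txs:
        out_edges[sender].append((receiver, amount))
        in_edges[receiver].append((sender, amount))
    return out_edges, in_edges


OUT, IN = build_graph(TXS)


def upstream_exposure(address, max_hops, known_bad=KNOWN_BAD):
    """Breadth-first walk over incoming transfers, bounded by max_hops.

    Returns {attributed_address: hop_distance} for every known-bad address that
    funded `address` directly or indirectly. Because BFS visits nodes in order of
    distance, the first time an address is seen is its shortest hop count.
    """
    seen = {address: 0}
    queue = deque([address])
    exposure = {}
    while queue:
        current = queue.popleft()
        depth = seen[current]
        if depth == max_hops:
            continue
        for sender, _ in IN[current]:
            if sender in seen:
                continue
            seen[sender] = depth + 1
            if sender in known_bad:
                exposure[sender] = depth + 1
            queue.append(sender)
    return exposure


def shortest_laundering_path(source, sink):
    """Forward BFS over outgoing transfers: the chain of intermediary wallets
    funds took from `source` to `sink`, or None if the sink is unreachable."""
    parent = {source: None}
    queue = deque([source])
    while queue:
        current = queue.popleft()
        if current == sink:
            path = []
            while current is not None:
                path.append(current)
                current = parent[current]
            return path[::-1]
        for receiver, _ in OUT[current]:
            if receiver not in parent:
                parent[receiver] = current
                queue.append(receiver)
    return None


def dormant_holdings(cluster):
    """Cluster addresses that received funds but never sent any, with the amount
    they hold: proceeds parked rather than laundered."""
    holdings = {}
    for address in cluster:
        received = sum(amount for _, amount in IN[address])
        sent = sum(amount for _, amount in OUT[address])
        if received > 0 and sent == 0:
            holdings[address] = received
    return holdings


if __name__ == "__main__":
    print(upstream_exposure("exchange_X", max_hops=4))
    print(shortest_laundering_path("embargo_1", "exchange_X"))
    print(dormant_holdings(EMBARGO_CLUSTER))
```

Two things the toy makes visible. First, the hop limit matters: at two hops the exchange only shows exposure to embargo_2, and the older BlackCat-linked wallet and the main ransom wallet only appear once the walk is allowed three hops, which is exactly why layering through intermediary wallets is used. Second, a wallet that only ever receives is easy to miss in a flow analysis, so dormant balances need a separate check.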
While not as visibly aggressive as LockBit or Cl0p, Embargo uses double-extortion tactics, encrypting systems and threatening to leak sensitive data if the victim does not pay. In some cases the group has named individuals or published stolen data on its leak site to increase the pressure.
Embargo appears to favor US-based victims, primarily targeting sectors where downtime is costly and victims are more likely to pay, such as healthcare, business services and manufacturing.
UK to ban public sector ransomware payments
The UK plans to ban ransomware payments by all public sector bodies and critical national infrastructure operators, including energy, healthcare and local councils. The proposal also introduces a payment prevention regime under which victims not covered by the ban must notify the government before making any intended ransom payment.
The plan further includes a mandatory reporting system requiring victims to file an initial report with the government within 72 hours of an attack and a detailed follow-up within 28 days.
On the ransomware economy more broadly, Chainalysis reported that ransomware payments fell 35% last year, the first decline in ransomware revenue since 2022.