Embargo ransomware group nets $34.2 million: TRM Labs


The Embargo ransomware group has extorted $34.2 million since it emerged in April 2024, targeting victims in healthcare, business services and manufacturing, according to research by TRM Labs.

Most victims are located in the United States, with ransom demands reaching up to $1.3 million per attack.

The cybercriminal group has hit major targets, notably American Associated Pharmacies, Memorial Hospital and Manor in Georgia, and Weiser Memorial Hospital in Idaho.

TRM Labs has identified approximately $18.8 million in victim funds that remain dormant in unhosted wallets.

Suspected BlackCat connection

According to TRM Labs, Embargo may be a rebranded version of the defunct BlackCat (ALPHV) ransomware group, based on technical similarities and shared infrastructure.

Both groups use the Rust programming language, and the design and functionality of their data leak sites are almost identical.

Blockchain analysis revealed that historical addresses linked to BlackCat have sent cryptocurrency to wallet clusters associated with Embargo victims.

The connection suggests that Embargo's operators may have inherited the BlackCat operation, or evolved out of it following its apparent exit scam in 2024.

Embargo operates under a ransomware-as-a-service model, providing tools to affiliates while retaining control of core operations and payment negotiations. This structure allows rapid scaling across several sectors and geographic regions.

Embargo's use of sophisticated money-laundering methods

The group uses sanctioned platforms such as Cryptex.net, high-risk exchanges and intermediary wallets to launder the stolen cryptocurrency.

Between May and August 2024, TRM Labs observed about $13.5 million in deposits made through various virtual asset service providers, including more than a million dollars routed via Cryptex.net.

Embargo avoids heavy reliance on cryptocurrency mixers; instead it layers transactions across several addresses before depositing funds directly at exchanges.

The group was observed using the Wasabi mixer in limited cases, with only two identified deposits.

The ransomware operators deliberately park funds at different stages of the laundering process, likely to disrupt tracing patterns or to wait for favorable conditions, such as reduced media attention or lower network fees.

Embargo specifically targets healthcare organizations to maximize leverage through operational disruption.

Attacks on healthcare can directly affect patient care, with potentially fatal consequences, and create pressure for rapid ransom payment.

The group uses double-extortion tactics: encrypting files while also exfiltrating sensitive data. Victims face threats that the data will be leaked or sold on the dark web if they refuse to pay, compounding the financial damage with reputational and regulatory consequences.
