- Embargo has moved more than $34M in cryptocurrency from U.S. ransomware activity since April 2024.
- The group may be a successor of BlackCat and runs complex laundering and extortion schemes.
- It holds $18.8M in dormant cryptocurrency and relies heavily on double extortion.
Since April 2024, cryptocurrency flows linked to the Embargo ransomware group have totaled more than $34 million. This surge underlines the growing threat the group poses to critical infrastructure in the U.S.
The figure was reported by blockchain intelligence firm TRM Labs, which has detailed Embargo's current activity and tactics.
The group's attacks mainly target hospitals, pharmaceutical networks, and other high-impact sectors such as manufacturing and business services. Ransom demands reach as high as $1.3 million.
Embargo's operations appear to be geared toward U.S. victims, probably because these sectors have a greater capacity to pay quickly when downtime is expensive.
Embargo: A New Face with Old Roots?
TRM Labs suggests that Embargo may be a rebranded descendant of the infamous BlackCat (ALPHV) ransomware crew. The two groups share key technical traits, including use of the Rust programming language, on-chain wallet infrastructure, and the same web-based data leak sites.
BlackCat went offline earlier this year in a suspected exit scam, so the timing of Embargo's emergence is suspicious.
TRM Labs has also found that Embargo keeps a very high degree of control over key operations, including ransom negotiation and infrastructure, which is uncommon in ransomware-as-a-service (RaaS) models. That control lets it scale quickly and target a variety of sectors and regions.
Dormant Crypto Reserves and Money Laundering Tricks
Embargo holds close to $18.8 million in cryptocurrency sitting idle in unaffiliated wallets. Analysts read this either as an attempt to stay off the radar or as an effort to wait for better laundering opportunities.
The group obscures the origin of funds through elaborate networks of intermediate wallets and higher-risk exchanges, such as the sanctioned platform Cryptex.net.
TRM Labs tracked at least $13.5 million transferred between virtual asset service providers between May and August, of which more than $1 million passed through Cryptex. This multi-tier approach complicates forensic tracing and law enforcement response.
Double Extortion Bolsters Pressure on Victims
Embargo takes a calculated approach to double extortion, in contrast to more aggressive groups such as LockBit or Cl0p. It encrypts victims' systems and threatens to leak their sensitive data if they do not pay.
Embargo has applied pressure by publicly naming some victims and posting stolen data on its leak sites.
This tactic is most effective against organizations where any interruption causes maximum disruption and loss. Hospitals and pharmacies in particular have been hit hard, since they carry essential workloads and sensitive information.
Embargo's behavior fits a broader trend among ransomware crews: refining extortion practices, emphasizing stealth, and maximizing profit rather than drawing attention.
Source: https://www.livebitcoinnews.com/embargo-ransomware-group-moves-34m-in-crypto-since-april/