Ransomware Group Embargo Linked to Major Crypto Flows
Blockchain intelligence firm TRM Labs reports that the ransomware group Embargo has received around $34.2 million in cryptocurrency since its emergence in April 2024. Victims have been primarily concentrated in the United States, spanning the healthcare, business services, and manufacturing sectors.
Suspicions of a BlackCat/ALPHV Successor
TRM Labs suggests that Embargo may be a rebrand or successor to the BlackCat/ALPHV ransomware operation. Indicators including Rust-based malware, similarities in leak site designs, and overlapping onchain wallet infrastructure underpin this suspicion.
High-Profile Victims and Crypto Ransom Tracking
Notable victims include American Associated Pharmacies, Memorial Hospital and Manor in Georgia, and Weiser Memorial Hospital in Idaho. According to TRM, ransom demands in these cases reached up to $1.3 million.
Investigators at TRM traced payments from victim pay addresses through intermediary wallets to high-risk exchanges, peer-to-peer marketplaces, mixing services, and the now-sanctioned platform Cryptex.net. The analysis found:
- Hundreds of deposits totaling roughly $13.5 million into global virtual asset service providers
- About 17 deposits, just over $1 million, moved through Cryptex.net
- Only two deposits into mixing service Wasabi, indicating limited use of mixers
- Roughly $18.8 million remains unmoved in unattributed addresses, a tactic possibly used to disrupt tracing or delay cash-out
Modus Operandi and Market Context
Embargo operates on a ransomware-as-a-service model with subdued branding, which TRM Labs says has aided the group in scaling operations while drawing less attention. The report also notes possible use of AI and machine learning to craft phishing lures and mutate malware.
The findings highlight how crypto payments and loosely regulated offshore exchanges still enable significant ransomware activity, even as authorities step up enforcement. In contrast, industry data signals a potential decrease in total ransomware proceeds. For example, last year saw an industry record with an $8 million payout. However, increased crackdowns and higher refusal-to-pay rates have reduced overall ransomware revenues, which dropped to $1.1 billion from $1.25 billion the previous year according to Chainalysis.