A new ransomware operation named Embargo has emerged, moving more than $340 million in ransom-related cryptocurrency since April 2024.
Embargo operates a ransomware-as-a-service (RaaS) model and attacks critical infrastructure in the U.S., targeting hospitals and pharmaceutical networks, according to blockchain intelligence firm TRM Labs.
Victims include U.S.-based affiliated pharmacies, Memorial Hospital in Georgia, and the State Waisel Memorial Hospital. Reports indicate ransom demands as high as $1.3 million.
TRM's investigation suggests that Embargo may be a rebrand of the notorious BlackCat (ALPHV) operation, which disappeared earlier this year after an alleged exit scam. The two share technical characteristics: both are written in Rust, run similar data leak sites, and show on-chain links through shared wallet infrastructure.
Embargo holds $188 million in unmoved cryptocurrency.
About $188 million of Embargo's crypto proceeds remains in unattributed wallets. Experts believe the funds are being held back either to avoid detection or to wait for better laundering conditions in the future.
The group uses intermediary wallets, high-risk exchanges, and sanctioned platforms (such as Cryptex.net) to obscure the origin of its funds. From May to August, TRM tracked at least $135 million moving between different virtual asset service providers, with over $1 million processed through Cryptex.
Although less high-profile than LockBit or Cl0p, Embargo employs a double extortion strategy, threatening to leak sensitive data to pressure victims into paying.
The UK will ban ransom payments by the public sector.
The UK plans to ban all public sector bodies and critical national infrastructure operators, including energy, healthcare, and local councils, from paying ransoms. The proposal also introduces a payment prevention regime requiring victims to report any intended ransom payment.