The security company TRM Labs released a detailed report on the ransomware group Embargo, which emerged in April 2024. Since then, the group has stolen $34.2 million, primarily targeting the healthcare, business services, and manufacturing sectors, with most victims in the USA. The ransoms demanded per attack reach $1.3 million.

Connection to the BlackCat (ALPHV) Group

TRM Labs assesses that Embargo may be a rebrand of the defunct ransomware group BlackCat (ALPHV). This suspicion is based on technical similarities, such as the use of the Rust programming language and almost identical data leak site designs. Analysis of blockchain transactions supports this theory, showing that addresses linked to BlackCat directed cryptocurrencies to wallets associated with Embargo victims. This suggests that the operators of Embargo may have inherited or evolved from the BlackCat operation after its "exit scam" in 2024.

Tactics and Operations of the Group

Embargo operates under a "ransomware as a service" model, providing tools to affiliates while keeping control of core operations and payment negotiations. This structure allows the group to expand rapidly across different sectors and regions. The group launders stolen funds through sanctioned platforms, high-risk exchanges, and intermediary wallets. Between May and August 2024, TRM Labs tracked approximately $13.5 million in deposits through various providers, including over $1 million through Cryptex.net.

Instead of relying on cryptocurrency mixers, Embargo prefers to layer transactions across multiple addresses before depositing the funds directly into exchanges. The group has only been seen using the Wasabi mixer on a few occasions.
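The layering pattern described above (victim payment, several intermediary wallets, then a direct deposit at an exchange) is what blockchain tracing tools look for when attributing cash-outs. The following is an added illustration, not code from TRM Labs or from the report: it builds a transfer graph from a constructed, made-up set of transactions (the address names are labels, not real addresses) and walks outward from a seed address until it reaches a known service, reporting how many intermediary hops were used and whether the exit was a direct exchange deposit, a layered one, or a mixer.

```python
from collections import deque

# Constructed sample transfers: (from_address, to_address, amount_usd).
# All names are made-up labels for illustration, not real blockchain addresses.
TRANSFERS = [
    ("victim_payment_1", "hop_a", 500_000),
    ("hop_a", "hop_b", 499_000),
    ("hop_b", "hop_c", 250_000),
    ("hop_b", "hop_d", 249_000),
    ("hop_c", "exchange_X_deposit", 250_000),
    ("hop_d", "exchange_Y_deposit", 249_000),
    ("victim_payment_2", "exchange_X_deposit", 120_000),  # direct deposit, no layering
    ("victim_payment_3", "mixer_coinjoin", 80_000),       # the rarer mixer route
]

# Constructed attribution labels for service deposit addresses (hypothetical).
KNOWN_SERVICES = {
    "exchange_X_deposit": "exchange",
    "exchange_Y_deposit": "exchange",
    "mixer_coinjoin": "mixer",
}


def build_graph(transfers):
    """Adjacency list: address -> list of (next_address, amount)."""
    graph = {}
    for src, dst, amount in transfers:
        graph.setdefault(src, []).append((dst, amount))
    return graph


def trace_to_services(graph, seed, services, max_hops=10):
    """Breadth-first walk from `seed`; stop each branch at the first known service.

    Returns a list of (service_address, service_kind, hops, path). `hops` is the
    number of transfers from the seed to the service, so `hops - 1` is the
    number of intermediary wallets used.
    """
    results = []
    queue = deque([(seed, 0, [seed])])
    seen = {seed}
    while queue:
        addr, hops, path = queue.popleft()
        if addr in services and addr != seed:
            results.append((addr, services[addr], hops, path))
            continue  # funds that reached a service are attributed; do not walk further
        if hops >= max_hops:
            continue
        for nxt, _amount in graph.get(addr, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1, path + [nxt]))
    return results


def classify_exit(kind, hops):
    """Label an exit: 'mixer', 'direct' (one transfer to an exchange), or 'layered'."""
    if kind == "mixer":
        return "mixer"
    return "direct" if hops == 1 else "layered"


def summarize(seed, transfers=TRANSFERS, services=KNOWN_SERVICES):
    """Map each service reached from `seed` to (label, intermediary_count)."""
    graph = build_graph(transfers)
    return {
        service: (classify_exit(kind, hops), hops - 1)
        for service, kind, hops, _path in trace_to_services(graph, seed, services)
    }


if __name__ == "__main__":
    for seed in ("victim_payment_1", "victim_payment_2", "victim_payment_3"):
        print(seed, summarize(seed))
```

On the constructed data, `victim_payment_1` reaches both exchanges only after three intermediary wallets (a layered cash-out), `victim_payment_2` lands at an exchange in a single transfer, and `victim_payment_3` goes to the mixer. Real tracing additionally has to handle change outputs, peel chains and address clustering, which this toy graph leaves out.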