According to TRM Labs, Embargo has received over $34 million in cryptocurrency ransoms since April 2024. Their model is based on providing attack tools to other criminals in exchange for a share of the proceeds. At the same time, the group controls key aspects of the operations, including infrastructure management and negotiation with victims.
Researchers note that Embargo uses technologically sophisticated ransomware, but at the same time avoids flashy tactics such as triple extortion or public pressure on victims. This strategy helps them stay in the shadows, minimizing the attention of the media and law enforcement agencies.
Embargo's main targets are healthcare institutions, business services companies, and manufacturing enterprises - those for whom downtime results in large losses. The victims include American Associated Pharmacies, Memorial Hospital and Manor in Georgia, and Weiser Memorial Hospital in Idaho. The combined ransoms amounted to $1.3 million.
Hackers use software vulnerabilities, social engineering techniques, as well as phishing emails and infected websites to gain initial access.
Possible continuity with BlackCat
TRM Labs suggests that Embargo may be a reincarnation of the BlackCat group, known for operating the ALPHV ransomware. In late 2024, BlackCat announced that it was ceasing operations, claiming that the FBI had intervened, but there was no official confirmation of this. Speculation about an exit scam followed, and one of the participants accused colleagues of embezzling $22 million.
The similarities between Embargo and BlackCat are visible in several aspects: the use of the Rust language, the operation of similar data leak portals, and overlaps in on-chain activity, including clusters of related crypto wallets.
Methods of money laundering
Embargo disguises the origin of funds through a network of intermediate addresses and by using high-risk crypto exchanges and sanctioned platforms, including Cryptex.net. Notably, the group rarely uses crypto mixers or cross-chain bridges.
TRM Labs estimates that about $18.8 million of the group's income has remained idle for a long time, which probably helps it avoid attracting unnecessary attention.
In the context of this activity, it is worth recalling that in July 2025 a former employee of DigitalMint, a company that helps victims of cyber extortion, was suspected of colluding with criminals, which highlights how deeply such groups are connected within the industry.