
Embargo Ransomware Linked to Defunct BlackCat Group

The Embargo ransomware group has emerged as a key player in the shadowy ransomware-as-a-service (RaaS) sector. Since April 2024, the hackers have extorted over $34 million in cryptocurrency, according to a report by TRM Labs.

Researchers indicate that the group provides criminals with tools for conducting attacks in exchange for a share of the ransom proceeds. Embargo retains control over key operations, including infrastructure management and ransom negotiations.

“Embargo employs high-tech and aggressive ransomware. However, they avoid branding and do not use attention-grabbing tactics like other known groups, such as triple extortion and victim harassment. This restraint has likely helped them evade law enforcement detection and reduce media attention,” stated TRM Labs.

The cybercriminals often target organizations in healthcare, business services, and manufacturing, where downtime is costly.

Notable victims include the pharmacy network American Associated Pharmacies, Memorial Hospital and Manor in Georgia, and Weiser Memorial Hospital in Idaho. The total ransom demands from these attacks reached $1.3 million.

Typically, Embargo gains initial access through unpatched software vulnerabilities, social engineering, phishing emails, and malicious websites.

Connection to BlackCat

TRM Labs analysts suggest that Embargo may be a rebranded version of the BlackCat group, which distributed the ALPHV ransomware.

In 2024, BlackCat announced the closure of its project, claiming the FBI had seized its infrastructure. However, law enforcement did not confirm this. Rumors then surfaced of a possible exit scam, with one affiliate accusing the team of stealing $22 million in ransom payments.

Researchers identified common technical aspects between the groups: they use the Rust programming language, manage similar data leak sites, and exhibit on-chain connections through wallet clusters.

Connection between Embargo and BlackCat wallets. Source: TRM Labs.

Embargo uses a network of intermediary addresses, high-risk exchanges, and sanctioned platforms, including Cryptex.net, to obscure the origin of funds. However, the hackers rarely use crypto mixers and cross-chain bridges.

Researchers identified approximately $18.8 million in illicit proceeds attributed to the group that have remained dormant for a long time. This tactic likely helps the group draw less attention to its activities.
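To make the two tracing observations above concrete (funds moving through intermediary addresses toward high-risk services, and funds sitting dormant in unspent addresses), here is an added example of a minimal transaction-graph analysis. This is illustrative code written for this article, not TRM Labs' methodology or tooling, and the ledger, address labels and the "exchange_X" high-risk flag are constructed sample data, not real on-chain records.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One on-chain transfer, amounts in the smallest unit (integers avoid float drift)."""
    txid: str
    src: str
    dst: str
    amount: int
    ts: int  # unix timestamp


# Constructed sample ledger (not real addresses or transactions):
# victim_A's payment hops twice before reaching a flagged exchange;
# victim_B's payment stops at hop_3 and never moves again.
TRANSFERS = [
    Transfer("t1", "victim_A", "ransom_1", 50_000, 1_700_000_000),
    Transfer("t2", "ransom_1", "hop_1", 50_000, 1_700_010_000),
    Transfer("t3", "hop_1", "hop_2", 49_900, 1_700_020_000),
    Transfer("t4", "hop_2", "exchange_X", 49_800, 1_700_030_000),
    Transfer("t5", "victim_B", "ransom_2", 30_000, 1_700_000_500),
    Transfer("t6", "ransom_2", "hop_3", 30_000, 1_700_011_000),
]

# Hypothetical watchlist of high-risk / sanctioned service deposit addresses.
HIGH_RISK = {"exchange_X"}


def build_graph(transfers):
    """Adjacency list: source address -> list of outgoing transfers."""
    graph = defaultdict(list)
    for t in transfers:
        graph[t.src].append(t)
    return graph


def trace_paths(transfers, start, max_hops=8):
    """Follow funds forward from `start`; return every path that ends at a
    dead end (no further spends) or hits the hop limit."""
    graph = build_graph(transfers)
    paths = []
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        outgoing = graph.get(path[-1], [])
        if not outgoing or len(path) - 1 >= max_hops:
            paths.append(path)
            continue
        for t in outgoing:
            if t.dst not in path:  # guard against loops between addresses
                queue.append(path + [t.dst])
    return paths


def hops_to_high_risk(transfers, start, high_risk, max_hops=8):
    """Map each high-risk endpoint reachable from `start` to the minimum hop count."""
    result = {}
    for path in trace_paths(transfers, start, max_hops):
        for hops, addr in enumerate(path):
            if addr in high_risk and hops > 0:
                result[addr] = min(result.get(addr, hops), hops)
    return result


def balances(transfers):
    """Net received minus sent per address."""
    bal = defaultdict(int)
    for t in transfers:
        bal[t.dst] += t.amount
        bal[t.src] -= t.amount
    return bal


def dormant_addresses(transfers, now, min_idle, min_balance, exclude=frozenset()):
    """Addresses still holding at least `min_balance` whose last activity is
    older than `min_idle` seconds; known service addresses are excluded."""
    last_seen = defaultdict(int)
    for t in transfers:
        last_seen[t.src] = max(last_seen[t.src], t.ts)
        last_seen[t.dst] = max(last_seen[t.dst], t.ts)
    return {
        addr: amt
        for addr, amt in balances(transfers).items()
        if amt >= min_balance and addr not in exclude and now - last_seen[addr] >= min_idle
    }


if __name__ == "__main__":
    print(hops_to_high_risk(TRANSFERS, "ransom_1", HIGH_RISK))
    print(trace_paths(TRANSFERS, "ransom_2"))
    # 90 days after the first payment, flag addresses idle for 60+ days.
    print(dormant_addresses(TRANSFERS, now=1_707_776_000, min_idle=5_184_000,
                            min_balance=1_000, exclude=HIGH_RISK))
```

The same two checks are what an analyst would run against a real ransom-payment address: how many hops separate the payment from a cash-out point, and which intermediary balances have not moved. The dust left in hop_1 and hop_2 is filtered out by the balance floor so that only meaningful parked funds are reported.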

Back in July 2025, a former employee of DigitalMint, a company that assists ransomware victims, was suspected of colluding with hackers.
