{"id":25969,"date":"2025-08-10T14:30:05","date_gmt":"2025-08-10T11:30:05","guid":{"rendered":"https:\/\/forklog.com\/en\/embargo-ransomware-linked-to-defunct-blackcat-group\/"},"modified":"2025-08-10T14:30:05","modified_gmt":"2025-08-10T11:30:05","slug":"embargo-ransomware-linked-to-defunct-blackcat-group","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/embargo-ransomware-linked-to-defunct-blackcat-group\/","title":{"rendered":"Embargo Ransomware Linked to Defunct BlackCat Group"},"content":{"rendered":"<p>The Embargo ransomware group has emerged as a key player in the shadowy <span data-descr=\"ransomware as a service\" class=\"old_tooltip\">RaaS<\/span> sector. Since April 2024, the group and its affiliates have extorted over $34 million in cryptocurrency, according to a report by <a href=\"https:\/\/www.trmlabs.com\/resources\/blog\/unmasking-embargo-ransomware-a-deep-dive-into-the-groups-ttps-and-blackcat-links\">TRM Labs<\/a>.<\/p>\n<p>Researchers describe a typical affiliate model: Embargo supplies affiliates with the ransomware and attack tooling in exchange for a share of the ransom proceeds, while keeping control of the core operation itself, including the infrastructure and ransom negotiations.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cEmbargo employs high-tech and aggressive ransomware. However, they avoid branding and do not use attention-grabbing tactics like other known groups, such as triple extortion and victim harassment. This restraint has likely helped them evade law enforcement detection and reduce media attention,\u201d stated TRM Labs.<\/p>\n<\/blockquote>\n<p>The group often targets organizations in healthcare, business services, and manufacturing, sectors where downtime is costly and the pressure to pay is correspondingly high.<\/p>\n<p>Notable victims include the pharmacy network American Associated Pharmacies, Memorial Hospital and Manor in Georgia, and Weiser Memorial Hospital in Idaho. The total ransom demands from these attacks reached $1.3 million.<\/p>\n<p>Embargo typically gains initial access by exploiting unpatched software vulnerabilities, through social engineering and phishing emails, and via malicious websites.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Connection to BlackCat<\/strong><\/h2>\n<p>TRM Labs analysts suggest that Embargo may be a rebrand of BlackCat, the group behind the ALPHV (BlackCat) ransomware.<\/p>\n<p>In 2024, the hackers <a href=\"https:\/\/forklog.com\/en\/news\/russian-hackers-breach-microsoft-source-code-blackcats-exit-scam-and-other-cybersecurity-events\">announced<\/a> the closure of their project, claiming the FBI had seized their infrastructure. Law enforcement never confirmed this. Rumors of an exit scam then surfaced, with one affiliate accusing the operators of withholding a $22 million ransom payment.<\/p>\n<p>Researchers identified technical overlaps between the two groups: both ransomware families are written in Rust, the data leak sites are run in a similar way, and wallet clustering reveals on-chain links between them.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXdjAgmjtgbhtJrxuCCz8N4BG-hST5vjCkKTKn4bf283h7qW39_FbcG5dbU7hca78oiNLJTevwJV3Mq4Wyy9t_U5CERzgZtquTvcywr-3EvUG_8NLXFQwNdplAEFhGgNzsy1QVoGQw?key=Tz0ZrVuFLVO6Tf7ZEV8Xng\" alt=\"Embargo ransomware linked to defunct BlackCat group\"\/><figcaption class=\"wp-element-caption\">Connection between Embargo and BlackCat wallets. Source: TRM Labs.<\/figcaption><\/figure>\n<p>To obscure the origin of funds, Embargo routes payments through a network of intermediary addresses, high-risk exchanges, and sanctioned platforms, including Cryptex.net. Crypto mixers and cross-chain bridges, by contrast, appear only rarely in its laundering chain.<\/p>\n<p>Researchers identified approximately $18.8 million in illicit proceeds attributed to the group that have remained dormant for a long time. 
Leaving funds untouched likely draws less attention to the group's activities.<\/p>\n<p>Earlier, in July 2025, a former employee of DigitalMint, a company that negotiates with ransomware gangs on behalf of victims, was <a href=\"https:\/\/forklog.com\/en\/news\/ransom-negotiator-suspected-of-colluding-with-hackers\">suspected<\/a> of colluding with hackers.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Embargo ransomware group has emerged as a key player in the shadowy RaaS sector. Since April 2024, the hackers have extorted over $34 million in cryptocurrency, according to a report by TRM Labs. Researchers indicate that the group provides criminals with tools for conducting attacks in exchange for a share of the ransom proceeds. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":25968,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,1252],"class_list":["post-25969","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-reports"],"aioseo_notices":[],"amp_enabled":true,"views":"71","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/25969","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=25969"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/25969\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fo
rklog.com\/en\/wp-json\/wp\/v2\/media\/25968"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=25969"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=25969"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=25969"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}