Embargo Ransomware Group Amasses $34M in Crypto Payments Since April, Linked to Notorious BlackCat

10.08.2025 12:44

A new ransomware group called Embargo has rapidly emerged as a significant cybercrime threat, accumulating over $34 million in cryptocurrency ransom payments since April 2024, according to blockchain intelligence firm TRM Labs. Operating under a ransomware-as-a-service (RaaS) model, Embargo has specifically targeted critical U.S. infrastructure, including hospitals and pharmaceutical networks like American Associated Pharmacies, Georgia's Memorial Hospital and Manor, and Idaho's Weiser Memorial Hospital, with individual ransom demands reaching up to $1.3 million.

TRM Labs' analysis indicates Embargo is likely a rebranded version of the infamous BlackCat (ALPHV) group, which vanished in early 2024 amid suspicions of an exit scam. The two groups share a matching technical footprint: ransomware written in Rust, nearly indistinguishable data leak sites, and overlapping cryptocurrency wallet infrastructure. Approximately $18.8 million of Embargo's proceeds remains dormant in wallets, a tactic believed to evade detection or to wait for favorable laundering conditions.

The group employs double-extortion tactics, encrypting systems while threatening to publish stolen data. Proceeds are laundered through intermediary wallets, high-risk exchanges, and sanctioned platforms such as Cryptex.net; TRM traced $13.5 million through virtual asset service providers between May and August, including over $1 million via Cryptex alone. Embargo concentrates on U.S.-based healthcare, manufacturing, and business services, sectors where operational downtime imposes severe costs and therefore pressure to pay.
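To make the fund-tracing described above concrete, here is an added example (it is not code from the original article, from TRM Labs, or from any analytics vendor) that follows ransom proceeds from the receiving wallets through intermediary hops to tagged off-ramps on a small constructed ledger. It assumes a simple pro-rata taint model, hypothetical address names and entity tags, and USD-equivalent amounts; TRM's actual methodology is not described on this page.

```python
from collections import defaultdict

# Constructed sample ledger for illustration only; these are NOT real Embargo
# transactions. Each entry is (sender, receiver, usd_amount), in chronological
# order. "victim_*" and "unrelated_user" are external parties whose balances we
# do not track; "ransom_addr_*" are the seed addresses that received ransoms.
SAMPLE_LEDGER = [
    ("victim_hospital", "ransom_addr_1", 1_300_000),   # ransom payment
    ("victim_pharmacy", "ransom_addr_2", 900_000),     # ransom payment, never moved
    ("ransom_addr_1", "hop_a", 1_000_000),             # first intermediary hop
    ("hop_a", "hop_b", 600_000),                       # second intermediary hop
    ("hop_a", "high_risk_exchange", 400_000),          # cash-out at a high-risk VASP
    ("unrelated_user", "hop_b", 400_000),              # clean funds mixed into hop_b
    ("hop_b", "sanctioned_exchange", 600_000),         # cash-out at a sanctioned VASP
]
SAMPLE_SEEDS = {"ransom_addr_1", "ransom_addr_2"}
# Hypothetical entity attribution, as an analytics firm's tagging would provide.
SAMPLE_TAGS = {
    "high_risk_exchange": "high_risk_vasp",
    "sanctioned_exchange": "sanctioned_vasp",
}


def trace_taint(ledger, seeds, tags):
    """Pro-rata taint propagation (an assumed model, not TRM's published method).

    Every inflow to a seed address is counted as ransom proceeds. When an address
    spends, the tainted share of the outflow equals the tainted share of its
    balance, so clean funds mixed in along the way dilute the taint. Returns the
    tainted amount that reached each tagged entity class, the tainted amount
    still parked at untagged addresses, and the total seeded.
    """
    balance = defaultdict(float)   # running balance per address
    tainted = defaultdict(float)   # tainted portion of that balance
    exposure = defaultdict(float)  # tainted value that reached tagged entities
    seed_total = 0.0

    for sender, receiver, amount in ledger:
        avail = balance[sender]
        frac = tainted[sender] / avail if avail > 0 else 0.0
        tainted_part = amount * frac
        if avail > 0:  # external parties are not tracked, so never go negative
            balance[sender] -= amount
            tainted[sender] -= tainted_part
        if receiver in seeds:  # a ransom landing at a seed address is fully tainted
            tainted_part = amount
            seed_total += amount
        balance[receiver] += amount
        tainted[receiver] += tainted_part
        if receiver in tags:
            exposure[tags[receiver]] += tainted_part

    held = {addr: amt for addr, amt in tainted.items()
            if amt > 0 and addr not in tags}
    return {"exposure": dict(exposure), "held": held, "seed_total": seed_total}


def dormant_share(result):
    """Fraction of seeded proceeds that has not reached any tagged off-ramp."""
    if result["seed_total"] == 0:
        return 0.0
    return sum(result["held"].values()) / result["seed_total"]


if __name__ == "__main__":
    report = trace_taint(SAMPLE_LEDGER, SAMPLE_SEEDS, SAMPLE_TAGS)
    for entity, amount in sorted(report["exposure"].items()):
        print(f"{entity:>16}: ${amount:,.0f} of traced proceeds")
    print(f"still parked      : ${sum(report['held'].values()):,.0f} "
          f"({dormant_share(report):.0%} of ${report['seed_total']:,.0f})")
```

On the constructed ledger, $400,000 of tainted value reaches the high-risk exchange and only $360,000 of the $600,000 sent to the sanctioned exchange is attributed to ransom proceeds, because hop_b was topped up with $400,000 of unrelated funds before cashing out; the remaining $1.44 million is still sitting at the seed and intermediary addresses, which is the kind of "dormant" figure the article reports. Real analytics tooling layers address clustering and exchange attribution on top of this, and the choice of taint model (pro-rata, FIFO, poison) materially changes the numbers, so a practitioner should state which one a reported figure uses.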

This surge occurs despite a 35% decline in overall ransomware revenue in 2024, the first year-over-year drop since 2022 according to Chainalysis. In response, the UK government is preparing to ban ransomware payments by all public sector entities and critical national infrastructure operators (including healthcare and energy), while requiring victims to report an attack within 72 hours and to submit full documentation within 28 days.