Ransomware group Embargo has pulled in at least $34.2 million in various tokens since its emergence in April 2024, according to TRM Labs.
The blockchain analytics firm says the ransomware group's infrastructure and coding overlaps suggests it may be a likely rebranding of the defunct BlackCat (ALPHV) operation.
The group operates a ransomware-as-a-service model, providing affiliates with tooling while controlling the infrastructure and negotiations. U.S. healthcare, manufacturing, and business services have been primary targets as sectors where downtime is costly and ransom leverage is high.
Demands have reached $1.3 million, with victims including American Associated Pharmacies and multiple regional hospitals.
In its Monday report, TRM traced on-chain links between historical BlackCat wallets and addresses tied to Embargo victims, alongside off-chain similarities such as Rust-based ransomware builds and near-identical data leak sites. Affiliates appear to operate fluidly between campaigns, a common RaaS pattern.
Funds are typically moved through intermediary wallets into high-risk exchanges and sanctioned platforms like Cryptex.net, bypassing heavy reliance on mixers. Roughly $13 million has reached global VASPs, while $18.8 million sits idle in unattributed wallets — likely to slow detection and await more favorable movement conditions.
Embargo employs double extortion, combining file encryption with data theft and public leak threats. TRM believes the group may be experimenting with AI to scale phishing campaigns, mutate payloads, and speed reconnaissance — tactics increasingly common among ransomware operators.
The targeting bias toward U.S. healthcare mirrors a broader shift in ransomware strategy: hit services where operational disruption risks spill over into public safety, increasing the pressure to pay quickly.
If Embargo is indeed BlackCat under a new name, it would mark yet another high-profile ransomware pivot designed to preserve affiliate networks and payment channels while evading law enforcement focus, keeping crypto as the core rail for ransom settlement and laundering.
Read more: Ransomware Payments Fell 35% in 2024 as More Victims Refuse to Pay: Chainalysis
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
