Embargo Ransomware Group Launders $34M in Crypto Since April, Targets U.S. Healthcare

A rising ransomware threat known as Embargo has rapidly emerged as a significant force in the cybercrime world, laundering more than $34 million in cryptocurrency-linked ransom payments since April 2024, according to blockchain intelligence firm TRM Labs.

Operating under the ransomware-as-a-service (RaaS) model, Embargo has struck critical U.S. infrastructure, including hospitals and pharmaceutical networks. Confirmed victims include American Associated Pharmacies, Memorial Hospital and Manor in Georgia, and Weiser Memorial Hospital in Idaho — with ransom demands reaching as high as $1.3 million per incident.

Cybersecurity analysts believe Embargo may be a rebranded version of BlackCat (ALPHV), a notorious ransomware syndicate that vanished earlier this year amid allegations of an exit scam. Both operations use the Rust programming language, run similar data leak sites, and show overlapping on-chain wallet activity.

Around $18.8 million of Embargo’s takings remain dormant in unaffiliated wallets — a possible strategy to avoid detection or await better laundering opportunities. The group’s laundering network spans intermediary wallets, high-risk exchanges, and sanctioned platforms such as Cryptex.net. From May to August, TRM Labs tracked at least $13.5 million moved through virtual asset service providers, including more than $1 million via Cryptex alone.

While not as prolific as LockBit or Cl0p, Embargo employs double extortion — encrypting victim systems and threatening to leak sensitive data if payments are withheld. In some cases, the group has publicly named individuals or posted stolen files online to increase pressure.

Embargo’s focus remains on sectors where downtime is costly, particularly healthcare, business services, and manufacturing, with a notable preference for U.S.-based targets — likely due to higher payment capacity.

UK Moves to Outlaw Public Sector Ransomware Payments
In related policy news, the UK government is preparing to ban all public sector and critical infrastructure operators — including energy, healthcare, and local councils — from paying ransoms. The proposal would also require private-sector victims to report any planned ransom payments, with an initial 72-hour notice and a detailed follow-up within 28 days.

According to Chainalysis, ransomware attacks dropped 35% last year, marking the first decline in revenues since 2022 — but the Embargo case shows the threat remains far from over.
