A new ransomware gang on the block, Embargo, has quietly built a multi-million-dollar cybercrime empire since first appearing in April 2024, and they’re hitting some of the most sensitive sectors imaginable.
According to fresh research from TRM Labs, the group has already stolen $34.2 million from victims across healthcare, business services, and manufacturing. Most of their targets are in the U.S., and ransom demands have reached as high as $1.3 million per attack.
Notable victims include:
- American Associated Pharmacies
- Memorial Hospital and Manor (Georgia)
- Weiser Memorial Hospital (Idaho)
Investigators also found roughly $18.8 million from victims sitting dormant and untouched in crypto wallets, possibly waiting for the heat to die down.
A Familiar Shadow: BlackCat’s Possible Comeback
TRM Labs suspects that Embargo isn’t exactly new: it may be a rebranded version of the notorious BlackCat (ALPHV) ransomware group, which vanished in 2024 after what looked like an exit scam.
Why the suspicion?
- Both use the Rust programming language.
- Their data leak sites look almost identical.
- On-chain analysis shows crypto tied to BlackCat flowing into Embargo-linked wallets.
If true, this would mean Embargo’s operators either inherited BlackCat’s assets or evolved from the group, continuing the operation under a fresh brand.
Ransomware-as-a-Service, But With a Twist
Embargo runs a ransomware-as-a-service (RaaS) model: they provide the malware tools to affiliates but keep tight control over negotiations and core operations. This setup lets them scale quickly across sectors and borders without losing grip on the money flow.
How Embargo Launders Millions
The group’s laundering tactics are just as calculated as their attacks:
- Heavy use of sanctioned platforms like Cryptex.net and high-risk exchanges.
- Minimal reliance on crypto mixers — instead, they shuffle funds through multiple wallets before cashing out.
- From May to August 2024, TRM Labs tracked $13.5 million in deposits through various services, including $1M+ through Cryptex.net.
- Occasional use of the Wasabi mixer (just two known deposits).
- Parking funds for long periods to disrupt blockchain tracing or wait for “better” conditions like lower fees or less public attention.
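The two on-chain observations above (funds from BlackCat-tied addresses flowing into Embargo-linked wallets, and money shuffled through several wallets before reaching a high-risk exchange or sitting parked) are both instances of the same analyst workflow: follow transfers forward from a set of seed addresses, flag when the trail touches a labelled service, and list downstream balances that have not moved for a long time. The script below is an added illustration of that workflow, not TRM Labs' tooling or data: the ledger, the address names (seed_legacy_1, hop_a, park_1, svc_highrisk_exchange, svc_mixer) and the service labels are all constructed placeholders, and the hop-count and idle-day thresholds are arbitrary parameters an analyst would tune.

```python
"""Toy on-chain tracer: follow funds hop by hop from seed addresses, flag when
they reach a labelled service, and list balances that have sat idle.
Everything here is constructed for illustration; no real addresses or data."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed ledger of transfers: (txid, sender, receiver, amount, timestamp).
LEDGER = [
    ("t1", "seed_legacy_1", "hop_a", 10.0, datetime(2024, 5, 1)),
    ("t2", "hop_a", "hop_b", 6.0, datetime(2024, 5, 2)),
    ("t3", "hop_a", "park_1", 4.0, datetime(2024, 5, 2)),   # parked, never moved again
    ("t4", "hop_b", "hop_c", 6.0, datetime(2024, 5, 3)),
    ("t5", "hop_c", "svc_highrisk_exchange", 5.5, datetime(2024, 5, 4)),
    ("t6", "hop_c", "svc_mixer", 0.5, datetime(2024, 5, 4)),
    ("t7", "unrelated_x", "unrelated_y", 3.0, datetime(2024, 6, 1)),  # noise
]

# Constructed labels for endpoints an analyst treats as cash-out or obfuscation points.
LABELS = {
    "svc_highrisk_exchange": "high-risk exchange",
    "svc_mixer": "mixer",
}

# Reference "now" used by the demo so results are reproducible (constructed).
NOW_FOR_DEMO = datetime(2024, 9, 1)


def trace_forward(ledger, seeds, max_hops=5):
    """Breadth-first walk over outgoing transfers. Returns {address: hops}
    for every address that transitively received funds from a seed."""
    out_edges = defaultdict(list)
    for _, src, dst, _, _ in ledger:
        out_edges[src].append(dst)
    reached = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        addr = queue.popleft()
        if reached[addr] >= max_hops:
            continue  # stop expanding beyond the hop budget
        for nxt in out_edges[addr]:
            if nxt not in reached:
                reached[nxt] = reached[addr] + 1
                queue.append(nxt)
    return reached


def flag_service_exposure(ledger, seeds, labels, max_hops=5):
    """Sorted (address, label, hops) for every labelled service the seeds reach."""
    reached = trace_forward(ledger, seeds, max_hops)
    return sorted((a, labels[a], h) for a, h in reached.items() if a in labels)


def balances(ledger):
    """Net balance per address implied by the ledger (constructed, no chain state)."""
    bal = defaultdict(float)
    for _, src, dst, amt, _ in ledger:
        bal[src] -= amt
        bal[dst] += amt
    return bal


def dormant_funds(ledger, seeds, labels, now, min_idle_days=90, max_hops=5):
    """Downstream addresses (excluding labelled services) that still hold a
    positive balance and have had no activity for min_idle_days: the
    'parked funds' pattern. Returns sorted (address, balance)."""
    reached = trace_forward(ledger, seeds, max_hops)
    bal = balances(ledger)
    last_seen = {}
    for _, src, dst, _, ts in ledger:
        for a in (src, dst):
            last_seen[a] = max(last_seen.get(a, ts), ts)
    cutoff = now - timedelta(days=min_idle_days)
    return sorted(
        (a, round(bal[a], 8))
        for a in reached
        if a not in labels and bal[a] > 0 and last_seen[a] <= cutoff
    )


if __name__ == "__main__":
    seeds = ["seed_legacy_1"]
    print("service exposure:", flag_service_exposure(LEDGER, seeds, LABELS))
    print("dormant funds:", dormant_funds(LEDGER, seeds, LABELS, NOW_FOR_DEMO))
```

On this constructed ledger the trace reaches the high-risk exchange and the mixer four hops out from the seed, and park_1 shows up as 4.0 units idle since May; with max_hops=2 neither service is reached, which is the point of the hop-count shuffling the article describes: the tracer has to be willing to follow enough intermediate wallets before the exposure becomes visible.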
Why Healthcare Is Their Prime Target
Embargo’s most chilling strategy is going after hospitals and medical facilities. By encrypting critical systems and stealing sensitive patient data, they create life-threatening operational disruption, making quick ransom payments more likely.
They also use double extortion tactics:
- Encrypt the files.
- Steal the data.
- Threaten to leak or sell it if the victim refuses to pay.
This combo turns a technical problem into a financial, reputational, and regulatory nightmare for victims.
Bottom Line:
Embargo’s rapid rise, technical sophistication, and suspected BlackCat lineage make them one of the most dangerous ransomware operations active today. Their focus on high-stakes sectors like healthcare, combined with advanced laundering tactics, shows they know exactly how to inflict maximum damage and get paid for it.