Embargo ransomware gang has handled at least $34 million in about a year, report says
A cybercrime group that could be a successor to the BlackCat/Alphv ransomware operation is associated with about $34.2 million in cryptocurrency transactions since popping up in mid-2024, researchers said Friday.
Blockchain intelligence company TRM Labs said the Embargo ransomware gang appears to be “well resourced and technically capable,” and its activity over such a short span underscores “the group’s growing financial footprint in the ransomware ecosystem.”
Embargo started to draw scrutiny in late 2024, just a few months after BlackCat’s leaders appeared to conduct an exit scam on affiliates. Echoing other companies, TRM said the gang “may be a rebranded or successor operation to BlackCat (ALPHV) based on multiple technical and behavioral similarities,” including the infrastructure of its crypto wallets.
Like BlackCat, Embargo is a ransomware-as-a-service operation, providing affiliates with the tools they need to conduct attacks while taking a cut of any proceeds.
Embargo, however, “retains control over core operations — including infrastructure and payment negotiations,” TRM Labs said. “This model enables threat actors to rapidly scale their operations and target a broad range of sectors and geographies.”
Healthcare, business services and manufacturing companies are primary targets. Ransom demands have been as high as $1.3 million, and Embargo is a “highly advanced and aggressive ransomware,” TRM Labs said. The group claimed attacks on a Georgia hospital in November 2024 and a California health system in April 2024.
For now, Embargo isn’t as prolific as groups such as LockBit, Akira or Clop, TRM Labs said. It generally retains a low profile, and “avoids the overt branding and high-visibility tactics of more prominent ransomware groups, such as triple extortion and victim harassment.”
Joe Warminsky
is the news editor for Recorded Future News. He has more than 25 years' experience as an editor and writer in the Washington, D.C., area. He previously helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.