A newly emerged ransomware operation known as Embargo has stolen more than $34.2 million since April 2024, according to fresh research from blockchain intelligence firm TRM Labs. The group has primarily targeted victims in the healthcare, business services, and manufacturing sectors, with most attacks focused on U.S.-based organizations.

Ransom demands have reportedly reached as high as $1.3 million per incident. High-profile victims include American Associated Pharmacies, Memorial Hospital and Manor in Georgia, and Weiser Memorial Hospital in Idaho.
Possible BlackCat Rebrand
TRM Labs’ analysis suggests Embargo could be a rebranded version of BlackCat (also known as ALPHV), a ransomware group that collapsed after an apparent exit scam in 2024. Both groups share technical hallmarks, including the use of the Rust programming language and nearly identical data leak site designs.
Blockchain analysis revealed that cryptocurrency tied to historical BlackCat addresses was sent to wallet clusters associated with Embargo victims, pointing to possible continuity in operators or infrastructure.
Like its suspected predecessor, Embargo runs a ransomware-as-a-service model, providing affiliates with attack tools while centralizing control over negotiations and core operations. This structure enables the group to scale quickly and strike across multiple industries.
Sophisticated Laundering Tactics
TRM Labs found that Embargo has employed advanced money-laundering methods to move stolen funds. Between May and August 2024, investigators tracked around $13.5 million in deposits to various virtual asset service providers, including more than $1 million routed through sanctioned platform Cryptex.net.
Rather than heavily relying on mixers, Embargo often layers transactions across multiple wallets before moving funds directly into exchanges. Limited use of privacy tools like the Wasabi mixer has been observed, with only two confirmed deposits. TRM Labs believes the group deliberately “parks” funds at different stages to disrupt tracing efforts or to wait for moments when scrutiny and transaction fees are lower.
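The layering and "parking" behaviour described above is what a blockchain investigator has to untangle: follow each ransom payment across intermediate wallets until it either reaches an attributed exchange deposit address or stops at a wallet that still holds the funds. The following Python is an added illustration of that tracing step, not code from TRM Labs or from the article; the ledger, the address labels (victim_pay_1, hop_a, exch_deposit_1 and so on) and the exchange attribution list are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample ledger (hypothetical addresses, not real Embargo
# transactions). Each entry is (from_address, to_address, amount_btc).
TRANSFERS = [
    ("victim_pay_1", "hop_a", 10.0),
    ("hop_a", "hop_b", 6.0),
    ("hop_a", "hop_c", 4.0),
    ("hop_b", "exch_deposit_1", 6.0),
    ("hop_c", "hop_d", 4.0),          # hop_d never spends: funds are parked
    ("victim_pay_2", "hop_e", 5.0),
    ("hop_e", "hop_f", 5.0),
    ("hop_f", "exch_deposit_2", 5.0),
]

# Constructed attribution list: addresses tagged as exchange deposit addresses.
EXCHANGE_DEPOSITS = {"exch_deposit_1", "exch_deposit_2"}


def build_graph(transfers):
    """Adjacency list: address -> list of (destination, amount)."""
    graph = defaultdict(list)
    for src, dst, amt in transfers:
        graph[src].append((dst, amt))
    return graph


def balances(transfers):
    """Net balance per address (inflow minus outflow)."""
    bal = defaultdict(float)
    for src, dst, amt in transfers:
        bal[src] -= amt
        bal[dst] += amt
    return bal


def trace(start, transfers, exchanges):
    """Follow every outgoing path from a ransom payment address.

    A path ends either at a tagged exchange deposit (cash-out) or at an
    address that still holds a balance and has not spent it (parked).
    Returns one dict per terminal with the path, hop count and amount.
    """
    graph = build_graph(transfers)
    bal = balances(transfers)
    results = []

    def walk(addr, path, amount, seen):
        if addr in exchanges:
            results.append({"path": path, "hops": len(path) - 1,
                            "terminal": "exchange", "amount": amount})
            return
        outgoing = graph.get(addr, [])
        if not outgoing:
            if bal[addr] > 0:
                results.append({"path": path, "hops": len(path) - 1,
                                "terminal": "parked", "amount": bal[addr]})
            return
        for dst, amt in outgoing:
            if dst in seen:          # guard against cycles in the graph
                continue
            walk(dst, path + [dst], amt, seen | {dst})

    initial = sum(amt for _, amt in graph.get(start, []))
    walk(start, [start], initial, {start})
    return results


def summarize(results):
    """Totals by terminal type plus the longest layering chain observed."""
    cashed_out = sum(r["amount"] for r in results if r["terminal"] == "exchange")
    parked = sum(r["amount"] for r in results if r["terminal"] == "parked")
    max_hops = max((r["hops"] for r in results), default=0)
    return {"cashed_out": cashed_out, "parked": parked, "max_hops": max_hops}


if __name__ == "__main__":
    for victim in ("victim_pay_1", "victim_pay_2"):
        found = trace(victim, TRANSFERS, EXCHANGE_DEPOSITS)
        for r in found:
            print(victim, "->", " -> ".join(r["path"]), r["terminal"], r["amount"])
        print(victim, summarize(found))
```

On the constructed ledger the first ransom payment splits at hop_a: 6 BTC reaches an exchange after three hops, while 4 BTC sits unspent at hop_d, which is the "parked" pattern the report describes. The real work in an investigation is the attribution list (which addresses belong to which service); the graph walk itself is the easy part.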
Healthcare in the Crosshairs
Healthcare organizations appear to be a priority target for Embargo due to the high operational stakes. Disruptions from ransomware can directly impact patient care, increasing pressure on victims to pay quickly. The group also uses “double extortion” tactics — encrypting files while stealing sensitive data. Refusal to pay can result in threats to leak or sell stolen information on the dark web, adding reputational and regulatory risks to the financial toll.
The Bigger Picture
With nearly $19 million in stolen cryptocurrency still sitting dormant in unattributed wallets, the Embargo ransomware group remains active and well-resourced. If TRM Labs’ theory about its BlackCat origins holds true, the operation represents an evolution of one of the most notorious ransomware brands of recent years, signaling that law enforcement takedowns do not always spell the end for organized cybercrime networks.