The Embargo ransomware gang has generated approximately $34.2m in attack proceeds since emerging in April 2024, according to a new analysis by TRM Labs.
The blockchain intelligence platform traced crypto payments from victim addresses to a range of destinations likely associated with the ransomware group.
This included hundreds of deposits worth approximately $13.5m distributed across multiple global virtual asset service providers.
Other funds have been laundered through intermediary wallets, high-risk exchanges and sanctioned platforms such as Cryptex.net.
In total, approximately $18.8m in victim funds remain in unattributed addresses.
The vast distribution of ransom proceeds is likely a deliberate tactic to evade detection by authorities, according to the researchers.
This includes disrupting behavioral patterns or delaying movement of funds until external conditions are more favorable, such as media attention, network fees or liquidity.
TRM Labs also observed that cryptocurrency addresses historically linked to the now defunct BlackCat gang have funneled funds to wallet clusters associated with Embargo victims.
This on-chain overlap reinforces the assessment that Embargo may be a rebranded version of BlackCat, which shutdown in an apparent exit scam in March 2024.
Embargo Adopts Advanced Technical Capabilities
The TRM Labs report, published on August 8, noted that Embargo may be adopting AI and machine learning (ML) to scale attacks, craft more convincing phishing lures, adapt malware and accelerate operations.
This assessment is based on the technical capabilities of the ransomware-as-as-service (RaaS) actor, allowing it to deploy highly advanced and aggressive ransomware.
Embargo typically gains initial access by exploiting unpatched software vulnerabilities or through social engineering. The latter includes phishing emails and drive-by downloads delivered via malicious websites.
Once inside a network, the group demonstrates a clear focus on defense evasion and maximizing impact. It deploys a two-part toolkit to disable security tools and remove recovery options before encrypting files.
Read now: Embargo Ransomware Gang Deploys Customized Defense Evasion Tools
Following encryption, victims are directed to communicate through Embargo-controlled infrastructure. This enables the group to retain control over negotiations and reduce exposure.
It uses double-extortion tactics in negotiations, threatening to leak or sell exfiltrated data if the victim refuses to pay.
Embargo maintains a data leak site where it lists organizations, and sometimes the names of individual executives, who refuse to pay.
Embargo also avoids overt branding and high-visibility tactics of other more prominent ransomware groups, such as LockBit and Akira.
“This operational restraint has likely helped Embargo evade law enforcement detection and reduced media attention,” the TRM Labs researchers noted.
The group’s RaaS model allows affiliates to use its tools to conduct attacks in exchange for a share in proceeds. However, Embargo retains control over core operations, including technical infrastructure and payment negotiations.
As with BlackCat, the ransomware deployed by Embargo is in the Rust programming language, enabling cross-platform compatibility and enhanced obfuscation.
Additionally, Embargo’s data leak site closely resembles BlackCat’s in both visual design and underlying functionality and content structure, the researchers noted.
Possible Nation State Alignment
While Embargo is primarily financially motivated, several incidents have featured politically charged messages and ideological references, suggesting possible nation-state alignment.
“This potential overlap complicates attribution and reflects a broader trend of financially motivated actors engaging in politically themed campaigns. Furthermore, nation-state actors almost certainly leverage cybercriminal groups as proxies to advance strategic or financial objectives while maintaining plausible deniability,” the researchers wrote.
The group disproportionately targets US-based organizations, with a particular focus on healthcare, business services and manufacturing sectors.
This is likely due to the sensitivity to operational disruption in these sectors.
Ransom demands issued by the group have been observed to be as high as $1.3m.