A relatively new ransomware group known as Embargo has become a key player in the cybercrime underground, moving over $34 million in crypto-linked ransom payments since April 2024.

Operating under a ransomware-as-a-service (RaaS) model, Embargo has hit critical infrastructure across the United States, with targets including hospitals and pharmaceutical networks, according to blockchain intelligence firm TRM Labs.

Victims include American Associated Pharmacies, Georgia-based Memorial Hospital and Manor, and Weiser Memorial Hospital in Idaho. Ransom demands have reportedly reached up to $1.3 million.

TRM’s investigation suggests Embargo may be a rebranded version of the infamous BlackCat (ALPHV) operation, which disappeared following a suspected exit scam earlier this year. The two groups share technical overlap, using the Rust programming language, operating similar data leak sites, and exhibiting onchain ties through shared wallet infrastructure.

TRM’s Graph Visualizer showing a small Embargo wallet cluster with incoming BlackCat (ALPHV) exposure. Source: TRM Labs

Related: US DOJ seizes $24M in crypto from accused Qakbot malware developer

Embargo holds $18.8 million in dormant crypto

Around $18.8 million of Embargo’s crypto proceeds remain dormant in unaffiliated wallets, a tactic experts believe may be designed to delay detection or exploit better laundering conditions in the future.

The group uses a network of intermediary wallets, high-risk exchanges, and sanctioned platforms, including Cryptex.net, to obscure the origin of funds. From May through August, TRM traced at least $13.5 million across various virtual asset service providers and more than $1 million routed through Cryptex alone.

While not as visibly aggressive as LockBit or Cl0p, Embargo has adopted double extortion tactics, encrypting systems and threatening to leak sensitive data if victims fail to pay. In some instances, the group has publicly named individuals or leaked data on its site to increase pressure.

Embargo primarily targets sectors where downtime is costly, including healthcare, business services, and manufacturing, and has shown a preference for US-based victims, likely due to their higher capacity to pay.

Related: Coinbase faces $400M bill after insider phishing attack

UK to ban ransomware payments for public sector

The UK is set to ban ransomware payments for all public sector bodies and critical national infrastructure operators, including energy, healthcare, and local councils. The proposal introduces a prevention regime requiring victims outside the ban to report intended ransom payments.

The plan also includes a mandatory reporting system, with victims required to submit an initial report to the government within 72 hours of an attack and a detailed follow-up within 28 days.