Hacker Group Embargo Stole Over $34 Million in Cryptocurrencies Since April 2024

Since April 2024, the hacker group Embargo, operating under a “ransomware as a service” (RaaS) model, has received approximately $34.2 million in ransom payments in cryptocurrencies from its victims. The primary targets of their attacks have been companies in the United States, including American Associated Pharmacies, Memorial Hospital and Manor, and Weiser Memorial Hospital. Some individual ransoms reached as high as $1.3 million.

This is reported by Finway.

Embargo’s Tactics and Main Attack Targets

Embargo is known for providing tools to affiliated hackers in exchange for a share of the ransom received, while retaining control over the infrastructure and negotiations with victims. The group avoids publicity, allowing it to remain undetected by law enforcement for an extended period.

The main targets of Embargo are organizations in the healthcare, business services, and manufacturing sectors, primarily in the United States, where companies are capable of paying significant ransom amounts. The attackers infiltrate networks through unpatched vulnerabilities, phishing emails, or compromised websites, after which they disable security systems and destroy backups before encrypting data.

Evolution of Cybercrime and Suspicions of Political Motivation

Embargo employs a “double extortion” strategy: in addition to encrypting data, it steals confidential information and threatens to publish or sell it on the dark web. In some cases, the attackers publicly disclose the names of specific individuals to increase psychological pressure on the victims.

Analysts suspect that Embargo may be a successor to, or a rebranding of, the notorious group BlackCat (ALPHV), as indicated by the use of the Rust programming language, similar designs for their leak sites, and overlaps in cryptocurrency wallets.

The ransom received by Embargo passes through a series of intermediary wallets, high-risk cryptocurrency exchanges, and sanctioned platforms, including Cryptex.net. Approximately $18.8 million is currently blocked at unknown addresses, which complicates tracking the movement of the funds.

Experts suggest that Embargo utilizes artificial intelligence and machine learning to automate attacks, create sophisticated phishing campaigns, modify malware, and enhance operational efficiency. At the same time, similar technologies are employed by companies to protect their systems — from detecting suspicious activity to automatically blocking threats.

“At TRM Labs, it was emphasized that understanding Embargo’s tactics is critically important for enhancing organizations’ readiness to respond. The group demonstrates that modern ransomware operations are becoming technically more complex, adaptable, and capable of rapidly evolving to avoid detection.”

While Embargo’s primary goal is financial, some attacks exhibit political messages, which may indicate connections to state structures.

Previously, experts calculated that in the first half of 2025, the cryptocurrency industry lost $2.1 billion due to hacker attacks.