Embargo ransomware hackers linked to the "escaped" BlackCat group


The Embargo ransomware group has become one of the key shadow players in the RaaS sector. Since April 2024, hackers have received more than $34 million in cryptocurrency as ransom payments, according to a report by TRM Labs.

According to researchers, the group provides criminals with tools to carry out attacks in exchange for a share of the ransom revenue. Meanwhile, Embargo maintains control over the main operations, including infrastructure manipulation and payment negotiations.

"Embargo uses high-tech and aggressive ransomware. However, they avoid branding and do not use attention-grabbing tactics like other well-known groups, such as triple extortion and targeting victims. Such restraint has likely helped them avoid detection by law enforcement and reduce media attention," said TRM Labs.

Cybercriminals often target organizations in the healthcare, business services, and manufacturing sectors, for which downtime is costly.

Among the known victims are the American Associated Pharmacies network, Memorial Hospital and Manor in Georgia, and Weiser Memorial Hospital in Idaho. The total ransom demands against them reached $1.3 million.

Typically, Embargo gains initial access by exploiting unpatched software vulnerabilities, through social engineering, and via phishing emails and malicious websites.

Connection with BlackCat

Analysts at TRM Labs suggest that Embargo may be a rebrand of BlackCat, the group that distributed the ALPHV ransomware.

In 2024, hackers announced the closure of the project because the FBI allegedly seized their infrastructure. However, law enforcement did not confirm this information. Rumors of a possible exit scam then emerged, and one of the participants accused team members of stealing $22 million from the ransoms received.

Researchers identified technical traits the two groups share: both write their tooling in the Rust programming language, run similar data leak websites, and show on-chain links through overlapping wallet clusters.

Connection between Embargo and BlackCat wallets. Source: TRM Labs.

Embargo uses a network of intermediary addresses, high-risk exchanges, and sanctioned platforms, including Cryptex.net, to obscure the origin of funds. Along the way, the group rarely uses cryptomixers or cross-chain bridges.

Researchers identified about $18.8 million of the group's criminal proceeds that have sat dormant for an extended period. Leaving funds unmoved likely draws less attention to the group's activity.
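The three on-chain observations above (shared wallet clusters, layering through intermediary addresses toward labelled services, and long-dormant balances) are the kind of thing a blockchain analyst checks with a handful of graph heuristics. The script below is an added illustration written for this page; it is not code from TRM Labs or from the article, and every address, amount, timestamp and label in it is constructed. It assumes a simplified address-level ledger (inputs are spent in full, outputs credited), the common-input-ownership clustering heuristic, a forward breadth-first search to labelled deposit addresses, and a dormancy rule based on last activity.

```python
"""Added example: minimal on-chain tracing heuristics over a constructed ledger.
Not from the article or TRM Labs; all data below is fictitious."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed ledger. Each tx spends every listed input in full and pays the outputs.
TXS = [
    {"id": "t0", "time": datetime(2024, 5, 20), "inputs": ["victim_B"],
     "outputs": [("ransom_wallet_2", 20.0)]},
    {"id": "t1", "time": datetime(2024, 6, 1), "inputs": ["victim_A"],
     "outputs": [("ransom_wallet_1", 50.0)]},
    # Two ransom wallets co-spent in one tx: the common-input heuristic links them.
    {"id": "t2", "time": datetime(2024, 6, 3), "inputs": ["ransom_wallet_1", "ransom_wallet_2"],
     "outputs": [("hop_1", 40.0), ("hop_2", 30.0)]},
    {"id": "t3", "time": datetime(2024, 6, 5), "inputs": ["hop_1"],
     "outputs": [("hop_3", 39.9)]},
    {"id": "t4", "time": datetime(2024, 6, 9), "inputs": ["hop_3"],
     "outputs": [("sanctioned_svc_deposit", 39.8)]},
    {"id": "t5", "time": datetime(2024, 6, 10), "inputs": ["hop_2"],
     "outputs": [("cold_store", 29.9)]},  # parked and never moved again
]
# Constructed attribution labels an analyst would normally source from a risk feed.
LABELS = {"sanctioned_svc_deposit": "sanctioned service",
          "highrisk_exch_deposit": "high-risk exchange"}
AS_OF = datetime(2025, 8, 1)


def cluster_addresses(txs):
    """Common-input-ownership heuristic: addresses spent together in one tx are
    assumed to share a controller. Returns address -> cluster representative."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path compression
            a = parent[a]
        return a

    for tx in txs:
        ins = tx["inputs"]
        for a in ins:
            find(a)
        for other in ins[1:]:
            parent[find(other)] = find(ins[0])
    return {a: find(a) for a in list(parent)}


def trace_to_labelled(txs, start, labels, max_hops=6):
    """Follow funds forward from `start` and return every hop path that ends at a
    labelled (high-risk or sanctioned) deposit address within `max_hops`."""
    outgoing = defaultdict(list)
    for tx in txs:
        for src in tx["inputs"]:
            for dst, _amt in tx["outputs"]:
                outgoing[src].append(dst)
    found = []
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        last = path[-1]
        if last in labels and last != start:
            found.append((path, labels[last]))
            continue
        if len(path) > max_hops:
            continue
        for dst in outgoing[last]:
            if dst not in path:  # avoid cycles
                queue.append(path + [dst])
    return found


def dormant_balances(txs, as_of, min_idle_days=180, skip=()):
    """Balances that are non-zero and untouched for at least `min_idle_days`.
    Labelled service deposit addresses are skipped since the service sweeps them."""
    balance = defaultdict(float)
    last_seen = {}
    for tx in sorted(txs, key=lambda t: t["time"]):
        for src in tx["inputs"]:
            balance[src] = 0.0  # model: inputs are spent in full
            last_seen[src] = tx["time"]
        for dst, amt in tx["outputs"]:
            balance[dst] += amt
            last_seen[dst] = tx["time"]
    idle = timedelta(days=min_idle_days)
    return {a: round(b, 4) for a, b in balance.items()
            if b > 0 and a not in skip and as_of - last_seen[a] >= idle}


if __name__ == "__main__":
    clusters = cluster_addresses(TXS)
    seed = clusters["ransom_wallet_1"]
    members = sorted(a for a, c in clusters.items() if c == seed)
    print("ransom cluster:", members)
    for member in members:
        for path, label in trace_to_labelled(TXS, member, LABELS):
            print(f"{member} -> {label}: {' -> '.join(path)}")
    print("dormant:", dormant_balances(TXS, AS_OF, skip=LABELS))
```

Run as a script to see the cluster, the layering path from the ransom wallet to the labelled deposit address, and the parked balance. On real chain data the same three steps are the starting point for the wallet-cluster and stagnant-funds findings the article reports; the heuristics are deliberately simple and produce false positives (for example, CoinJoin-style transactions break the common-input assumption), so an analyst treats them as leads rather than proof.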

In July 2025, a former employee of the company DigitalMint, which assists victims of ransomware, was suspected of colluding with hackers.
