Ransomware Group 'Embargo' Emerges, Possibly a Rebranding of BlackCat

The ransomware group known as Embargo has reportedly generated substantial profits since its inception, potentially indicating a rebranding from the now-defunct BlackCat operation.

Key Highlights:

  • The ransomware operation known as Embargo has amassed over $34 million since its debut in April 2024, potentially indicating it is a reincarnation of the closed BlackCat operation.
  • Embargo seems to target U.S. industries including healthcare and manufacturing, demanding ransoms as high as $1.3 million.
  • The group combines double extortion strategies with possible use of AI to improve phishing techniques and reconnaissance efforts.

Overview:

Embargo began operations in April 2024 and has reportedly generated significant revenue, suggesting ties to the defunct BlackCat (ALPHV) group. TRM Labs noted similarities between the two operations in both infrastructure and code, prompting speculation about a rebrand.

In its latest report, TRM identified traces connecting older BlackCat wallets to those of Embargo’s targets, pointing to a pattern consistent with Ransomware-as-a-Service (RaaS) operations. The group is known to pressure victims, particularly in sectors where downtime incurs heavy costs.

Approximately $13 million has been moved to global Virtual Asset Service Providers (VASPs), while about $18.8 million appears to sit dormant in wallets with unclear ownership, likely held there to avoid detection until conditions are suitable for moving it.

The group employs double extortion, encrypting files as well as threatening to leak data, and might be experimenting with AI capabilities to expand their phishing schemes.
