Security Affairs

Embargo Ransomware nets $34.2M in crypto since April 2024


Embargo ransomware, likely a BlackCat/Alphv successor, has netted $34.2M in crypto since mid-2024, researchers say.

The Embargo ransomware group has processed $34.2M in crypto since emerging in April 2024, researchers from blockchain intelligence company TRM Labs report.

“TRM Labs has identified approximately USD 34.2 million in incoming transaction volume likely associated with the group, with most victims located in the United States (US) in the healthcare, business services, and manufacturing sectors,” reads the report published by TRM Labs.

The RaaS mainly targeted US healthcare, business services, and manufacturing. Victims include American Associated Pharmacies, Memorial Hospital and Manor (GA), and Weiser Memorial Hospital (ID), with ransom demands up to $1.3M.

TRM believes the Embargo ransomware group may be a BlackCat/Alphv successor based on multiple technical and behavioral similarities, including use of the Rust programming language, a similarly designed data leak site, and on-chain overlaps via shared wallet infrastructure.

“Although not as prolific as groups like LockBit, Akira, or Cl0p, TRM assesses that Embargo is likely well resourced and technically capable — potentially drawing on the expertise or codebases of previous threat actors,” continues the report.

The researchers observed the group laundering ransom proceeds through intermediary wallets, high-risk exchanges, and sanctioned platforms such as Cryptex.net.

The experts also discovered approximately USD 18.8 million that remains dormant in unattributed wallets, suggesting a deliberate evasion tactic.
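The tracing described in the two paragraphs above (following ransom proceeds from the receiving wallets through intermediary hops, and separating funds that reached a labeled high-risk or sanctioned endpoint from funds still sitting untouched in unattributed wallets) reduces to a forward walk over a transaction graph. The script below is an added illustration, not TRM Labs' tooling or data: the ledger, wallet names, amounts and labels are all constructed placeholders, and no real addresses appear.

```python
from collections import defaultdict, deque

# Constructed sample ledger: (sender, receiver, amount in USD-equivalent).
# Wallet names are placeholders invented for this example, not real addresses.
SAMPLE_TRANSFERS = [
    ("victim_a", "ransom_1", 1_300_000),
    ("victim_b", "ransom_1", 700_000),
    ("victim_c", "ransom_2", 400_000),
    ("ransom_1", "hop_1", 2_000_000),          # first intermediary hop
    ("hop_1", "hop_2", 1_200_000),
    ("hop_1", "exchange_highrisk", 800_000),   # cash-out at a labeled venue
    ("hop_2", "sanctioned_platform", 500_000), # cash-out at a labeled venue
    ("hop_2", "dormant_1", 700_000),           # parked, never moved again
    ("ransom_2", "dormant_2", 400_000),        # parked, never moved again
]

# Constructed attribution labels, standing in for an analyst's labeled wallet set.
SAMPLE_LABELS = {
    "exchange_highrisk": "high-risk exchange",
    "sanctioned_platform": "sanctioned service",
}


def build_graph(transfers):
    """Directed adjacency list: sender -> [(receiver, amount), ...]."""
    out = defaultdict(list)
    for sender, receiver, amount in transfers:
        out[sender].append((receiver, amount))
    return out


def balances(transfers):
    """Net balance per wallet after all transfers are applied."""
    bal = defaultdict(int)
    for sender, receiver, amount in transfers:
        bal[sender] -= amount
        bal[receiver] += amount
    return bal


def trace(transfers, labels, ransom_wallets):
    """Walk forward from the ransom-receiving wallets and classify where funds ended up."""
    graph = build_graph(transfers)
    bal = balances(transfers)
    parent = {w: None for w in ransom_wallets}
    queue = deque(ransom_wallets)
    reached = []
    while queue:
        wallet = queue.popleft()
        reached.append(wallet)
        for nxt, _ in graph.get(wallet, []):
            if nxt not in parent:          # first-seen parent gives a shortest hop path
                parent[nxt] = wallet
                queue.append(nxt)

    def path_to(wallet):
        chain = []
        while wallet is not None:
            chain.append(wallet)
            wallet = parent[wallet]
        return chain[::-1]

    incoming = sum(a for _, r, a in transfers if r in ransom_wallets)
    labeled = {w: bal[w] for w in reached if w in labels}
    # Dormant: reached from the ransom wallets, unattributed, still holding funds, no outflow.
    dormant = {w: bal[w] for w in reached
               if w not in labels and bal[w] > 0 and not graph.get(w)}
    return {
        "incoming": incoming,
        "to_labeled": sum(labeled.values()),
        "labeled_wallets": labeled,
        "dormant": sum(dormant.values()),
        "dormant_wallets": dormant,
        "paths": {w: path_to(w) for w in labeled},
    }


if __name__ == "__main__":
    result = trace(SAMPLE_TRANSFERS, SAMPLE_LABELS, ["ransom_1", "ransom_2"])
    print(f"incoming ransom volume : {result['incoming']:,}")
    print(f"reached labeled venues : {result['to_labeled']:,}")
    print(f"dormant, unattributed  : {result['dormant']:,}")
    for wallet, chain in result["paths"].items():
        print(f"  {SAMPLE_LABELS[wallet]:<20} via {' -> '.join(chain)}")
```

On the constructed ledger the two totals add up to the incoming volume, which is a useful sanity check when running this over real attribution data: anything that neither reaches a labeled endpoint nor sits dormant is still in motion and belongs on a watch list rather than in either bucket.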

Embargo may be using AI and ML to scale attacks, create convincing phishing lures, adapt malware, and speed up its operations.

Embargo, though financially driven, has used politically charged messages, hinting at possible links with states. It mainly targets healthcare, business services, and manufacturing for maximum disruption, often in the US but also in Europe and Asia. Healthcare attacks risk patient care, reflecting a trend of exploiting critical services for leverage.

Embargo exploits unpatched flaws or uses phishing as initial access vectors, then disables defenses and removes recovery options before encrypting files. It controls negotiations via its own infrastructure and runs a leak site to pressure non-paying victims, sometimes naming individuals. Using double extortion, it also threatens to sell or leak stolen data, amplifying financial, reputational, and regulatory risks.

“While AI is accelerating the scale and sophistication of ransomware attacks, it’s also becoming a critical tool in stopping them. Companies are using AI to detect signs of compromise — such as unusual access behavior and file encryption patterns,” concludes the report.

“Effectively countering ransomware threats also requires collaboration between the public and private sectors.”
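The "file encryption patterns" the report points to do not require a model to spot at a basic level: a process that, within a short window, overwrites many files with high-entropy content and then renames them to a new extension looks very different from a user editing documents. The detector below is an added example, not code from TRM Labs or from this article; the file-event stream, the process names, the `.locked` extension and the thresholds are all constructed for illustration, and the "ciphertext" is deterministic SHA-256 output standing in for encrypted data.

```python
import hashlib
import math
from collections import defaultdict, deque

WINDOW_SECONDS = 60          # sliding window per process
MIN_SUSPICIOUS_EVENTS = 10   # high-entropy writes AND extension changes needed to alert
ENTROPY_THRESHOLD = 7.0      # bits per byte; plain documents sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ~8.0 for ciphertext, ~4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pseudo_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Deterministic stand-in for encrypted file content (constructed, not real ransomware output)."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:size])


PLAINTEXT = b"Quarterly revenue summary for the manufacturing division. " * 80


def build_sample_events():
    """Constructed file events: (ts, pid, process, op, path, payload).
    For 'write' the payload is the data written; for 'rename' it is the new path."""
    events = []
    # Benign: a word processor saving three ordinary documents.
    for i in range(3):
        events.append((100 + i, 1001, "winword.exe", "write",
                       f"C:\\Users\\a\\Documents\\report{i}.docx", PLAINTEXT))
    # Suspicious: one process rewriting a share with ciphertext, then renaming each file.
    for i in range(12):
        path = f"C:\\Shares\\finance\\invoice{i}.xlsx"
        events.append((200 + i, 4242, "updater.exe", "write", path, pseudo_ciphertext(i)))
        events.append((200 + i, 4242, "updater.exe", "rename", path, (path + ".locked").encode()))
    return events


def extension(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def detect(events):
    """Return one alert per process whose recent activity matches mass encryption."""
    windows = defaultdict(deque)   # pid -> deque of (ts, kind)
    alerts = {}
    for ts, pid, proc, op, path, payload in sorted(events, key=lambda e: e[0]):
        kind = None
        if op == "write" and shannon_entropy(payload) >= ENTROPY_THRESHOLD:
            kind = "high_entropy_write"
        elif op == "rename" and extension(payload.decode()) != extension(path):
            kind = "extension_change"
        if kind is None:
            continue
        q = windows[pid]
        q.append((ts, kind))
        while q and ts - q[0][0] > WINDOW_SECONDS:   # drop events outside the window
            q.popleft()
        writes = sum(1 for _, k in q if k == "high_entropy_write")
        renames = sum(1 for _, k in q if k == "extension_change")
        if writes >= MIN_SUSPICIOUS_EVENTS and renames >= MIN_SUSPICIOUS_EVENTS and pid not in alerts:
            alerts[pid] = {"pid": pid, "process": proc, "high_entropy_writes": writes,
                           "extension_changes": renames, "first_seen": q[0][0], "flagged_at": ts}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(f"ALERT pid={alert['pid']} {alert['process']}: {alert['high_entropy_writes']} "
              f"high-entropy writes and {alert['extension_changes']} extension changes "
              f"between t={alert['first_seen']} and t={alert['flagged_at']}")
```

Requiring both signals inside the same window keeps the false-positive rate down: backup agents and compression tools produce high-entropy writes without mass renames, and bulk renames alone are common in normal file management. In production the events would come from an EDR or file-system auditing feed rather than a constructed list, and the thresholds should be tuned per environment.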


Pierluigi Paganini

(SecurityAffairs – hacking, Embargo ransomware)