The hacker group Embargo, operating under a “ransomware as a service” (RaaS) model, has obtained at least $34.2 million in cryptocurrencies since April 2024 through attacks on companies, primarily in the U.S. Among the victims are American Associated Pharmacies, Memorial Hospital and Manor, as well as Weiser Memorial Hospital. Individual ransoms reached up to $1.3 million.
This is reported by Business • Media
Features of Embargo’s Operations and Attack Targets
Experts suggest that Embargo may be a successor or rebranding of the BlackCat (ALPHV) group. This theory is based on shared technical characteristics: the use of the Rust programming language, similar website designs for publishing stolen data, and some overlaps in the use of cryptocurrency wallets.
Embargo provides affiliated hackers with tools to carry out attacks, taking a share of the ransom while maintaining control over key elements of the operation — infrastructure and negotiations with victims. The group avoids aggressive publicity, allowing it to remain under the radar of law enforcement for longer.
The primary targets of Embargo are companies in the healthcare, business services, and manufacturing sectors. The choice of such organizations is linked to their willingness to pay significant ransom amounts.
Attack Tactics and Innovations in the Group’s Operations
Hackers infiltrate corporate networks through unpatched vulnerabilities, phishing emails, or compromised websites. After that, they disable security systems and delete backups before encrypting data.
Embargo employs a “double extortion” tactic: in addition to encrypting data, the group steals confidential information and blackmails the victim with threats to publish or sell it on the dark web. Additional pressure is created by publishing the names of employees from the attacked organizations.
“Since April 2024, the group of criminals Embargo, operating under the ‘ransomware as a service’ (RaaS) model, has obtained approximately $34.2 million in cryptocurrencies from victims. Among them are American Associated Pharmacies, Memorial Hospital and Manor, and Weiser Memorial Hospital. Some ransoms reached $1.3 million.”
According to analysts, the ransoms obtained by Embargo are laundered through intermediary wallets, high-risk exchanges, and sanctioned platforms such as Cryptex.net. As of August 2025, approximately $18.8 million remains “frozen” at unknown addresses, likely to complicate the tracing of funds.
Experts believe that Embargo may use artificial intelligence and machine learning to scale attacks, create more realistic phishing messages, automatically modify malware, and expedite operations. At the same time, modern companies are also using such technologies to detect anomalous activity and automatically block suspicious processes.
Despite predominantly financial motivations, Embargo has displayed political messages in a number of incidents, which may indicate potential ties to state structures.
Analysts emphasize that understanding the tactics and strategies of Embargo is critically important for enhancing the cybersecurity of organizations, as modern ransomware operations are becoming increasingly complex and adapting to new conditions to avoid detection.
It is worth noting that in the first half of 2025, the crypto industry lost $2.1 billion due to hacker breaches.