A new ransomware group known as Embargo has laundered over $34 million in cryptocurrency from a series of hospital ransomware attacks across the United States, according to blockchain intelligence firm TRM Labs. Believed to be a rebrand of the defunct BlackCat operation, the gang has demanded ransoms of up to $1.3 million, using AI-enhanced tactics to breach systems, encrypt data, and extort victims.
TRM Labs research indicates that Embargo may be a rebrand of the now-defunct BlackCat operation, with high-profile ransomware attacks hitting American Associated Pharmacies, Memorial Hospital and Manor in Georgia, and Weiser Memorial Hospital in Idaho.
Sophisticated RaaS Model Evades Detection
Operating under a Ransomware-as-a-Service (RaaS) model, Embargo supplies affiliates with powerful attack tools while maintaining centralized control over infrastructure and ransom negotiations.
TRM’s Graph Visualizer showing a small Embargo wallet cluster with incoming BlackCat (ALPHV) exposure. Source: TRM Labs
Unlike LockBit or Cl0p, the group avoids flashy branding, which may help it evade law enforcement while expanding its ransomware attacks into healthcare, manufacturing and business services.
Possible BlackCat Connection
Investigators found multiple technical overlaps between Embargo and BlackCat, including use of the Rust programming language, near-identical leak site designs and shared wallet infrastructure.
Historical BlackCat-linked wallets have transferred funds to addresses connected to ransomware attacks carried out by Embargo, suggesting operational continuity.
AI-Driven Cybercrime Surge
The rise of Embargo comes amid a broader surge in cybercrime. In July 2025 alone, crypto hack losses climbed 27.2% to $142 million, while the first half of 2025 saw $2.2 billion lost across 344 incidents.
Embargo leverages AI and machine learning to automate its ransomware attacks, exploiting unpatched vulnerabilities, launching AI-generated phishing campaigns, and using malicious drive-by downloads.
Once inside networks, the group deploys a two-stage toolkit that disables defenses, deletes recovery options, encrypts files and exfiltrates sensitive data. This “double extortion” method pressures hospitals by threatening to leak or sell stolen patient records on the dark web.
Political and Financial Motives
Some ransomware attacks carried out by Embargo include politically charged messaging, hinting at potential state affiliations. This combination of ideological and financial motives complicates attribution and follows a trend of financially driven actors adopting political narratives.
Complex Laundering Networks
Embargo launders its ransom proceeds through intricate networks of intermediary wallets, high-risk exchanges, and sanctioned platforms such as Cryptex.net.
TRM Labs traced $13.5 million through various exchanges, with 17 deposits exceeding $1 million sent via Cryptex.net between May and August 2024.
In total, around $18.8 million linked to the group's ransomware attacks remains idle in unknown wallets, possibly as part of evasion tactics or internal disputes within the group.
Other recent crypto security incidents include the $44.2 million breach at Indian exchange CoinDCX, tied to North Korea’s Lazarus Group, and a GreedyBear campaign using 150 weaponized Firefox extensions to steal over $1 million.
Victor Prince Johnson is a tech writer and crypto blogger with a passion for breaking down complex topics into clear, engaging, and accessible content.