Criminals also learn and develop to increase their income and maintain a high degree of anonymity. We explain how the BlackCat ransomware group has evolved.

How crypto ransomware operate: the tactics of the Embargo and BlackCat groups

11.08.2025

In 2024, the world first learned about the Embargo crypto ransomware gang. It later emerged that the group was previously known as BlackCat but had decided to undergo a “rebranding.” In addition to changing their name, the extortionists modified their methods and learned new techniques. GetBlock AML Research reveals the tactics of the most successful crypto ransomware group.

The connection between Embargo and BlackCat

TRM Labs has identified several factors that indicate that Embargo and BlackCat are one and the same group:

  • they write their malware in the same programming language, Rust;
  • they run similar data-leak websites;
  • they use some of the same crypto wallets.

Embargo launders the cryptocurrency it receives through a chain of intermediate wallets, risky exchanges, and prohibited services such as Cryptex.net. Approximately $18.8 million lies dormant in anonymous wallets — this is one way to cover their tracks and distract law enforcement from the financial flows.

Visualization: TRM Labs

Connection between Embargo and BlackCat wallets

Judging by their technical level, Embargo may use artificial intelligence and machine learning to scale attacks, craft more convincing phishing emails, modify malware code, and speed up operations.

What does cryptocurrency have to do with it

Cryptocurrency is a key tool for extortion groups: it allows them to receive money anonymously and move it across borders. They most often use Bitcoin, but some prefer Monero (XMR) because it hides transaction details better. Although law enforcement is increasingly tracking crypto payments, such groups are constantly coming up with new ways to avoid surveillance.

Embargo’s operating model

Embargo is known for its sophisticated and targeted attacks using the RaaS (Ransomware-as-a-Service) model. This means that they supply their “partners” (affiliates) with attack tools in exchange for a share of the ransom. At the same time, Embargo maintains complete control over the core infrastructure and the negotiations with victims. This scheme allows them to expand their activities quickly and attack different industries and countries.

“Quiet” style

Unlike high-profile groups such as LockBit or Cl0p, Embargo operates more quietly. They use powerful and aggressive software but avoid excessive publicity and open threats to victims. This makes them harder to track and less likely to be covered in the media.

Who is being attacked

Embargo most often targets:

  • medical organizations,
  • service companies,
  • manufacturing enterprises.

The choice is explained by the fact that such organizations cannot afford downtime and are willing to pay faster. Attacks on medical organizations are particularly dangerous, as they can directly affect patients’ lives.

Geographically, the main target is the United States, but attacks have also been recorded in Europe and Asia.

Pressure on victims

Embargo has a website where it publishes the data of victims who have refused to pay. Sometimes they even post names and personal information to increase the pressure.

In addition, they use double extortion:

  • they encrypt files;
  • they steal data and then threaten to leak or sell it.

This creates not only financial losses, but also reputational and legal problems.

Cryptocurrency laundering

On-chain analysis of Embargo wallets reveals their methods of laundering cryptocurrency obtained from victims. The group uses:

  • centralized (CEX) and decentralized (DEX) exchanges;
  • services for anonymous transfers;
  • mixers and P2P platforms;
  • Cryptex.net.

The total amount that Embargo laundered through exchanges is about $13.5 million, and more than $1 million passed through Cryptex.net.

Visualization: TRM Labs

On-chain connection between Embargo wallets and Cryptex

Embargo rarely uses mixers like Wasabi. More often, they simply move cryptocurrency through a chain of intermediate wallets and then deposit it on exchanges.

Visualization: TRM Labs

On-chain connection between Embargo wallets and Wasabi

Embargo uses AI

Embargo can use AI and machine learning to:

  • automatically search for victims and vulnerabilities;
  • create more convincing emails carrying malware;
  • generate fake videos and audio (deepfakes);
  • write and modify malicious code to evade antivirus detection.