Date: 2025-08-12

Blockchain analysts have investigated how Embargo, a relatively new yet already successful ransomware group, operates. They suggest that it might be a rebranded or successor operation to the BlackCat group.

Analysts at TRM Labs, a blockchain analysis company, have tied around $34 million in incoming volume to Embargo, a ransomware-as-a-service (RaaS) group.

The research has shown that the criminals behind the group avoid overt branding and high-visibility tactics, helping them evade law enforcement and media attention. They also use sophisticated off-chain tactics in targeted ransomware campaigns. The researchers said they have found links between Embargo and the now-defunct ransomware group BlackCat.

To evade defenses and maximize the impact of their targeted campaigns, the group usually exploits unpatched software vulnerabilities and uses social engineering to gain initial access.

"Once inside a network, Embargo uses a two-part toolkit to disable security tools and remove recovery options before encrypting files," TRM Labs said, adding that victims are then forced to communicate through Embargo-controlled infrastructure, which gives the criminals more control and helps cover their tracks.

What's more, they also publish lists of victims who haven't paid ransoms, sometimes even releasing sensitive data to pressure victims into payment.

After encrypting files and exfiltrating sensitive data, Embargo threatens to leak the data or sell it on the dark web if victims refuse to pay.

The criminals are also leveraging AI to enhance their operations.

"Technologies like AI and machine learning (ML) allow ransomware operators to automate key phases of an attack, including reconnaissance, phishing, malware generation, and negotiation processes," the researchers explained.

Also, while this RaaS group helps others target victims in exchange for a share of the ransom proceeds, Embargo retains control over core operations, including infrastructure and payment negotiations, TRM Labs said.

The research has shown that the group mostly focuses on healthcare, business services, and manufacturing organizations, "likely due to their high up-time requirements and sensitivity to operational disruption." Most of the attacks have been in the US, though organizations in Europe and Asia have also been targeted.

Meanwhile, stolen funds are laundered via intermediary crypto wallets, high-risk exchanges, and sanctioned platforms such as Cryptex.net, TRM Labs said. According to the analysts, around $19 million remains dormant in unattributed wallets, which might be an attempt by the group to cover its tracks.