Ransomware group Embargo has pulled in at least $34.2 million in various tokens since its emergence in April 2024, according to TRM Labs.

The blockchain analytics firm says the ransomware group’s infrastructure and coding overlaps suggests it may be a likely rebranding of the defunct BlackCat (ALPHV) operation.

The group operates a ransomware-as-a-service model, providing affiliates with tooling while controlling the infrastructure and negotiations. U.S. healthcare, manufacturing, and business services have been primary targets as sectors where downtime is costly and ransom leverage is high.

Demands have reached $1.3 million, with victims including American Associated Pharmacies and multiple regional hospitals.

In its Monday report, TRM traced on-chain links between historical BlackCat wallets and addresses tied to Embargo victims, alongside off-chain similarities such as Rust-based ransomware builds and near-identical data leak sites. Affiliates appear to operate fluidly between campaigns, a common RaaS pattern.

Funds are typically moved through intermediary wallets into high-risk exchanges and sanctioned platforms like Cryptex.net, bypassing heavy reliance on mixers. Roughly $13 million has reached global VASPs, while $18.8 million sits idle in unattributed wallets — likely to slow detection and await more favorable movement conditions.

Embargo employs double extortion, combining file encryption with data theft and public leak threats. TRM believes the group may be experimenting with AI to scale phishing campaigns, mutate payloads, and speed reconnaissance — tactics increasingly common among ransomware operators.

The targeting bias toward U.S. healthcare mirrors a broader shift in ransomware strategy: hit services where operational disruption risks spill over into public safety, increasing the pressure to pay quickly.

If Embargo is indeed BlackCat under a new name, it would mark yet another high-profile ransomware pivot designed to preserve affiliate networks and payment channels while evading law enforcement focus, keeping crypto as the core rail for ransom settlement and laundering.

Read more: Ransomware Payments Fell 35% in 2024 as More Victims Refuse to Pay: Chainalysis