A ransomware group going by the name Embargo has extorted roughly $34 million from companies in the United States, with hospitals and healthcare facilities among the top targets, according to research from blockchain intelligence company TRM Labs.
American Associated Pharmacies, Memorial Hospital and Manor in Bainbridge, Georgia, and Weiser Memorial Hospital in Idaho have been among the victims of the group’s ransomware efforts.
Based on technical and behavioral similarities, TRM analysts determined that Embargo is likely a successor, or a rebranded version, of the BlackCat ransomware group. Similarities include use of the Rust programming language, as well as a similarly designed data leak site.
Embargo launders ransom proceeds through intermediary virtual “wallets,” high-risk exchanges, and sanctioned platforms such as Cryptex.net. About $18 million remains dormant in unattributed wallets – a pattern that likely reflects deliberate evasion tactics, analysts found.
The group’s technical sophistication suggests the use of artificial intelligence and machine learning to scale attacks, adapt malware and craft more convincing phishing lures.
WHAT’S THE IMPACT
The group primarily targets organizations in the healthcare, business services, and manufacturing sectors likely due to their “high up-time requirements and sensitivity to operational disruption,” TRM analysts said.
While the group has targeted organizations in Europe and Asia, it disproportionately focuses on U.S. companies, which analysts said is likely due to the perceived ability of U.S.-based outfits to meet higher ransom demands.
Embargo’s “advanced” tactics demonstrate a focus on evasion and maximizing impact, the report found. The group typically gains initial access by exploiting unpatched software vulnerabilities or through social engineering – including phishing emails and drive-by downloads delivered via malicious websites.
Once inside a network, Embargo uses a two-part toolkit to disable security tools and remove recovery options before encrypting files. It then directs victims to communicate through Embargo-controlled infrastructure – a tactic that allows the group to retain control over negotiations and reduce exposure.
To increase leverage, Embargo maintains a data leak site where it lists victims that haven’t paid ransoms. In some cases, the group explicitly names individuals and publicly releases sensitive data to pressure victims into payment.
The group also uses double extortion to pressure its victims, encrypting files while also exfiltrating sensitive data. The group then threatens to leak the data or sell it on the dark web if victims refuse to pay, compounding the financial damage with reputational and potential regulatory consequences.
THE LARGER TREND
A surge in cyberattacks, particularly in 2023, contributed to a steep rise in cyberattack costs for healthcare organizations last year, with the average breach cost nearing $11 million – more than three times the global average – making healthcare the costliest sector for cyberattacks, according to a KnowBe4 report.
Ransomware attacks have dominated, accounting for over 70% of successful cyberattacks on healthcare organizations in the past two years.
Phishing and social engineering tactics are the primary methods used to initiate the majority of cyberattacks, with estimates suggesting that 79% to 91% of attacks begin this way.
The report noted employees in large healthcare organizations have a 51.4% likelihood of falling victim to phishing emails, giving cybercriminals a better-than-even chance of successfully breaching these institutions.
Email: jlagasse@himss.org
Healthcare Finance News is a HIMSS Media publication.