Embargo Ransomware Group Disrupts American Associated Pharmacies

Published on November 18, 2024

The Embargo ransomware group claimed the Scottsboro, AL-based pharmacy chain American Associated Pharmacies as a victim. Embargo alleged it stole 1.5 TB of data before encrypting systems and demanded $1.3 million for decryption keys, which the pharmacy reportedly paid.  

However, the group is demanding an additional $1.3 million to prevent the publication of the stolen data, doubling the average ransom demand, HIPAA Journal reports.  

The pharmacy chain has not confirmed the attack but has reset passwords and restored limited ordering capabilities on its websites, suggesting a response to the breach. This attack follows incidents involving Memorial Hospital and Manor in Georgia and Weiser Memorial Hospital in Idaho.  

Memorial Hospital and Manor suffered an attack on November 1, 2024, which disrupted email and electronic medical records. Embargo claims to have stolen 1.15 TB of data from the facility. At Weiser Memorial Hospital, the group reportedly stole 200 GB of data, which has since been leaked online.  

Embargo’s strategy involves double extortion, leveraging custom tools to evade defenses, steal data, and encrypt systems. These incidents highlight Embargo's aggressive expansion and its focus on high-profile healthcare and critical infrastructure targets.  

Investigations into the extent of patient data exposure are ongoing.

Takeaway: Embargo is a relatively new ransomware group that emerged in June 2024, operating under a ransomware-as-a-service (RaaS) model. The group has quickly gained attention for its sophisticated techniques and high-profile attacks.

As a RaaS provider, Embargo develops and maintains the ransomware while affiliates, such as the financially motivated cybercriminal group Storm-0501, execute attacks and share a portion of the ransom payments.  

Developed in Rust, a programming language known for its efficiency and security, Embargo ransomware employs advanced encryption methods, including the ChaCha20 and Curve25519 algorithms, to secure its hold on victims' data.  

Files encrypted by this ransomware are typically marked with the ".564ba1" extension, making them easily identifiable. In addition to encryption, Embargo utilizes customized tools to disable security solutions.  
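The ".564ba1" extension is the one file-system indicator the article gives, so a responder's first triage step is usually to enumerate which shares and directories already carry it and which original files need restoring from backup. The script below is an added example written for this article, not Halcyon's tooling or anything from the Embargo operators; the extension comes from the text above, the sample paths are constructed, and `scan_tree` is included for running against a real mounted volume.

```python
"""Triage helper for Embargo-style encrypted files.

Added example for this article (not Halcyon's code). Only the ".564ba1"
extension comes from the article; every path below is constructed.
"""
import os
from collections import Counter

EMBARGO_EXT = ".564ba1"  # extension reported in the article


def find_encrypted(paths, ext=EMBARGO_EXT):
    """Return the paths whose file name ends with the ransomware extension.

    The comparison is case-insensitive so that files on case-insensitive
    volumes (Windows shares, for example) are not missed.
    """
    ext = ext.lower()
    return [p for p in paths if p.lower().endswith(ext)]


def original_name(path, ext=EMBARGO_EXT):
    """Strip the appended extension to recover the pre-encryption file name.

    Useful for building the list of objects to pull from backups; the
    original content is not recoverable from the name alone.
    """
    if path.lower().endswith(ext.lower()):
        return path[: -len(ext)]
    return path


def summarize(hits):
    """Count hits per directory so responders can see which locations
    (shares, home directories, application folders) were reached."""
    return Counter(os.path.dirname(p) for p in hits)


def scan_tree(root, ext=EMBARGO_EXT):
    """Walk a real directory tree and return every matching path.

    os.walk does not follow symlinks by default, so a scan stays inside
    the volume it was pointed at.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ext.lower()):
                hits.append(os.path.join(dirpath, name))
    return hits


# Constructed sample listing, standing in for the output of a file inventory.
SAMPLE_PATHS = [
    "/srv/orders/2024/invoice-1001.pdf.564ba1",
    "/srv/orders/2024/invoice-1002.pdf",
    "/srv/orders/2024/invoice-1003.pdf.564ba1",
    "/home/clerk/notes.docx.564BA1",
    "/var/log/syslog",
]

if __name__ == "__main__":
    hits = find_encrypted(SAMPLE_PATHS)
    print(f"{len(hits)} encrypted file(s) found")
    for directory, count in summarize(hits).most_common():
        print(f"{count:4d}  {directory}")
    print("restore list:")
    for p in hits:
        print("  " + original_name(p))
```

Point `scan_tree` at a mounted copy of the affected volume rather than the live host where possible; the per-directory counts from `summarize` give a quick map of how far the encryption spread, and the `original_name` list is what gets handed to whoever owns the backups.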

Notably, the group deploys MDeployer, a specialized loader, and MS4Killer, an endpoint detection and response (EDR) killer. These tools are tailored to the specific environment of each victim, allowing Embargo to bypass defenses with remarkable precision.

Embargo employs a double-extortion strategy, exfiltrating sensitive data before encrypting it. Victims are pressured to pay not only to regain access to their data but also to prevent the public release or sale of stolen information.  

In recent campaigns, the group has expanded its focus to hybrid cloud environments, compromising both on-premises and cloud resources. This approach allows for lateral movement within networks, leading to extensive data exfiltration, credential theft, and ransomware deployment.

The group's activities have already left a trail of high-profile incidents. Embargo affiliates have targeted the healthcare sector, including Memorial Hospital and Manor in Georgia, Weiser Memorial Hospital in Idaho, and American Associated Pharmacies, a network of over 2,000 independent pharmacies across the United States.  

One particularly notable incident occurred in August 2024 when the American Radio Relay League (ARRL) was attacked, resulting in a ransom payment of $1 million for a decryption tool.

Embargo’s rapid rise and the sophistication of its operations underscore the evolving threat landscape posed by modern ransomware groups. With its targeted approach and ability to adapt to hybrid cloud environments, the group represents a significant challenge to organizations across various sectors.

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
