Embargo Ransomware
Embargo Ransomware is a ransomware family tracked in MITRE ATT&CK as software S1247 and referenced in reporting as used by the financially motivated e-crime actor Blockade Spider; ATT&CK v18 also associates it with group G1053 (Storm-0501). Reporting states that Blockade Spider has used Embargo ransomware since at least April 2024, alongside data theft to monetize operations. The group is described as using cross-domain techniques in ransomware campaigns and targeting cloud and virtualized environments. CrowdStrike published a profile on BLOCKADE SPIDER describing attacks involving Embargo ransomware. Financial reporting states that Embargo Ransomware netted $34.2 million in cryptocurrency since April 2024. High-confidence capabilities and behaviors directly mentioned in the source material are ransomware deployment, associated data theft/extortion activity, and use in campaigns against cloud and virtualized environments. No specific infection vector, platform-specific technical details, or concrete IOCs are provided in the source material.
Groups observed using it
2 distinct threat actors attributed by public researchers.
A financially motivated threat actor known as Blockade Spider has been reported using cross-domain techniques in its ransomware campaigns since at least April 2024. The e-crime group uses Embargo ransomware and data theft to monetize its operations.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth
1 technique: T1679 (Selective Exclusion). The ransomware deliberately avoids .dll, .exe, and critical system files during encryption so that systems remain functional enough to display ransom notes.
Discovery
1 technique: T1518.002 (Software Discovery: Backup Software Discovery). Ransomware operators enumerate Veeam, Acronis, Paragon, and other backup tools before launching attacks.
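As an added illustration of how a defender might hunt for the backup-software discovery behaviour above (example code written for this page, not a Mallory rule or anything from the CrowdStrike reporting): the script below scans process-creation events for service, process, WMI, or registry enumeration whose command line names one of the backup products the page lists. The enumeration patterns and the sample events are assumptions constructed for the example.

```python
"""Toy T1518.002 detection over constructed process-creation events.
Not from the original page; patterns and sample data are assumptions."""
import re

# Backup products named on the page; extend with your own environment's tools.
BACKUP_VENDORS = ("veeam", "acronis", "paragon")

# Common enumeration primitives (assumed typical tooling, not taken from the page).
ENUM_PATTERNS = {
    "sc_query": re.compile(r"\bsc(\.exe)?\s+query\b", re.I),
    "tasklist": re.compile(r"\btasklist(\.exe)?\b", re.I),
    "wmic": re.compile(r"\bwmic(\.exe)?\s+(service|product|process)\b", re.I),
    "ps_service": re.compile(r"Get-(Service|Process|WmiObject|CimInstance)\b", re.I),
    "reg_uninstall": re.compile(r"\breg(\.exe)?\s+query\b.*\\Uninstall", re.I),
    "net_start": re.compile(r"\bnet1?(\.exe)?\s+start\b", re.I),
}


def classify(event):
    """Return (enum_tool, vendor) if the command line enumerates software and
    names a backup vendor; otherwise None. Requires both signals to cut noise."""
    cmd = event.get("command_line", "")
    vendor = next((v for v in BACKUP_VENDORS if v in cmd.lower()), None)
    if vendor is None:
        return None
    for name, pat in ENUM_PATTERNS.items():
        if pat.search(cmd):
            return (name, vendor)
    return None


def detect_backup_discovery(events, min_distinct_tools=1):
    """Group hits per host and keep hosts that used at least
    min_distinct_tools different enumeration methods against backup products."""
    per_host = {}
    for ev in events:
        hit = classify(ev)
        if hit:
            per_host.setdefault(ev["host"], []).append((ev["command_line"], *hit))
    return {h: hits for h, hits in per_host.items()
            if len({tool for _, tool, _ in hits}) >= min_distinct_tools}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "command_line": 'sc query "VeeamBackupSvc"'},
    {"host": "ws01", "command_line": 'tasklist /FI "IMAGENAME eq Veeam.Backup.Service.exe"'},
    {"host": "ws01", "command_line": "powershell Get-Service | findstr /i acronis"},
    {"host": "ws02", "command_line": "tasklist"},                      # no vendor named
    {"host": "ws02", "command_line": "notepad.exe paragon_notes.txt"},  # no enumeration
]

if __name__ == "__main__":
    for host, hits in detect_backup_discovery(SAMPLE_EVENTS).items():
        print(host, hits)
```

Raising min_distinct_tools to 2 or 3 trades recall for precision; a single `sc query` naming a backup service is common admin activity, while several distinct enumeration methods on one host in a short window is a stronger pre-encryption signal.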
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Embargo ransomware is used by the Blockade Spider group to encrypt files and extort victims, often targeting cloud and virtualized environments.
Embargo is a ransomware strain used by the BLOCKADE SPIDER e-crime group to encrypt victim data and demand ransom payments.
Ransomware family referenced in ATT&CK v18 CTI updates as associated with Storm-0501.
Ransomware that encrypts files and demands payment, reportedly netting significant cryptocurrency payments since April 2024.