Operation Checkmate Disrupts One of the Large Russian-Speaking Ransomware Groups

Rise of Chaos Ransomware Tied to BlackSuit Group's Exit
The BlackSuit dark web leak site as of July 24, 2025.

An international law enforcement operation disrupted BlackSuit, a ransomware group tied to hundreds of victims and ransom demands that exceeded half a billion dollars.



The U.S. Department of Homeland Security Investigations on Thursday seized the group’s dark web data-leak blog and negotiation sites, which now resolve to a takedown notice.


Codenamed Operation Checkmate, the crackdown involved over a dozen law enforcement agencies, including the FBI and U.S. Department of Justice, as well as Britain’s National Crime Agency and Cyber Police of Ukraine, backed by assistance from law enforcement intelligence agency Europol.


BlackSuit typically demanded between $1 million and $10 million from each new victim – and in one case $60 million – to be paid in Bitcoin, warned an August 2024 joint alert from the FBI and CISA. The federal government tied the group to more than $500 million in known ransom demands.

Security firm Bitdefender, which said it supported the operation by sharing threat intelligence, noted that BlackSuit first appeared in the summer of 2023. The threat actor listed more than 185 non-paying victims on its data-leak site. Even if a victim paid a ransom, that didn’t mean the criminals kept their promises. “In late 2024, the group leaked the data of a known victim after receiving a ransom payment of nearly $3 million,” it said.


The disruption of BlackSuit may have caught the group’s leadership out as it attempted to rebrand as Chaos ransomware, which has been tied to targeting larger victims with crypto-locking malware in pursuit of bigger ransom payments.


Cisco Talos, in a Thursday report, assessed “with moderate confidence” that Chaos, which first appeared in February, was “formed by former members of the BlackSuit (Royal) gang, based on similarities in the ransomware’s encryption methodology, ransom note structure and the toolset used in the attacks.”


Specific tactics, techniques and procedures tied to the group’s affiliates include “low-effort spam flooding, escalating to voice-based social engineering for access,” followed by attackers installing remote monitoring and management tools, designed for legitimate monitoring and managing of clients by IT teams, to maintain remote access to infiltrated networks and exfiltrate data, it said.


Royal operated from January 2023 to July 2023, before rebranding as BlackSuit, which appears to have begun operations by May 2023, Bitdefender said. Royal itself spun off from the notorious Russian-speaking Conti group, first as a group called Quantum, said Yelisey Boguslavskiy, a partner at threat intelligence firm RedSense (see: Conti’s Legacy: What’s Become of Ransomware’s Most Wanted?).


Conti’s downfall came from its hubris. The group’s leadership publicly backed Russian President Vladimir Putin’s war of conquest against Ukraine, causing ransomware payments to the group to dry up as corporations grew nervous about violating sanctions against the Kremlin. Conti spun off multiple entities, using an attack against Costa Rica as cover to suggest that the group remained a going concern, even while the new organizations refined their operations.


Since then, the leadership of Royal and then BlackSuit appears to have opted for a less-is-more publicity approach, at least based on the paucity of their public-facing profile. “They’ve taken the lessons learned from the Conti leak and operate in a more discreet manner to reduce the odds of future leaks,” Bitdefender said.


In particular, the group remains private, rather than operating as a ransomware-as-a-service group that uses affiliated business partners to launch attacks, it said.


This focus on operational security may have paid dividends. Boguslavskiy said in a post to LinkedIn that BlackSuit appears to have been “the largest Russian-speaking ransomware collective, besides DragonForce,” although it appears to have largely abandoned its brand since January, owing to the group being tied to Conti. He said the group appears to have largely been using INC ransomware in its attacks, plus “allied syndicates such as Lynx and Akira,” although since May it appeared to be preparing to rebrand BlackSuit.


Boguslavskiy said the rebrand may not proceed as planned, thanks to Operation Checkmate, which has at least paused the group’s operations. “Primary sources suggest that this was placed on hold by the takedown, which brought too much attention to the group, and, specifically, to its Chaos venture,” he said. “Therefore, for now, we will likely be seeing one of the largest Russian-speaking ransomware collectives operating from the shadows, which is definitely a unique case for the ransomware landscape.”


