Intelligence gathered by gardaí following the 2021 HSE cyberattack has led directly to the dismantling of an international cybercrime crime gang by US authorities.
The Garda National Cyber Crime Bureau played a central role in the “major disruption” operation which took down the critical infrastructure of the BlackSuit Ransomware Group.
The group is responsible for extorting over €300 million in ransom payments since 2022 from victims who were the targets of ransomware attacks.
The BlackSuit gang is a successor to the Conti ransomware group which demanded a ransom from the Irish Government after locking down the systems of the HSE during the Covid-19 pandemic in May 2021.
The incident, which was the largest attack on a health system in history, shut down thousands of systems across the country and cost almost €55 million to repair.
In the months after the attack, specialist gardaí gathered large amounts of intelligence on the Conti gang’s operations and tactics which were shared with international partners.
“This information directly led to the American-led operation,” said a source.
According to a Garda statement, the operation targeted an international group said to be responsible for “serious ransomware attacks” globally and was led by the US Immigration and Customs Enforcement (Ice).
It resulted in the seizure and takedown of operational infrastructure used by the BlackSuit group, which was described as a “major cybercriminal operation” by Ice.
This infrastructure included servers, domains and digital assets used to deploy ransomware, extort victims and launder proceeds, An Garda Síochána said.
Among them was a dark web leaks page, a website maintained on the darknet where the data of victims who refuse to pay a ransom is published.
A victim negotiation site, used by ransomware gangs to communicate with victims and arrange the payment of ransoms, was also taken down.
The BlackSuit ransomware group is an organised crime group responsible for the commission of ransomware and “other serious cyber criminality internationally”, the Garda said.
It emerged in 2023 as a result of the rebranding of the Royal Ransomware Group, which originated from the Conti Ransomware Group. This group was “responsible for a number of serious ransomware attacks internationally”, according to the Garda.
Since 2022, the Royal and BlackSuit ransomware groups have compromised more than 450 known victims in the US, “including entities in the healthcare, education, public safety, energy and government sectors”, Ice’s homeland security investigations said.
“Combined, the groups have received more than $370 million (€317.2 million) in ransom payments, based on present-day valuations of cryptocurrency,” it said.
“The case is being prosecuted by the US Attorney’s Office for the Eastern District of Virginia, which continues to collaborate with international partners to pursue legal accountability for those involved in the Royal and BlackSuit campaigns,” it added.
Other agencies involved in the operation include the US Department of Homeland Security, the US Secret Service, Europol, Dutch police, German police, the UK National Crime Agency and the Ukrainian Cyber Police. They were assisted by “private partners”, a Garda spokesperson said.
Angela Willis, assistant commissioner for organised and serious crime, said An Garda Síochána will continue to work with international partners to “identify, target and disrupt” organised crime groups involved in cybercrime.
“Our work to date involving close collaboration with international partners, including this seizure and takedown of key online operational infrastructure, will continue as part of our ongoing effort to keep people safe both on and offline,” she said.
