U.S. authorities have announced the successful dismantling of the BlackSuit ransomware operation, a notorious group linked to attacks on more than 450 organizations worldwide.
The operation, led by Immigration and Customs Enforcement’s (ICE) Homeland Security Investigations (HSI), involved seizing servers, domains, and digital assets used for deploying ransomware, extorting victims, and laundering illicit profits.
BlackSuit, seen as the successor to the Royal ransomware group, has been active since 2022, targeting critical sectors including healthcare, education, public safety, energy, and government. Victims in the U.S. alone have paid out over $370 million in ransoms, often in cryptocurrency, under threats of data encryption and leaks, a tactic known as double extortion.
The takedown, dubbed Operation Checkmate, was a collaborative effort with international partners, including the FBI, Europol, and law enforcement from the UK, Germany, Ireland, Ukraine, Lithuania, France, and Canada.
“Disrupting ransomware infrastructure is not only about taking down servers, it’s about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said HSI Cyber Crimes Center Deputy Assistant Director Michael Prado. He emphasized the role of international coordination in holding these actors accountable.
HSI Washington, D.C., acting Special Agent in Charge Christopher Heck highlighted the agency’s commitment to protecting vulnerable entities. “This investigation reflects the full reach of HSI’s cyber mission and our commitment to protecting victims whether they’re small businesses, school systems, or hospitals,” Heck stated.
“We will continue to target the infrastructure, finances, and operators behind these ransomware groups to ensure they have nowhere left to hide.”
Officials from the Department of Justice underscored the threat to national security. Assistant Attorney General for National Security John A. Eisenberg noted that BlackSuit’s attacks on U.S. critical infrastructure posed a serious risk to public safety.
“The National Security Division is proud to be part of an ongoing team of government agencies and partners working to protect our Nation from threats to our critical infrastructure,” he said.
U.S. Attorney for the Eastern District of Virginia Erik S. Siebert described the action as a “forward-leaning, disruption-first approach” to combating cyber threats.
“When it comes to protecting U.S. businesses, critical infrastructure, and other victims from ransomware and other cyberthreat actors, we will pull no punches,” Siebert affirmed.
Prosecutors from the District of Columbia echoed this resolve. U.S. Attorney Jeanine Ferris Pirro warned of the havoc ransomware wreaks on systems, affecting government agencies and private companies alike.
“Whether these criminals target law enforcement, other government agencies, or private companies, my office and our law enforcement partners stand ready to go toe-to-toe with criminals and make victims whole,” she said.
The U.S. Secret Service also played a key role, with Criminal Investigative Division Special Agent in Charge William Mancino calling the operation a “critical blow” to BlackSuit’s infrastructure.
“The U.S. Secret Service is committed to working alongside our law enforcement partners to dismantle criminal enterprises and prevent the deployment of malicious ransomware that victimizes businesses and organizations,” Mancino added.
IRS Criminal Investigation contributed by targeting the financial underpinnings of the operation. Executive Special Agent in Charge Kareem Carter of the IRS-CI Washington field office explained, “Today’s announcement demonstrates IRS Criminal Investigation’s commitment to disrupting the illicit flow of money that enables cyber criminals to illegally launder millions in cryptocurrency.”
He noted that tools like BlackSuit are used to steal, extort, and launder proceeds, and vowed continued collaboration to apprehend those responsible.
This coordinated effort under Europol’s Joint Cyber Action Task Force marks a significant step in curbing ransomware threats, signaling that cybercriminals will face relentless pursuit across borders.
As investigations continue, authorities urge organizations to bolster cybersecurity measures and report incidents promptly to mitigate future risks. The shutdown disrupts BlackSuit’s operations, but experts warn that evolving cyber threats demand sustained vigilance.