US confirms takedown of BlackSuit ransomware gang that racked up $370 million in ransoms


U.S. law enforcement agencies provided new details on an operation that dismantled critical infrastructure used by the BlackSuit ransomware gang after the organization’s leak site was replaced with a takedown banner nearly two weeks ago.

The group — which rebranded from its Royal name after a devastating 2023 attack that shut down the city of Dallas — successfully attacked more than 450 entities in the U.S. Since emerging in 2022, the gang secured more than $370 million in ransom payments, according to U.S. investigators. 

“The BlackSuit ransomware gang’s persistent targeting of U.S. critical infrastructure represents a serious threat to U.S. public safety,” said Assistant Attorney General for National Security John Eisenberg. 

Two weeks ago, the ransomware gang’s darknet extortion sites were seized in an operation involving police from more than nine countries including Germany, France and the United Kingdom. 

A splash page replaced the gang’s list of victims on its main TOR domain as well as its private negotiation pages, stating these sites were “seized by U.S. Homeland Security Investigations (HSI)” as part of a coordinated international operation.

At the time, the Justice Department confirmed the disruption and website seizure but kept the warrant for the action sealed. 

The statements released on Thursday are the first recognition from U.S. agencies of the operation. German officials confirmed the operation last week, noting that they confiscated technical infrastructure used by the group.

“Substantial amounts of data were secured, which are now being analyzed to investigate and identify other perpetrators,” German law enforcement said. 

U.S. officials said the operation “resulted in the seizures of servers, domains and digital assets used to deploy ransomware, extort victims, and launder proceeds.”

“Disrupting ransomware infrastructure is not only about taking down servers — it’s about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said HSI Cyber Crimes Center Deputy Assistant Director Michael Prado. “This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable.”

BlackSuit and Royal were responsible for dozens of high-profile attacks that caused untold damage. The group drew law enforcement interest with the attack on Dallas, which damaged the city’s emergency services, courts and government.

The FBI said last year that the group demanded more than $500 million in ransoms and after the rebrand continued to issue exorbitant ransom demands — some of which reached as high as $60 million.

BlackSuit also took responsibility for dozens of attacks on U.S. grade schools and colleges as well as prominent companies and local governments — including the Japanese media giant Kadokawa and Tampa Bay Zoo.

In April 2024, the gang claimed responsibility for an attack against the blood plasma collection organization Octapharma, which the American Hospital Association said “resulted in the temporary closure of almost 200 blood plasma collection centers” across the country.

U.S. Secret Service Criminal Investigative Division Special Agent in Charge William Mancino said the takedown was a “critical blow to BlackSuit’s infrastructure and operations.”

The takedown was part of Operation Checkmate, a Europol-led initiative targeting the Royal and BlackSuit ransomware operations. Cybersecurity firm Bitdefender assisted the agencies in the operation and said it was “another important milestone in the fight against organized cybercrime.”

Following the takedown, Cisco Talos published research finding that some members of the BlackSuit gang have already pivoted to forming a new ransomware operation called Chaos.

The ransomware is similar to BlackSuit “based on similarities in the ransomware’s encryption methodology, ransom note structure, and the toolset used in the attacks,” according to Cisco. 

The DOJ announced last week that it seized $2.4 million worth of cryptocurrency from a cryptocurrency address allegedly associated with a member of the Chaos ransomware group, known as “Hors” — which they said has been tied to ransomware attacks against victims located in Texas and elsewhere.
