In a significant blow to cybercriminal operations, law enforcement agencies worldwide have dismantled the infrastructure of the prolific BlackSuit ransomware gang. The U.S. Department of Justice confirmed the seizure of BlackSuit's dark web leak sites, replacing them with a banner announcing the takedown by U.S. Homeland Security Investigations (HSI) as part of Operation Checkmate.

[Figure: BlackSuit seizure banner displayed on seized domains (Image: BleepingComputer)]

The coordinated effort included the U.S. Secret Service, Dutch National Police, German State Criminal Police, UK National Crime Agency, Ukrainian Cyber Police, Europol, and others. Romanian cybersecurity firm Bitdefender also played a critical, though undisclosed, role in the operation.

This takedown disrupts a group responsible for hundreds of attacks globally since emerging in 2022. BlackSuit's evolution reveals a persistent threat:
- Origins: Emerged as Quantum ransomware in January 2022, a direct offshoot of the infamous Conti syndicate.
- Rebrand to Royal: Adopted its own 'Zeon' encryptor and became Royal ransomware in September 2022, linked to 350+ attacks and $275M+ demands.
- Shift to BlackSuit: Rebranded again in mid-2023 after targeting Dallas, Texas, using a new 'BlackSuit' encryptor. The FBI confirmed in 2024 that Royal had fully transitioned to BlackSuit, amassing over $500 million in ransom demands.

New intelligence suggests the group may be attempting yet another evolution. Cisco Talos recently reported:

"Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of the BlackSuit (Royal) ransomware or operated by some of its former members... based on similarities in TTPs, including encryption commands, ransom note structure, and use of LOLbins/RMM tools."

The seizure of leak sites cripples BlackSuit's ability to extort victims by threatening to publish stolen data. However, the group's history of rebranding and technical adaptation highlights the persistent challenge of disrupting sophisticated cybercrime networks. Operation Checkmate demonstrates improved international coordination but underscores that ransomware groups remain agile adversaries.

Source: BleepingComputer