BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new group

The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos


An international law enforcement operation has seized infrastructure used by the infamous BlackSuit ransomware gang, which is believed to have netted more than $370 million in ransom payments over the last three years.

Led by the US Department of Homeland Security, the operation also included the UK, Germany, Ireland, France, Canada, Ukraine, and Lithuania.

It resulted in the takedown of four servers and nine domains, and the seizure of more than $1 million in virtual currency.

“This operation strikes a critical blow to BlackSuit’s infrastructure and operations,” said William Mancino, special agent in charge of the US Secret Service’s Criminal Investigative Division.

“The US Secret Service is committed to working alongside our law enforcement partners to dismantle criminal enterprises and prevent the deployment of malicious ransomware that victimizes businesses and organizations.”

BlackSuit first started out as Quantum ransomware in January 2022 as a direct successor of the Conti group, but rebranded as Royal ransomware in September that year and then to BlackSuit in 2023.

The group is believed to have breached hundreds of organizations in sectors including critical manufacturing, government facilities, healthcare and public health, and commercial facilities.

One attack on the City of Dallas severely affected emergency services, the courts, and government. Another, against the blood plasma collection organization Octapharma, led to the temporary closure of almost 200 blood plasma collection centers across the country.

BlackSuit victims are usually required to pay ransoms in Bitcoin via a darknet website. According to the Justice Department, on one occasion in 2023 a victim paid a Bitcoin ransom worth nearly $1.5 million at the time.

The group used double extortion tactics, encrypting victims’ systems while threatening to leak stolen data to put extra pressure on victims to pay up.

BlackSuit members have already rebranded

It appears that at least some of those behind BlackSuit have now reformed as a new ransomware operation called ‘Chaos’.

Based on the group's encryption methodology, ransom note structure, and the toolset used in the attacks, Cisco Talos reckons the same people are at work.

"Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of the BlackSuit (Royal) ransomware or operated by some of its former members," the firm said in an advisory.

"This assessment is based on the similarities in TTPs, including encryption commands, the theme and structure of the ransom note, and the use of LOLbins and RMM tools in their attacks."

The group's new Ransomware as a Service (RaaS) operation has already been linked to double extortion attacks, with voice-based social engineering as the initial access technique and an encryptor that targets both local and remote storage.

While law enforcement takedowns are welcomed by enterprises and security practitioners alike, there have been a number of occasions where groups simply regroup and rebrand in the aftermath.

In 2020, for example, an international operation to take down the Trickbot botnet was hailed as a major victory for law enforcement. Yet in less than a year it had returned, with a more potent strain that enabled threat actors to establish greater persistence on networks.

The Emotet takedown, meanwhile, also proved temporary. The Europol-led sting in January 2021 appeared to have crippled the operation, but once again it returned within the space of a year.

Security experts at the time questioned whether the botnet would be shuttered for good. Analysis in November 2021 showed the group's infrastructure had doubled since making a comeback.

“Disrupting ransomware infrastructure is not only about taking down servers — it's about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said Michael Prado, deputy assistant director for HSI’s Cyber Crimes Center.

“This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable.”

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.