BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new group
The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos


An international law enforcement operation has seized infrastructure used by the infamous BlackSuit ransomware gang, which is believed to have netted more than $370 million in ransom payments over the last three years.
Led by the US Department of Homeland Security, the operation also included the UK, Germany, Ireland, France, Canada, Ukraine, and Lithuania.
It resulted in the takedown of four servers and nine domains, and the seizure of more than $1 million in virtual currency.
“This operation strikes a critical blow to BlackSuit’s infrastructure and operations,” said William Mancino, special agent in charge of the US Secret Service’s Criminal Investigative Division.
“The US Secret Service is committed to working alongside our law enforcement partners to dismantle criminal enterprises and prevent the deployment of malicious ransomware that victimizes businesses and organizations.”
BlackSuit first started out as Quantum ransomware in January 2022 as a direct successor of the Conti group, but rebranded as Royal ransomware in September that year and then to BlackSuit in 2023.
The group is believed to have breached hundreds of organizations in sectors including critical manufacturing, government facilities, healthcare and public health, and commercial facilities.
One attack on the City of Dallas severely affected emergency services, the courts, and government. Another, against the blood plasma collection organization Octapharma, led to the temporary closure of almost 200 blood plasma collection centers across the country.
BlackSuit victims are usually required to pay ransoms in Bitcoin via a darknet website. According to the Justice Department, on one occasion in 2023 a victim paid a Bitcoin ransom worth nearly $1.5 million at the time.
The group used double extortion tactics, encrypting victims’ systems while threatening to leak stolen data to put extra pressure on victims to pay up.
BlackSuit members have already rebranded
It appears that at least some of those behind BlackSuit have now reformed as a new ransomware operation called ‘Chaos’.
Based on the group's encryption methodology, ransom note structure, and the toolset used in the attacks, Cisco Talos reckons the same people are at work.
"Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of the BlackSuit (Royal) ransomware or operated by some of its former members," the firm said in an advisory.
"This assessment is based on the similarities in TTPs, including encryption commands, the theme and structure of the ransom note, and the use of LOLbins and RMM tools in their attacks."
The group's new Ransomware as a Service (RaaS) operation has already been linked to double extortion attacks, with voice-based social engineering as the initial access technique and the use of an encryptor that targets both local and remote storage.
While law enforcement takedowns are welcomed by enterprises and security practitioners alike, there have been a number of occasions where groups simply regroup and rebrand in the aftermath.
In 2020, for example, an international operation to take down the Trickbot botnet was hailed as a major victory for law enforcement. Yet within less than a year it had returned - and with a more potent strain that enabled threat actors to establish greater persistence on networks.
The Emotet takedown, meanwhile, also proved temporary. The Europol-led sting in January 2021 appeared to have crippled the operation, but once again it returned within the space of a year.
Security experts at the time questioned whether the botnet would be shuttered for good. Analysis in November 2021 showed the group's infrastructure had doubled since making a comeback.
“Disrupting ransomware infrastructure is not only about taking down servers — it's about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said Michael Prado, deputy assistant director for HSI’s Cyber Crimes Center.
“This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable.”
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.