BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new group
The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos


An international law enforcement operation has seized infrastructure used by the infamous BlackSuit ransomware gang, which is believed to have netted more than $370 million in ransom payments over the last three years.
Led by the US Department of Homeland Security, the operation also included the UK, Germany, Ireland, France, Canada, Ukraine, and Lithuania.
It resulted in the takedown of four servers and nine domains, and the seizure of more than $1 million in virtual currency.
“This operation strikes a critical blow to BlackSuit’s infrastructure and operations,” said William Mancino, special agent in charge of the US Secret Service’s Criminal Investigative Division.
“The US Secret Service is committed to working alongside our law enforcement partners to dismantle criminal enterprises and prevent the deployment of malicious ransomware that victimizes businesses and organizations.”
BlackSuit first started out as Quantum ransomware in January 2022 as a direct successor of the Conti group, but rebranded as Royal ransomware in September that year and then as BlackSuit in 2023.
The group is believed to have breached hundreds of organizations in sectors including critical manufacturing, government facilities, healthcare and public health, and commercial facilities.
One attack on the City of Dallas severely affected emergency services, the courts, and city government. Another, against the blood plasma collection organization Octapharma, led to the temporary closure of almost 200 blood plasma collection centers across the US.
BlackSuit victims are usually required to pay ransoms in Bitcoin via a darknet website. According to the Justice Department, on one occasion in 2023 a victim paid a Bitcoin ransom worth nearly $1.5 million at the time.
The group used double extortion tactics, encrypting victims’ systems while threatening to leak stolen data to put extra pressure on victims to pay up.
BlackSuit members have already rebranded
It appears that at least some of those behind BlackSuit have now reformed as a new ransomware operation called ‘Chaos’.
Based on the group's encryption methodology, ransom note structure, and the toolset used in the attacks, Cisco Talos reckons the same people are at work.
"Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of the BlackSuit (Royal) ransomware or operated by some of its former members," the firm said in an advisory.
"This assessment is based on the similarities in TTPs, including encryption commands, the theme and structure of the ransom note, and the use of LOLbins and RMM tools in their attacks."
The group's new ransomware-as-a-service (RaaS) operation has already been linked to double extortion attacks, with voice-based social engineering as the initial access technique and an encryptor that targets both local and remote storage.
While law enforcement takedowns are welcomed by enterprises and security practitioners alike, there have been a number of occasions where groups simply regroup and rebrand in the aftermath.
In 2020, for example, an international operation to take down the Trickbot botnet was hailed as a major victory for law enforcement. Yet within less than a year it had returned - and with a more potent strain that enabled threat actors to establish greater persistence on networks.
The Emotet takedown, meanwhile, also proved temporary. The Europol-led sting in January 2021 appeared to have crippled the operation, but once again it returned within the space of a year.
Security experts at the time questioned whether the botnet would be shuttered for good. Analysis in November 2021 showed the group's infrastructure had doubled since making a comeback.
“Disrupting ransomware infrastructure is not only about taking down servers — it's about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said Michael Prado, deputy assistant director for HSI’s Cyber Crimes Center.
“This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable.”
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.