In a major victory against cybercrime, U.S. law enforcement agencies have provided new details on a successful international operation that dismantled critical infrastructure used by the BlackSuit ransomware gang. Nearly two weeks ago, the group’s darknet extortion sites were replaced with a takedown banner, which was later revealed to be the result of a coordinated effort involving law enforcement from more than nine countries, including Germany, France, and the United Kingdom. This operation, part of a larger initiative called “Checkmate,” dealt a significant blow to the gang, seizing servers, domains, and digital assets used to deploy ransomware and extort victims. This action marks a critical step in holding ransomware actors accountable and dismantling the entire ecosystem that enables them to operate with impunity.
The BlackSuit gang, which rebranded from its Royal name after a devastating 2023 attack that shut down the city of Dallas, had been a persistent and serious threat to U.S. public safety. Since its emergence in 2022, the group has successfully attacked more than 450 entities in the U.S., securing over $370 million in ransom payments, according to U.S. investigators. The gang’s high-profile attacks caused untold damage, drawing significant law enforcement interest, particularly after the Dallas incident, which damaged the city’s emergency services, courts, and government. The FBI had previously stated that the group demanded more than $500 million in ransoms, with some demands reaching as high as $60 million.
The international cooperation was key to the operation’s success. German officials were among the first to confirm the operation, noting that they had confiscated technical infrastructure used by the group and secured “substantial amounts of data” for further analysis. This collaborative effort, led by Europol and with assistance from cybersecurity firm Bitdefender, highlights a collective resolve to combat organized cybercrime. HSI Cyber Crimes Center Deputy Assistant Director Michael Prado emphasized that disrupting ransomware infrastructure is not just about taking down servers but about dismantling the entire ecosystem, and this operation is a testament to the power of international coordination.
The BlackSuit gang’s victims included a wide range of critical infrastructure and institutions, from U.S. grade schools and colleges to prominent companies and local governments. Notable attacks included those against the Japanese medallion giant Kadokawa, Tampa Bay Zoo, and the blood plasma collection organization Octapharma. The attack on Octapharma in April 2024 was particularly damaging, as it resulted in the temporary closure of nearly 200 blood plasma collection centers across the country. U.S. Secret Service Criminal Investigative Division Special Agent in Charge William Mancino called the takedown a “critical blow to BlackSuit’s infrastructure and operations,” underscoring the operation’s importance in protecting vital public and private sectors.
Despite the success of the takedown, the fight against these cybercriminals is far from over. Following the operation, cybersecurity firm Cisco Talos published research indicating that some members of the BlackSuit gang have already pivoted to forming a new ransomware operation called Chaos. The new ransomware exhibits similarities to BlackSuit, including its encryption methodology, ransom note structure, and the toolset used in the attacks. This finding was further corroborated by the DOJ, which announced the seizure of $2.4 million in cryptocurrency from a wallet allegedly associated with a member of the Chaos group, highlighting the ongoing challenge of tracking and neutralizing these highly adaptable cybercriminal organizations.
Reference:
