BlackSuit Ransomware Group’s Dark Web Sites Seized

by CybrGPT

BlackSuit’s dark web data leak site and private negotiation panels have been taken offline in what appears to be a large-scale law enforcement operation.

On July 24, the group’s main leak site, normally reachable only over the Tor network, displayed a banner stating, “This site has been seized by U.S. Homeland Security Investigations as part of a coordinated international law enforcement investigation.”

No official statement had been made at the time of writing; however, the banner shows that the effort, dubbed Operation Checkmate, involved the US Department of Justice (DoJ) and 16 other law enforcement agencies from nine countries.

The international coalition included agencies from the US, the UK, Ukraine and Latvia, as well as Europol and Bitdefender, a private cybersecurity firm based in Romania and the US.

From Conti to BlackSuit, via Royal: Who Is BlackSuit?

BlackSuit is a ransomware group that emerged in May 2023 and has 184 claimed victims, according to the ransomware tracking website Ransomware.live.

The group is believed to be a rebrand from the Royal ransomware gang, which itself was a successor to the notorious Conti group.

The Conti ransomware group, active from December 2019 until its dissolution in June 2022, was known for its aggressive tactics and high-profile attacks, including the significant 2022 cyber-attack on Costa Rica’s government systems.

Following Conti’s disbandment, its members dispersed into various factions, with some forming the Royal ransomware group in early 2022. Royal gained notoriety for targeting US cities, such as the attack on the City of Dallas in May 2023, which disrupted municipal services and compromised over a terabyte of data.

In May 2023, Royal began testing a new encryptor called BlackSuit, and the group subsequently rebranded under that name. Cyber threat intelligence analysts believe that only BlackSuit’s own members use the group’s tooling, suggesting it does not operate a ransomware-as-a-service (RaaS) model with outside affiliates.

Since its inception, BlackSuit has been involved in several significant cyber-attacks. In April 2024, BlackSuit reportedly attacked Octapharma Plasma, disrupting operations at over 160 blood plasma donation centers across the US.

In June 2024, the group targeted CDK Global, a software provider for approximately 15,000 North American car dealerships, causing widespread operational disruptions and estimated losses of around $1bn.

The group has also been linked to attacks on organizations such as ZooTampa, the Brazilian government and Western Municipal Construction.

BlackSuit employs double extortion: it steals victims’ data before encrypting it, then threatens to publish the stolen files unless a ransom is paid. The group has also been observed using legitimate remote monitoring and management (RMM) software to maintain persistence in victim networks.

According to a security advisory published by the US Cybersecurity and Infrastructure Security Agency (CISA) in August 2024, BlackSuit’s ransom demands typically ranged from $1m to $10m in Bitcoin, with the highest recorded demand being $60m.

In total, BlackSuit has reportedly demanded over $500m from its victims within two years of activity.

Chaos, a Likely BlackSuit Rebrand

Despite the reported takedown of part of BlackSuit’s infrastructure, the group’s members have not been arrested and some could already have moved on to another ransomware venture.

According to a report by Cisco Talos on July 24, the emerging ransomware group Chaos is likely to have been founded by members of BlackSuit.

“Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of the BlackSuit (Royal) ransomware or operated by some of its former members,” said the report.

This assessment is based on overlaps in tactics, techniques and procedures (TTPs), including the encryption commands used, the theme and structure of the ransom note, and the use of living-off-the-land binaries (LOLBins) and remote monitoring and management (RMM) tools in their attacks.

Other agencies reportedly involved in Operation Checkmate included the US Secret Service, the Dutch National Police, the German Federal Criminal Police Office, the UK National Crime Agency (NCA), the Frankfurt Public Prosecutor’s Office, and the Ukrainian Cyber Police.

Infosecurity has contacted the NCA and the DoJ. Neither agency had officially confirmed the takedown at the time of writing.
