Royal and BlackSuit ransomware gangs hit over 450 US companies

by CybrGPT

The U.S. Department of Homeland Security (DHS) says the cybercrime gang behind the Royal and BlackSuit ransomware operations had breached hundreds of U.S. companies before being taken down last month.

Homeland Security Investigations (HSI), DHS’s main investigative arm, which took down the group’s infrastructure in cooperation with international law enforcement partners, added that the cybercriminals also collected over $370 million from their victims.

“Since 2022, the Royal and BlackSuit ransomware groups have compromised over 450 known victims in the United States, including entities in the healthcare, education, public safety, energy and government sectors,” the HSI said in a Thursday press release.

“Combined, the groups have received more than $370 million in ransom payments, based on present-day valuations of cryptocurrency. The ransomware schemes used double-extortion tactics — encrypting victims’ systems while threatening to leak stolen data to further coerce payment.”

The U.S. Department of Justice confirmed on July 24 that law enforcement seized BlackSuit’s dark web extortion domains, replacing the contents of the gang’s leak sites with seizure banners as part of a joint international action codenamed Operation Checkmate.

[Image: BlackSuit seizure banner (BleepingComputer)]

The cybercrime group behind these two ransomware operations surfaced as Quantum ransomware in January 2022 and was believed to be a successor to the notorious Conti cybercrime syndicate. While they initially deployed encryptors from other groups (like ALPHV/BlackCat), they later developed their own Zeon encryptor, rebranding as Royal ransomware in September 2022.

In June 2023, after targeting the City of Dallas, Texas, and testing a new encryptor called BlackSuit, the Royal ransomware gang switched to the BlackSuit brand.

CISA and the FBI confirmed in a November 2023 joint advisory that Royal and BlackSuit shared similar tactics, linking the Royal ransomware gang to attacks targeting over 350 organizations worldwide since September 2022, which resulted in ransom demands exceeding $275 million.

An August 2024 joint advisory from the two agencies later confirmed that the Royal ransomware had rebranded as BlackSuit and demanded over $500 million from victims since its emergence more than two years before.

Chaos ransomware rebrand

Since BlackSuit’s infrastructure was dismantled, the Cisco Talos threat intelligence research group has found evidence suggesting the BlackSuit ransomware gang will now likely rebrand itself again as Chaos ransomware.

The cybercriminals’ new ransomware-as-a-service (RaaS) operation has already been linked to double extortion attacks, where they use voice-based social engineering for access and deploy an encryptor that targets both local and remote storage for maximum damage.

“Talos believes the new Chaos ransomware is unrelated to previous Chaos builder-generated variants, as the group uses the same name to create confusion,” the researchers said.

“Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of the BlackSuit (Royal) ransomware or operated by some of its former members.

“This assessment is based on the similarities in TTPs, including encryption commands, the theme and structure of the ransom note, and the use of LOLbins and RMM tools in their attacks.”


© 2025 cybrgpt.com – All rights reserved.