Dismantling a Ransomware Empire: Law Enforcement Takes Down BlackSuit
U.S. law enforcement has revealed details of an international operation that dismantled the core infrastructure of the BlackSuit ransomware gang, notorious for a series of devastating cyberattacks. Nearly two weeks ago, the group’s dark web sites were replaced with a seizure notice, and authorities have now officially confirmed the scale of the takedown.
BlackSuit — formerly known as Royal — gained infamy after a 2023 attack that crippled the city of Dallas. Since emerging in 2022, the group has struck more than 450 organizations across the United States, collecting over $370 million in ransom payments, according to investigators. The FBI notes that total ransom demands exceeded half a billion dollars, with individual cases reaching as high as $60 million. Targets included major corporations, municipal governments, schools, colleges, Japanese media giant Kadokawa, Tampa Bay Zoo, and healthcare provider Octapharma, whose nearly 200 plasma donation centers were temporarily shut down.
The operation involved law enforcement agencies from more than nine countries, including Germany, France, and the United Kingdom. German authorities reported seizing BlackSuit’s technical infrastructure and confiscating substantial volumes of data, now under analysis to identify additional members. U.S. officials confirmed the capture of servers, domains, and digital assets used for ransomware deployment, extortion, and money laundering. They emphasized that dismantling such infrastructure requires not only physically taking servers offline, but also destroying the entire ecosystem that enables criminals to operate with impunity.
Codenamed Operation Checkmate, the takedown was coordinated by Europol. Cybersecurity firm Bitdefender played a crucial role, providing technical support and hailing the outcome as a significant step in combating organized cybercrime. According to Cisco Talos, some former BlackSuit affiliates have already regrouped under a new banner — Chaos. Analysis shows that the new ransomware shares notable similarities with its predecessor in encryption methods, ransom note structure, and toolset. The U.S. Department of Justice recently announced the seizure of $2.4 million in cryptocurrency from a wallet allegedly linked to a Chaos member known as Hors, connected to attacks on victims in Texas and beyond.
BlackSuit and its predecessor Royal had long been a top priority for intelligence agencies due to the scale of their damage, including disruptions to emergency services and government systems. While the operation has dealt a severe blow to their capabilities, the rebranding of part of the crew under a new name is a stark reminder that the fight against ransomware is far from over.