Legislation enforcement has seized the darkish internet extortion websites of the BlackSuit ransomware operation, which has focused and breached the networks of lots of of organizations worldwide over the previous a number of years.
The U.S. Division of Justice confirmed the takedown in an e mail earlier at this time, saying the authorities concerned within the motion executed a court-authorized seizure of the BlackSuit domains.
Earlier at this time, the web sites on the BlackSuit .onion domains had been changed with seizure banners asserting that the ransomware gang’s websites had been taken down by the U.S. Homeland Safety Investigations federal regulation enforcement company as a part of a joint worldwide motion codenamed Operation Checkmate.
“This website has been seized by U.S. Homeland Safety Investigations as a part of a coordinated worldwide regulation enforcement investigation,” the banner reads.
BleepingComputer has confirmed that the seized websites embrace the darkish internet knowledge leak blogs and negotiation websites used to extort victims into paying a ransom demand.
Different regulation enforcement authorities that joined this joint operation embrace the U.S. Secret Service, the Dutch Nationwide Police, the German State Prison Police Workplace, the U.Okay. Nationwide Crime Company, the Frankfurt Common Prosecutor’s Workplace, the Justice Division, the Ukrainian Cyber Police, Europol, and others.
Romanian cybersecurity firm Bitdefender was additionally concerned within the motion, however a spokesperson has but to answer after BleepingComputer reached out for extra particulars earlier at this time.
Chaos ransomware rebrand
On Thursday, the Cisco Talos menace intelligence analysis group reported that it had discovered proof suggesting the BlackSuit ransomware gang is more likely to rebrand itself as soon as once more as Chaos ransomware.
“Talos assesses with reasonable confidence that the brand new Chaos ransomware group is both a rebranding of the BlackSuit (Royal) ransomware or operated by a few of its former members,” the researchers stated.
“This evaluation is predicated on the similarities in TTPs, together with encryption instructions, the theme and construction of the ransom notice, and using LOLbins and RMM instruments of their assaults.”
BlackSuit began as Quantum ransomware in January 2022 and is believed to be a direct successor to the infamous Conti cybercrime syndicate. Whereas they initially used encryptors from different gangs (similar to ALPHV/BlackCat), they deployed their very own Zeon encryptor quickly after and rebranded as Royal ransomware in September 2022.
In June 2023, after focusing on the Metropolis of Dallas, Texas, the Royal ransomware gang started working underneath the BlackSuit title, following the testing of a brand new encryptor referred to as BlackSuit amid rumors of a rebranding.
CISA and the FBI first revealed in a November 2023 joint advisory that Royal and BlackSuit share comparable techniques, whereas their encryptors exhibit apparent coding overlaps. The identical advisory linked the Royal ransomware gang to assaults focusing on over 350 organizations worldwide since September 2022, leading to ransom calls for exceeding $275 million.
The 2 companies confirmed in August 2024 that the Royal ransomware had rebranded as BlackSuit and had demanded over $500 million from victims since surfacing greater than two years prior.
Replace 7/24/25: Up to date article to incorporate that negotiation websites had been seized as effectively.
Comprise rising threats in actual time – earlier than they impression your online business.
Learn the way cloud detection and response (CDR) offers safety groups the sting they want on this sensible, no-nonsense information.
