Regulation enforcement has seized the darkish internet extortion websites of the BlackSuit ransomware operation, which has focused and breached the networks of tons of of organizations worldwide over the previous a number of years.
The U.S. Division of Justice confirmed the takedown in an electronic mail earlier as we speak, saying the authorities concerned within the motion executed a court-authorized seizure of the BlackSuit domains.
Earlier as we speak, the web sites on the BlackSuit .onion domains have been changed with seizure banners asserting that the ransomware gang’s websites have been taken down by the U.S. Homeland Safety Investigations federal legislation enforcement company as a part of a joint worldwide motion codenamed Operation Checkmate.
“This web site has been seized by U.S. Homeland Safety Investigations as a part of a coordinated worldwide legislation enforcement investigation,” the banner reads.
BleepingComputer has confirmed that the seized websites embody the darkish internet information leak blogs and negotiation websites used to extort victims into paying a ransom demand.
Different legislation enforcement authorities that joined this joint operation embody the U.S. Secret Service, the Dutch Nationwide Police, the German State Prison Police Workplace, the U.Ok. Nationwide Crime Company, the Frankfurt Basic Prosecutor’s Workplace, the Justice Division, the Ukrainian Cyber Police, Europol, and others.
Romanian cybersecurity firm Bitdefender was additionally concerned within the motion, however a spokesperson has but to answer after BleepingComputer reached out for extra particulars earlier as we speak.
Chaos ransomware rebrand
On Thursday, the Cisco Talos risk intelligence analysis group reported that it had discovered proof suggesting the BlackSuit ransomware gang is more likely to rebrand itself as soon as once more as Chaos ransomware.
“Talos assesses with reasonable confidence that the brand new Chaos ransomware group is both a rebranding of the BlackSuit (Royal) ransomware or operated by a few of its former members,” the researchers mentioned.
“This evaluation relies on the similarities in TTPs, together with encryption instructions, the theme and construction of the ransom be aware, and the usage of LOLbins and RMM instruments of their assaults.”
BlackSuit began as Quantum ransomware in January 2022 and is believed to be a direct successor to the infamous Conti cybercrime syndicate. Whereas they initially used encryptors from different gangs (equivalent to ALPHV/BlackCat), they deployed their very own Zeon encryptor quickly after and rebranded as Royal ransomware in September 2022.
In June 2023, after focusing on the Metropolis of Dallas, Texas, the Royal ransomware gang started working underneath the BlackSuit title, following the testing of a brand new encryptor referred to as BlackSuit amid rumors of a rebranding.
CISA and the FBI first revealed in a November 2023 joint advisory that Royal and BlackSuit share related ways, whereas their encryptors exhibit apparent coding overlaps. The identical advisory linked the Royal ransomware gang to assaults focusing on over 350 organizations worldwide since September 2022, leading to ransom calls for exceeding $275 million.
The 2 businesses confirmed in August 2024 that the Royal ransomware had rebranded as BlackSuit and had demanded over $500 million from victims since surfacing greater than two years prior.
Replace 7/24/25: Up to date article to incorporate that negotiation websites have been seized as nicely.
CISOs know that getting board buy-in begins with a transparent, strategic view of how cloud safety drives enterprise worth.
This free, editable board report deck helps safety leaders current threat, affect, and priorities in clear enterprise phrases. Flip safety updates into significant conversations and sooner decision-making within the boardroom.
