The latest target in the U.S. government’s crackdown on ransomware gangs is the BlackSuit group, a notorious cybercriminal organization that has been active since 2022. Linked to over $370 million in ransom demands, BlackSuit has become a significant threat to critical infrastructure in the United States.
In a coordinated effort, U.S. authorities recently seized four servers, nine domains, and approximately $1.09 million in cryptocurrency associated with BlackSuit. Working in collaboration with international partners, agencies such as Homeland Security Investigations, the Secret Service, IRS Criminal Investigation, and the FBI joined forces to carry out the raid. Law enforcement agencies from the United Kingdom, Germany, Ireland, France, Canada, Ukraine, and Lithuania also participated in the operation.
BlackSuit, which emerged as a spinoff of the Royal ransomware gang, has been targeting critical infrastructure in the U.S. since 2022. Operating under the BlackSuit name since 2023, the group has been using tactics, techniques, and tools similar to those of its predecessor. Known for demanding ransom payments ranging from $1 million to $10 million, with some demands reaching as high as $60 million, BlackSuit has gained notoriety for its large-scale extortion campaigns.
Victims of BlackSuit’s attacks often find themselves locked out of essential systems and facing the threat of sensitive data leaks. The group operates a darknet portal where it lists stolen data set to be released publicly if ransom demands are not met. The FBI and the Cybersecurity and Infrastructure Security Agency issued a joint advisory in late 2023 warning about BlackSuit’s capabilities to disrupt critical sectors.
In a notable case, an organization paid 49.3 Bitcoin, equivalent to about $1.44 million at the time, to regain control of its systems following a BlackSuit breach. A portion of this ransom payment was among the $1.09 million seized during the recent takedown. Authorities estimate that BlackSuit has compromised over 450 known victims in the U.S. since 2022.
The U.S. government has been taking a proactive approach to combat ransomware attacks, employing sanctions and enforcement actions to disrupt cybercriminal operations. Earlier this year, the U.S., UK, and Australia sanctioned Russian hosting provider Zservers for providing bulletproof hosting to the LockBit ransomware gang. In a similar move, the Justice Department recently filed a forfeiture action to recover $2.3 million in Bitcoin from a member of the Chaos ransomware group.
As the fight against ransomware continues, authorities are ramping up efforts to dismantle criminal organizations like BlackSuit and protect critical infrastructure from cyber threats.

