Law enforcement takedown of BlackSuit ransomware syndicate - operators regroup, starting up a new organization
International Operation Disrupts BlackSuit Ransomware Group
In a significant victory for global cybersecurity, an international law enforcement operation named Operation Checkmate has successfully disrupted the activities of the notorious BlackSuit ransomware group. The operation, led by the US Department of Homeland Security, involved agencies from the UK, Germany, France, Ireland, Canada, Ukraine, and Lithuania, with support from cybersecurity firm Bitdefender.
The takedown resulted in the seizure of four servers and nine domains, and the confiscation of over $1 million in virtual currency. The group's sites on the darknet were replaced with seizure banners by US Homeland Security Investigations, effectively shutting down their public-facing extortion platform.
The BlackSuit ransomware group, previously known as Quantum and Royal, is believed to have roots connected to members of the Conti ransomware group. Despite the takedown, indications suggest that associates had dispersed prior to the operation, potentially enabling the formation of successor groups or rebrands.
The BlackSuit group was notorious for its high ransom demands, with reported cumulative demands exceeding $500 million and individual demands reaching up to $60 million. One attack on the City of Dallas severely affected emergency services, the courts, and government, while on one occasion in 2023, a victim paid a Bitcoin ransom worth nearly $1.5 million at the time.
The group used double extortion tactics: it encrypted victims' systems and also threatened to leak the stolen data, adding pressure to pay. Its encryptor targets both local and remote storage, a tactic shared by the Chaos ransomware group, which is considered a potential successor.
Cisco Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of the BlackSuit (Royal) ransomware or operated by some of its former members. The Chaos ransomware operation uses Ransomware as a Service (RaaS) and has already been linked to double extortion attacks.
The Chaos ransomware group has adopted voice-based social engineering as a new initial access technique. The group is believed to have breached hundreds of organizations in sectors including critical manufacturing, government facilities, healthcare and public health, and commercial facilities.
While this takedown is a significant blow to the ransomware ecosystem, it is not the first time that law enforcement has disrupted a ransomware group, only to see them regroup and rebrand. It remains to be seen whether the former members of the BlackSuit group will attempt to regroup under new names, but for now, the operation has dealt a major blow to their operations globally.