Law enforcement agencies have successfully dismantled the dark web extortion infrastructure of the BlackSuit ransomware operation, which has compromised the networks of hundreds of organizations globally over recent years.
The U.S. Department of Justice confirmed the operation in a public announcement, detailing that authorities executed a court-authorized seizure of the BlackSuit domains. This significant action reflects ongoing initiatives to combat cybercrime on a global scale.
As part of this crackdown, the previously operational BlackSuit .onion domains have now been replaced with seizure notices. These notices inform visitors that the ransomware gang’s sites were taken down by U.S. Homeland Security Investigations as part of an international effort dubbed Operation Checkmate.
The seizure banner clearly states, “This site has been seized by U.S. Homeland Security Investigations as part of a coordinated international law enforcement investigation.”
According to reports from BleepingComputer, the seized domains included dark web data leak platforms and extortion negotiation websites traditionally employed to coerce victims into paying ransom demands.
This operation saw collaboration from numerous law enforcement bodies, including the U.S. Secret Service, the Dutch National Police, the German State Criminal Police Office, the U.K. National Crime Agency, the Frankfurt General Prosecutor’s Office, the Justice Department, the Ukrainian Cyber Police, Europol, and others. The Romanian cybersecurity firm Bitdefender also played a role in this operation, although further details remain pending.
Rebranding as Chaos Ransomware
In a related development, the Cisco Talos threat intelligence group recently reported findings that suggest the BlackSuit ransomware operation may be rebranding itself once again as Chaos ransomware.
“Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of the BlackSuit (Royal) ransomware or is operated by some of its former members,” the researchers asserted, backing their claim with evidence of similarities in tactics, techniques, and procedures (TTPs). These include encryption commands, ransom note structure, and reliance on living-off-the-land binaries (LOLbins) and remote monitoring and management (RMM) tools used in their attacks.
The BlackSuit ransomware initially emerged as Quantum ransomware in January 2022 and is believed to be a successor to the notorious Conti cybercrime syndicate. After initially leveraging encryptors from other gangs (including ALPHV/BlackCat), the group soon adopted its own Zeon encryptor and rebranded as Royal ransomware in September 2022.
By June 2023, following an attack on the City of Dallas, Texas, the Royal ransomware gang began operating under the BlackSuit name, launching a new encryptor amid rumors of a rebranding initiative.
The Cybersecurity and Infrastructure Security Agency (CISA) along with the FBI revealed in a joint advisory released in November 2023 that Royal and BlackSuit share strikingly similar tactics, with their respective encryptors displaying noticeable coding overlaps. This advisory linked the Royal ransomware gang to attacks on over 350 organizations globally since September 2022, culminating in ransom demands exceeding $275 million.
Subsequent confirmations from both agencies in August 2024 disclosed that the Royal ransomware had officially transitioned to BlackSuit, accumulating over $500 million in ransom demands from its victims over the past two years.
Update 7/24/25: This article has been revised to include details on the seizure of negotiation sites as well.