THE RELENTLESS EVOLUTION OF A RANSOMWARE EMPIRE – FROM CONTI TO CHAOS

The U.S. Department of Homeland Security announced that its investigative arm, Homeland Security Investigations, along with international partners, dismantled the infrastructure of the Royal and BlackSuit ransomware gangs. Since 2022, these cybercriminals have attacked over 450 organizations across sectors like healthcare, education, public safety, energy, and government in the U.S., collecting more than $370 million from victims before being taken down last month.

The U.S. Department of Justice announced that, as part of the international Operation Checkmate, law enforcement seized the dark web extortion sites used by the BlackSuit ransomware gang, replacing them with seizure notices. The Royal and BlackSuit groups, which emerged from the former Conti syndicate under the name Quantum in early 2022, initially used other gangs’ encryptors before creating their own Zeon encryptor and rebranding as Royal in September 2022. Together, they used double-extortion tactics — encrypting data and threatening leaks — to extort over $370 million in cryptocurrency from victims.

In June 2023, after attacking the City of Dallas and testing a new encryptor called BlackSuit, the Royal ransomware group rebranded under the BlackSuit name. CISA and the FBI later confirmed that both operated with the same tactics, with Royal linked to over 350 attacks worldwide since September 2022 and ransom demands exceeding $275 million. By August 2024, the agencies reported that BlackSuit, formerly Royal, had issued ransom demands totaling more than $500 million in just over two years.

Cisco Talos researchers report that after BlackSuit’s infrastructure was dismantled, the group is likely rebranding as “Chaos” ransomware, launching a new ransomware-as-a-service operation. This new variant, unrelated to earlier Chaos versions, uses double-extortion tactics, voice-based social engineering, and encryptors targeting both local and remote storage. Talos believes with moderate confidence that it is either a rebrand of BlackSuit (formerly Royal) or run by some of its former members, based on similarities in attack methods, ransom note style, and use of specific tools.

EVEN WHEN LAW ENFORCEMENT KNOCKS THEM DOWN, CYBER CRIME SYNDICATES REINVENT THEMSELVES.
Sanjay Sahay

Have a nice evening.
