Massive Global Takedown Destroys BlackSuit Ransomware, DOJ Seizes $1M
Law enforcement seized four servers, nine domains, and about $1.09M in crypto linked to the Royal/BlackSuit operation, following a July 24 takedown coordinated with eight countries.
The U.S. Justice Department says a multi-agency, international operation has disrupted the BlackSuit (formerly Royal) ransomware enterprise—seizing core infrastructure and roughly $1.09 million in laundered cryptocurrency. Investigators say Royal/BlackSuit hit hundreds of organizations across critical sectors since 2022, amassing hundreds of millions in ransoms before the July 24 takedown.
The Justice Department announced coordinated actions to cripple the BlackSuit (Royal) ransomware ecosystem—seizing key servers, dark-web domains, and approximately $1,091,453 in virtual currency tied to victim payments—after a July 24 infrastructure takedown executed with U.S. and international partners.
- What happened: On July 24, U.S. agencies—HSI, Secret Service, IRS-CI, and FBI—working with counterparts in the U.K., Germany, Ireland, France, Canada, Ukraine, and Lithuania, dismantled core infrastructure used for deploying ransomware, extorting victims, and laundering proceeds. Details were formally announced Aug. 11.
- What was seized: Four servers, nine domains, and about $1.09 million in crypto linked to Royal/BlackSuit.
- Victim scope: Royal/BlackSuit has compromised hundreds of U.S. entities since 2022 across healthcare, manufacturing, government, education, energy, and public safety, with estimated ransom intake in the hundreds of millions of dollars.
- Why it matters: BlackSuit is the evolution of Royal ransomware, a high-tempo operation that favors double extortion—data theft followed by encryption—and aggressive pressure tactics.
- “The BlackSuit ransomware gang’s persistent targeting of U.S. critical infrastructure represents a serious threat to public safety,” said Assistant Attorney General John A. Eisenberg, noting the “disruption-first” posture of current operations.
- U.S. Attorney Erik S. Siebert called the action a “forward-leaning” move to protect U.S. businesses and critical infrastructure from ransomware actors.
- IRS-CI executive special agent Kareem Carter said the case underscores efforts to “disrupt the illicit flow of money that enables cyber criminals to launder millions in cryptocurrency.”
Additional background from CISA stresses that Royal rebranded to BlackSuit in 2024, sharing code and tactics while expanding capabilities.
Technical Analysis (How the Operation and the Attacks Worked)
Infrastructure & funds: Investigators seized hosting and domains used for payload delivery, leaks, and negotiation, plus ~$1.09M in crypto traced from a 2023 ransom that was repeatedly cycled through an exchange before being frozen.
BlackSuit/Royal TTPs:
- Initial access: Predominantly spear-phishing (malicious PDFs, malvertising); also RDP compromise, exploitation of public-facing apps, and credentials sourced via stealer logs/IABs.
- Command & control: Use of tunneling/tools such as Chisel and common SSH/RDP utilities; repurposed admin software for persistence.
- Lateral movement & defense evasion: RDP, PsExec, SMB; disable AV by modifying GPOs; use of legitimate RMM tools.
- Discovery & credentials: Mimikatz, NirSoft tools; network enumeration with SharpShares/NetWorx; kill processes with PowerTool/GMER.
- Exfiltration: Cobalt Strike, Ursnif/Gozi, SystemBC, Gootloader; frequent use of U.S. IPs as first hop; Rclone/Brute Ratel for data movement.
- Encryption tradecraft: Partial/percentage-based encryption to speed impact and evade detection; vssadmin to delete shadow copies; batch scripts to create admin users, force GPO updates, and wipe logs post-encryption.
Ransom economics: Demands commonly $1M–$10M (Bitcoin), with some as high as $60M, and an overall haul estimated in the hundreds of millions since 2022.
Impact & Response
- Who’s affected: Critical infrastructure and public services—especially healthcare, government facilities, and manufacturing—were among frequent targets.
- Immediate actions by authorities: Server/domain seizures, cryptocurrency forfeiture, and continued international investigations. The DOJ unsealed seizure documents and pointed victims to FBI/CISA guidance and IOCs.
- What’s next for defenders: Even with infrastructure offline, related crews may rebrand or splinter (a recurring pattern in ransomware). Organizations should treat the takedown as time bought—not game over.
Background
Royal/BlackSuit rose after Conti’s collapse, adopting a private-group model (not broad RaaS) and favoring “double extortion” with phone/email harassment to pressure payments. U.S. advisories in 2023–2024 documented code overlap between Royal and BlackSuit and mapped TTPs to MITRE ATT&CK.
Defender Playbook
- Patch KEVs first; aggressively remediate known exploited vulnerabilities. Enforce MFA (especially for VPN/RDP) and disable public RDP where possible.
- Harden AD & GPO: Monitor/alert on GPO changes that disable AV or EDR; restrict PsExec/SMB admin use; baseline and alert on new local admin creation.
- Detect exfil paths: Watch for Rclone, Brute Ratel, and unusual outbound to cloud storage; alert on large data egress to unfamiliar U.S. IPs.
- EDR queries (examples):
  - `vssadmin.exe Delete Shadows` or `wmic shadowcopy delete`
  - Creation of admin via `net user` followed by `gpupdate /force`
  - SharpShares/NetWorx execution on domain controllers
  - Batch files unpacked from 7z dropping in `C:\Temp\` or `C:\ProgramData\`
  (Map to ATT&CK T1486, T1078, T1484.001, T1562.001.)
- Tabletop + backups: Test restores, isolate backup networks, and ensure offline/immutable copies.
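As an added example (not from the article or the cited advisories), the EDR queries in the playbook expressed as detection logic in Python over constructed Sysmon-style process-creation events; the host names, the domain-controller inventory and the 10-minute correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events (not real telemetry); host names are invented.
EVENTS = [
    {"ts": "2025-07-20T02:11:05", "host": "WS-14", "cmd": r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2025-07-20T02:11:09", "host": "WS-14", "cmd": "wmic shadowcopy delete"},
    {"ts": "2025-07-20T02:12:30", "host": "WS-14", "cmd": "net user svc_backup P@ssw0rd /add"},
    {"ts": "2025-07-20T02:13:02", "host": "WS-14", "cmd": "gpupdate /force"},
    {"ts": "2025-07-20T02:15:44", "host": "DC-01", "cmd": r"C:\ProgramData\SharpShares.exe /threads:50"},
    {"ts": "2025-07-20T02:16:10", "host": "WS-14", "cmd": r"cmd.exe /c C:\Temp\run.bat"},
    {"ts": "2025-07-20T09:00:00", "host": "WS-02", "cmd": "gpupdate /force"},  # routine: no account add before it
]
DOMAIN_CONTROLLERS = {"DC-01"}                     # assumed inventory of domain controllers
ADMIN_TO_GPUPDATE_WINDOW = timedelta(minutes=10)   # assumed correlation window

# Stateless patterns: one matching command line is enough to alert.
SIMPLE_RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)),
    ("batch_from_staging_dir", re.compile(r"[A-Z]:\\(Temp|ProgramData)\\[^\s\"]*\.bat\b", re.I)),
]
NET_USER_ADD = re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+.*\s/add\b", re.I)
GPUPDATE_FORCE = re.compile(r"\bgpupdate(\.exe)?\s+/force\b", re.I)
ENUM_TOOL = re.compile(r"(?:^|\\)(SharpShares|NetWorx)(\.exe)?\b", re.I)


def detect(events, domain_controllers=DOMAIN_CONTROLLERS, window=ADMIN_TO_GPUPDATE_WINDOW):
    """Return (rule, host, ts) tuples for the BlackSuit/Royal patterns listed in the playbook."""
    alerts = []
    last_account_add = {}  # host -> time of the most recent `net user ... /add`
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, host, cmd = datetime.fromisoformat(e["ts"]), e["host"], e["cmd"]
        for name, rx in SIMPLE_RULES:
            if rx.search(cmd):
                alerts.append((name, host, e["ts"]))
        if NET_USER_ADD.search(cmd):
            last_account_add[host] = ts
            alerts.append(("local_account_created", host, e["ts"]))
        elif GPUPDATE_FORCE.search(cmd):
            # Stateful rule: gpupdate alone is routine; it matters when it follows an account add on the same host.
            prev = last_account_add.get(host)
            if prev is not None and ts - prev <= window:
                alerts.append(("account_add_then_gpupdate", host, e["ts"]))
        if host in domain_controllers and ENUM_TOOL.search(cmd):
            alerts.append(("share_enum_tool_on_dc", host, e["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, host, ts in detect(EVENTS):
        print(f"{ts} {host:6} {rule}")
```

The stateful rule is the one worth copying into a real SIEM: `gpupdate /force` on its own is noise, and only the sequence on one host within the window is the signal.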
Conclusion
This disruption removes key infrastructure and freezes illicit funds, but history suggests capable crews rebrand and resume. The win for defenders is time: use it to close exposure paths, monitor for BlackSuit/Royal TTPs, and harden identity and egress controls before the next iteration surfaces.
Sources
- U.S. Attorney’s Office, D.C.: “Justice Department Announces Coordinated Actions to Disrupt the Operations of BlackSuit (Royal) Ransomware” (Aug. 11, 2025).
- CISA/FBI: #StopRansomware: BlackSuit (Royal) Ransomware (updated 2024).
- CISA: Royal actors rebrand as BlackSuit (Aug. 7, 2024).
- TechRadar Pro / Axios roundups on victim counts and seizure details.