U.S. and international law enforcement agencies have dismantled servers and websites associated with the BlackSuit ransomware group, seizing approximately $1 million in cryptocurrency.
The operation, revealed by the Justice Department on Monday, targeted BlackSuit in late July and involved the confiscation of servers and domain names, along with the cryptocurrency assets. A warrant for the seizure, valued at just over $1 million at the time, was also unsealed.
“Disrupting ransomware infrastructure involves more than just taking down servers; it’s about dismantling the entire ecosystem that allows cybercriminals to operate without consequences,” stated Michael Prado, deputy assistant director at the Homeland Security Investigations Cyber Crimes Center.
BlackSuit, a spinoff of the Royal ransomware gang, has been active since at least 2023. This latest operation is part of broader U.S. efforts against ransomware groups, which included the sanctioning of the ransomware hosting provider Aeza Group in July.
The takedown was led by the U.S. Department of Homeland Security’s Homeland Security Investigations, collaborating with the Secret Service, IRS, FBI, and law enforcement agencies from the UK, Germany, Ireland, France, Canada, Ukraine, and Lithuania.
The Justice Department noted that BlackSuit has persistently targeted critical infrastructure across various sectors, including healthcare, government, manufacturing, and commercial facilities. Victims are often coerced into paying ransoms in Bitcoin through darknet platforms.
Since 2022, BlackSuit has compromised over 450 known victims in the U.S. and has received more than $370 million in ransom payments. The group employed double-extortion tactics, encrypting victims’ systems while threatening to leak stolen data to compel payment, according to the DOJ.
[Figure: Sample of a BlackSuit ransom demand. Source: SentinelOne]
“The persistent targeting of U.S. critical infrastructure by the BlackSuit ransomware gang poses a significant threat to public safety,” stated John Eisenberg, Assistant Attorney General for National Security.
In 2023, one victim paid a ransom of 49.3 BTC, equivalent to approximately $1.4 million at that time, to recover their data. A portion of this ransom, amounting to the seized $1 million, was repeatedly deposited into and withdrawn from a cryptocurrency exchange account until the exchange froze the funds in early 2024; the specific exchange was not disclosed.
Ransom demands from BlackSuit have typically ranged from $1 million to $10 million in Bitcoin, with the highest demand reaching $60 million, according to the Cybersecurity and Infrastructure Security Agency.
In July, the FBI in Dallas announced the seizure of 20 BTC valued at around $2.4 million from a cryptocurrency address linked to a prominent member of the Chaos ransomware group.
Recently, analysts at TRM Labs investigated a new ransomware group called Embargo, which may have emerged as a successor to BlackCat. This group reportedly launders proceeds through cryptocurrency accounts, with about $18.8 million remaining dormant in unidentified wallets.
Source: Cointelegraph. Edited by Bernie S.