Over a million dollars’ worth of cryptocurrency assets laundered by or on behalf of the notorious BlackSuit ransomware gang – previously known as Royal – were seized ahead of a multinational takedown operation in July, led by the US authorities with support from the UK’s National Crime Agency (NCA) and cyber cops from Canada, France, Germany, Ireland, Lithuania and Ukraine.
Operation Checkmate, which took place on 24 July, saw a coordinated action that took four servers and nine domains offline for good. The US Department of Justice (DoJ) has revealed that this week, a warrant for the seizure of crypto assets valued at $1.09m (£800,000) was unsealed by the US Attorney’s Offices for the Eastern District of Virginia and the District of Columbia. The seizure itself took place some months ago.
The funds in question were paid out on or around 4 April 2023 by a victim who handed over 49.31 bitcoin in exchange for the BlackSuit gang agreeing to decrypt. The payment was worth about $1.45m at the time. A portion of this total was repeatedly deposited and withdrawn into a virtual currency exchange account, before being frozen by the exchange in January 2024.
“Disrupting ransomware infrastructure is not only about taking down servers – it’s about dismantling the entire ecosystem that enables cyber criminals to operate with impunity,” said Michael Prado, deputy assistant director of the Cyber Crimes Center at Homeland Security Investigations (HIS), the investigative branch of the federal government Department of Homeland Security (DHS).
“This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable,” said Prado.
HSI Washington DC acting special agent in charge Christopher Heck added: “This investigation reflects the full reach of HSI’s cyber mission and our commitment to protecting victims – whether they’re small businesses, school systems, or hospitals. We will continue to target the infrastructure, finances and operators behind these ransomware groups to ensure they have nowhere left to hide.”
This investigation reflects the full reach of HSI’s cyber mission and our commitment to protecting victims. We will continue to target the infrastructure, finances and operators behind these ransomware groups to ensure they have nowhere left to hide Christopher Heck, Homeland Security Investigations
A prolific ransomware actor, BlackSuit was likely comprised of individuals with historic links to the Conti gang. It first surfaced in early 2022, likely acting as an affiliate of other gangs, before emerging as Royal with its own encryptor that autumn. It went on to rebrand as BlackSuit following a major attack on the City of Dallas in Texas, but it then lay quiet until last summer, when it started to ramp up the tempo of its attacks again.
During its operational life, it is thought that BlackSuit attacked almost 500 victims in the US alone and extorted over $370m in payments.
Its targeting included victims in many critical infrastructure sectors, such as government bodies, healthcare and manufacturing. As noted, one of its most noteworthy victims was the City of Dallas, which was attacked in spring 2023.
In this infamous incident, the gang was able to gain access to the city government’s systems using a stolen account, and exfiltrated over a terabyte’s worth of files over a four-week period, before executing its ransomware payload.
While BlackSuit operated a fairly standard double encryption business model, it was somewhat noteworthy in its approach to encrypting its victims’ data, using a partial encryption approach that allowed its operators to choose how much data in a file to encrypt. This tactic meant the gang could work quicker and evade detection.
The outlook is still Chaos
Notwithstanding the success of the joint operation, ransomware actors are notoriously difficult to pin down and, when cornered, have a frustrating habit of melting into the shadows and re-emerging with a new identity further down the line.
In the case of BlackSuit, the gang’s next rebrand may already be in progress. In late July, researchers at Cisco Talos published intelligence linking an emergent ransomware-as-a-service (RaaS) operation dubbed Chaos to former BlackSuit operatives.
In their assessment, the Cisco Talos team said it was likely that based on similarities in tactics, techniques and procedures (TTPs) – including encryption commands, the broad theme and structure of its ransom note, and the use of similar tools in its attacks – Chaos was “either a rebranding of the BlackSuit ransomware or operated by some of its former members”.
