U.S. authorities have set their sights on another ransomware outfit, targeting the BlackSuit group, which has been active since 2022 and is linked to more than $370 million in ransom demands.
On Monday, the Justice Department announced the seizure of four servers, nine domains, and roughly $1.09 million in cryptocurrency connected to BlackSuit. The operation, carried out in coordination with U.S. and international partners, marked a significant step in disrupting the group’s activities.
The July 24 takedown brought together a broad coalition of agencies, including Homeland Security Investigations, the Secret Service, IRS Criminal Investigation, and the FBI, along with law enforcement from the United Kingdom, Germany, Ireland, France, Canada, Ukraine, and Lithuania.
Authorities also revealed a federal warrant to seize the cryptocurrency, which had been frozen earlier this year by an undisclosed exchange.
BlackSuit Targeted Critical U.S. Infrastructure
BlackSuit, active since at least 2022, originated as a spinoff of the Royal ransomware gang — a group already notorious for large-scale extortion campaigns against critical infrastructure. Investigators report that the group adopted the BlackSuit name in 2023, continuing to use many of Royal’s established tactics, techniques, and tools.
Since then, BlackSuit has built its own notoriety in the cybercrime underground, targeting large organizations with ransom demands typically ranging from $1 million to $10 million, and in one instance reaching an unprecedented $60 million.
The gang also maintained a darknet portal to showcase stolen sensitive data, threatening public release if victims refused to pay.
By late 2023, the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint advisory warning that BlackSuit possessed the capabilities to strike sectors where an attack could cause maximum disruption.
The group has targeted critical U.S. infrastructure, frequently hitting healthcare providers, government agencies, manufacturing facilities, and commercial operators. In many cases, victims were locked out of essential systems while facing threats that stolen sensitive data would be publicly leaked.
In one 2023 incident, an unnamed organization paid 49.3 Bitcoin—about $1.44 million at the time—to regain access to its systems following a BlackSuit breach, according to the Justice Department.
Part of that ransom, totaling $1.09 million, was seized during the recent takedown after months of investigation. Authorities estimate that since 2022, BlackSuit has compromised more than 450 known victims in the United States alone.
U.S. Cracks Down on Ransomware Gangs
The U.S. has stepped up its fight against ransomware through a combination of sanctions and enforcement actions, describing its strategy in today’s announcement as a “disruption-first” approach.
Earlier this year, as reported by crypto.news, the U.S., UK, and Australia jointly sanctioned Russian hosting provider Zservers and its operators for supplying bulletproof hosting services to the LockBit ransomware gang.
Just last month, the Justice Department launched a forfeiture action to reclaim $2.3 million in Bitcoin from a member of the Chaos ransomware group, following the seizure of 20 BTC from a Chaos-linked wallet by the FBI’s Dallas division.

