BlackSuit, Royal ransomware group hit over 450 US victims before last month’s takedown

The Department of Homeland Security said the Russian cybercrime collective received at least $370 million in ransom payments, based on current cryptocurrency valuations.

LAS VEGAS — The Russian cybercrime group behind BlackSuit and Royal ransomware was more prolific and successful at extorting payments from its victims than previously known, according to an update Thursday from an investigative unit inside the Department of Homeland Security.

“Since 2022, the Royal and BlackSuit ransomware groups have compromised over 450 known victims in the United States, including entities in healthcare, education, public safety, energy and government sectors,” said a report from Homeland Security Investigations, which operates out of U.S. Immigration and Customs Enforcement. “Combined, the groups have received more than $370 million in ransom payments, based on present-day valuations of cryptocurrency.”

BlackSuit’s technical infrastructure, including servers, domains and tools used to deploy ransomware, extort victims and launder proceeds, was seized and dismantled in a globally coordinated takedown operation last month. BlackSuit’s leak site has displayed a seizure notice since July 24, but U.S. officials waited two weeks to publicly acknowledge the international takedown.

“Disrupting ransomware infrastructure is not only about taking down servers — it’s about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” Michael Prado, deputy assistant director of HSI’s Cyber Crimes Center, said in a statement.

German officials involved in the takedown previously said they identified 184 BlackSuit victims. The group’s combined take from victim extortions was unknown, but in an advisory last year the Cybersecurity and Infrastructure Security Agency said BlackSuit’s total extortion demands surpassed $500 million by August 2024.

“The BlackSuit ransomware gang’s persistent targeting of U.S. critical infrastructure represents a serious threat to U.S. public safety,” John A. Eisenberg, assistant attorney general for national security, said in a statement. The majority of BlackSuit’s victims were based in the U.S.

While BlackSuit once commanded outsized attention for its consistent spree of attacks, researchers said the ransomware group’s activities significantly decreased starting in December and remained low until its infrastructure was disrupted last month.

The impact from the takedown will be limited because BlackSuit associates were already dispersed and abandoned the BlackSuit brand prior to the global law enforcement action on the group’s operations, Yelisey Boguslavskiy, co-founder and partner at RedSense, told CyberScoop.

Former BlackSuit members have primarily used INC ransomware and its associated infrastructure this year, according to Boguslavskiy.

BlackSuit emerged from the Conti ransomware group after a major leak of Conti’s internal messages led to a break up in 2022. Members of the Russian-language ransomware collective rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal before rebranding again to BlackSuit in 2024.
