BlackSuit’s technical infrastructure was seized in a globally coordinated takedown operation last month that authorities touted as a significant blow in the fight against cybercrime. The ransomware group’s leak site has displayed a seizure notice since July 24.

The takedown followed a long investigation, which allowed authorities to confiscate “considerable amounts of data,” and identify 184 victims, German officials said in a news release last week. The group’s total extortion demands surpassed $500 million by August 2024, with demands typically in the range of $1 million to $10 million, the Cybersecurity and Infrastructure Security Agency said in an advisory last year. 

U.S. authorities were heavily involved in the operation, but have yet to share details about the investigation or its results. BlackSuit’s extortion site was seized by the Department of Homeland Security’s Homeland Security Investigation department, a unit of U.S. Immigration and Customs Enforcement. 

A spokesperson for ICE told CyberScoop the Justice Department has been waiting for court documents to be unsealed before releasing any information about the law enforcement action dubbed “Operation Checkmate.” The FBI, Secret Service, Europol and cyber authorities from the United Kingdom, Germany, France, Ireland, Ukraine, Lithuania and Romania-based cybersecurity firm Bitdefender were also involved in the operation. 

German officials said the takedown prevented the spread of malware and disrupted BlackSuit’s servers and communication. BlackSuit’s data leak site contained more than 150 entries before the takedown, Bitdefender said in a blog post. 

The majority of BlackSuit’s victims were based in the U.S. and the industries most impacted by the ransomware group’s attacks included manufacturing, education, health care and construction, according to Bitdefender. The company did not respond to a request for comment.

While BlackSuit once commanded outsized attention for its consistent spree of attacks, researchers said the ransomware group’s activities significantly decreased starting in December and remained low until its infrastructure was disrupted last month.

BlackSuit associates were already dispersed prior to the global law enforcement action on the group’s operations. 

The impact from the takedown will be limited because members already abandoned the BlackSuit brand early this year, Yelisey Boguslavskiy, co-founder and partner at RedSense, told CyberScoop. 

BlackSuit’s reputation plummeted as victims learned of the group’s Russian cybercrime lineage and declined to pay extortion demands out of fear that any financial support would evade sanctions imposed by the Treasury Department’s Office of Foreign Assets Control, he said.

As part of that pivot, former BlackSuit members have primarily used INC ransomware and its associated infrastructure this year. 

“It’s not that they were concisely preparing for the takedown. Instead, they just felt brand fatigue,” Boguslavskiy said. “They are very prone to rebranding often. It was two years without a rebrand, so the one was coming, and in the meantime, they were using INC as a newer name without baggage.”

BlackSuit emerged from the Conti ransomware group after a major leak of Conti’s internal messages led to a break up in 2022. Members of the Russian-language ransomware collective rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal before rebranding again to BlackSuit in 2024.

The empowerment of INC is the “most important development in the Russian-speaking ransomware landscape, and the fact that now BlackSuit will double down on using their infrastructure is very concerning,” Boguslavskiy said. 

The ransomware syndicate is composed of about 40 people, led by “Stern,” who has established a massive system of alliances, forming a decentralized collective with links to other ransomware groups, including Akira, ALPHV, REvil, Hive and LockBit, according to Boguslaviskiy. 

INC is currently the second largest Russian-speaking ransomware collective behind DragonForce, he said. 

BlackSuit was prolific, claiming more than 180 victims on its dedicated leak site dating back to May 2023, according to researchers at Sophos Counter Threat Unit. 

The ransomware group’s main members have demonstrated their ability to rebrand and relaunch operations with ease. “It is likely that this latest takedown will have minimal impact on the ability of the individuals behind it to reorganize under a new banner,” Sophos CTU said in a research note.

Former members of BlackSuit emerged under a new ransomware group, Chaos, as early as February, Cisco Talos Incident Response researchers said in a blog post released the same day BlackSuit’s technical infrastructure was seized. Chaos targets appear to be opportunistic and victims are primarily based in the U.S., according to Talos.

The FBI seized cryptocurrency allegedly controlled by a member of the Chaos ransomware group in April, the Justice Department said in a civil complaint seeking the forfeiture of the cryptocurrency last month. Officials said the seized cryptocurrency was valued at more than $1.7 million when it was seized in mid-April.

The post Details emerge on BlackSuit ransomware takedown appeared first on CyberScoop.

========================= [Want to discuss this further? Hit me up on Twitter or LinkedIn] [Subscribe to the RSS feed for this blog] [Subscribe to the Weekly Microsoft Sentinel Newsletter] [Subscribe to the Weekly Microsoft Defender Newsletter] [Learn KQL with the Must Learn KQL series and book]

========================= [Want to discuss this further? Hit me up on Twitter or LinkedIn] [Subscribe to the RSS feed for this blog] [Subscribe to the Weekly Microsoft Sentinel Newsletter] [Subscribe to the Weekly Microsoft Defender Newsletter] [Learn KQL with the Must Learn KQL series and book]

========================= [Want to discuss this further? Hit me up on Twitter or LinkedIn] [Subscribe to the RSS feed for this blog] [Subscribe to the Weekly Microsoft Sentinel Newsletter] [Subscribe to the Weekly Microsoft Defender Newsletter] [Learn KQL with the Must Learn KQL series and book]

========================= [Want to discuss this further? Hit me up on Twitter or LinkedIn] [Subscribe to the RSS feed for this blog] [Subscribe to the Weekly Microsoft Sentinel Newsletter] [Subscribe to the Weekly Microsoft Defender Newsletter] [Learn KQL with the Must Learn KQL series and book]

Want to learn how attackers bypass endpoint products? Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_SacredCashCowTipping2020.pdf 3:41 – Alternate Interpreters 9:19 – Carbon Black Config Issue 15:07 – Cisco […]

The post Webcast: Sacred Cash Cow Tipping 2020 appeared first on Black Hills Information Security, Inc..

Do your PowerShell scripts keep getting caught? Tired of dealing with EDRs & Windows Defender every time you need to pop a box?  In this one-hour podcast, originally recorded as […]

The post BHIS PODCAST: Endpoint Security Got You Down? No PowerShell? No Problem. appeared first on Black Hills Information Security, Inc..

Do your PowerShell scripts keep getting caught? Tired of dealing with EDRs & Windows Defender every time you need to pop a box?  In this one-hour webcast, we introduce a somewhat […]

The post Webcast: Endpoint Security Got You Down? No PowerShell? No Problem. appeared first on Black Hills Information Security, Inc..

Carrie Roberts //* (Updated 2/12/2020) ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential […]

The post Getting PowerShell Empire Past Windows Defender appeared first on Black Hills Information Security, Inc..

Kent Ickler & Jordan Drysdale // BHIS Webcast and Podcast This post accompanies BHIS’s webcast recorded on August 7, 2018, Active Directory Best Practices to Frustrate Attackers, which you can view below. […]

The post Active Directory Best Practices to Frustrate Attackers: Webcast & Write-up appeared first on Black Hills Information Security, Inc..

Carrie Roberts // * Would you like to run Mimikatz without Anti-Virus (AV) detecting it? Recently I attempted running the PowerShell script “Invoke-Mimikatz” from PowerSploit on my machine but it was […]

The post How to Bypass Anti-Virus to Run Mimikatz appeared first on Black Hills Information Security, Inc..

========================= [Want to discuss this further? Hit me up on Twitter or LinkedIn] [Subscribe to the RSS feed for this blog] [Subscribe to the Weekly Microsoft Sentinel Newsletter] [Subscribe to the Weekly Microsoft Defender Newsletter] [Learn KQL with the Must Learn KQL series and book]