BlackSuit’s technical infrastructure was seized in a globally coordinated takedown operation last month that authorities touted as a significant blow in the fight against cybercrime. The ransomware group’s leak site has displayed a seizure notice since July 24.

The takedown followed a long investigation, which allowed authorities to confiscate “considerable amounts of data,” and identify 184 victims, German officials said in a news release last week. The group’s total extortion demands surpassed $500 million by August 2024, with demands typically in the range of $1 million to $10 million, the Cybersecurity and Infrastructure Security Agency said in an advisory last year. 

U.S. authorities were heavily involved in the operation, but have yet to share details about the investigation or its results. BlackSuit’s extortion site was seized by the Department of Homeland Security’s Homeland Security Investigation department, a unit of U.S. Immigration and Customs Enforcement. 

A spokesperson for ICE told CyberScoop the Justice Department has been waiting for court documents to be unsealed before releasing any information about the law enforcement action dubbed “Operation Checkmate.” The FBI, Secret Service, Europol and cyber authorities from the United Kingdom, Germany, France, Ireland, Ukraine, Lithuania and Romania-based cybersecurity firm Bitdefender were also involved in the operation. 

German officials said the takedown prevented the spread of malware and disrupted BlackSuit’s servers and communication. BlackSuit’s data leak site contained more than 150 entries before the takedown, Bitdefender said in a blog post. 

The majority of BlackSuit’s victims were based in the U.S. and the industries most impacted by the ransomware group’s attacks included manufacturing, education, health care and construction, according to Bitdefender. The company did not respond to a request for comment.

While BlackSuit once commanded outsized attention for its consistent spree of attacks, researchers said the ransomware group’s activities significantly decreased starting in December and remained low until its infrastructure was disrupted last month.

BlackSuit associates were already dispersed prior to the global law enforcement action on the group’s operations. 

The impact from the takedown will be limited because members already abandoned the BlackSuit brand early this year, Yelisey Boguslavskiy, co-founder and partner at RedSense, told CyberScoop. 

BlackSuit’s reputation plummeted as victims learned of the group’s Russian cybercrime lineage and declined to pay extortion demands out of fear that any financial support would evade sanctions imposed by the Treasury Department’s Office of Foreign Assets Control, he said.

As part of that pivot, former BlackSuit members have primarily used INC ransomware and its associated infrastructure this year. 

“It’s not that they were concisely preparing for the takedown. Instead, they just felt brand fatigue,” Boguslavskiy said. “They are very prone to rebranding often. It was two years without a rebrand, so the one was coming, and in the meantime, they were using INC as a newer name without baggage.”

BlackSuit emerged from the Conti ransomware group after a major leak of Conti’s internal messages led to a break up in 2022. Members of the Russian-language ransomware collective rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal before rebranding again to BlackSuit in 2024.

The empowerment of INC is the “most important development in the Russian-speaking ransomware landscape, and the fact that now BlackSuit will double down on using their infrastructure is very concerning,” Boguslavskiy said. 

The ransomware syndicate is composed of about 40 people, led by “Stern,” who has established a massive system of alliances, forming a decentralized collective with links to other ransomware groups, including Akira, ALPHV, REvil, Hive and LockBit, according to Boguslaviskiy. 

INC is currently the second largest Russian-speaking ransomware collective behind DragonForce, he said. 

BlackSuit was prolific, claiming more than 180 victims on its dedicated leak site dating back to May 2023, according to researchers at Sophos Counter Threat Unit. 

The ransomware group’s main members have demonstrated their ability to rebrand and relaunch operations with ease. “It is likely that this latest takedown will have minimal impact on the ability of the individuals behind it to reorganize under a new banner,” Sophos CTU said in a research note.

Former members of BlackSuit emerged under a new ransomware group, Chaos, as early as February, Cisco Talos Incident Response researchers said in a blog post released the same day BlackSuit’s technical infrastructure was seized. Chaos targets appear to be opportunistic and victims are primarily based in the U.S., according to Talos.

The FBI seized cryptocurrency allegedly controlled by a member of the Chaos ransomware group in April, the Justice Department said in a civil complaint seeking the forfeiture of the cryptocurrency last month. Officials said the seized cryptocurrency was valued at more than $1.7 million when it was seized in mid-April.

The post Details emerge on BlackSuit ransomware takedown appeared first on CyberScoop.

Ukraine has seen nearly one-fifth of its Internet space come under Russian control or sold to Internet address brokers since February 2022, a new study finds. The analysis indicates large chunks of Ukrainian Internet address space are now in the hands of shadowy proxy and anonymity services that are nested at some of America’s largest Internet service providers (ISPs).

The findings come in a report examining how the Russian invasion has affected Ukraine’s domestic supply of Internet Protocol Version 4 (IPv4) addresses. Researchers at Kentik, a company that measures the performance of Internet networks, found that while a majority of ISPs in Ukraine haven’t changed their infrastructure much since the war began in 2022, others have resorted to selling swathes of their valuable IPv4 address space just to keep the lights on.

For example, Ukraine’s incumbent ISP Ukrtelecom is now routing just 29 percent of the IPv4 address ranges that the company controlled at the start of the war, Kentik found. Although much of that former IP space remains dormant, Ukrtelecom told Kentik’s Doug Madory they were forced to sell many of their address blocks “to secure financial stability and continue delivering essential services.”

“Leasing out a portion of our IPv4 resources allowed us to mitigate some of the extraordinary challenges we have been facing since the full-scale invasion began,” Ukrtelecom told Madory.

Madory found much of the IPv4 space previously allocated to Ukrtelecom is now scattered to more than 100 providers globally, particularly at three large American ISPs — Amazon (AS16509), AT&T (AS7018), and Cogent (AS174).

Another Ukrainian Internet provider — LVS (AS43310) — in 2022 was routing approximately 6,000 IPv4 addresses across the nation. Kentik learned that by November 2022, much of that address space had been parceled out to over a dozen different locations, with the bulk of it being announced at AT&T.

Ditto for the Ukrainian ISP TVCOM, which currently routes nearly 15,000 fewer IPv4 addresses than it did at the start of the war. Madory said most of those addresses have been scattered to 37 other networks outside of Eastern Europe, including Amazon, AT&T, and Microsoft.

The Ukrainian ISP Trinity (AS43554) went offline in early March 2022 during the bloody siege of Mariupol, but its address space eventually began showing up in more than 50 different networks worldwide. Madory found more than 1,000 of Trinity’s IPv4 addresses suddenly appeared on AT&T’s network.

Why are all these former Ukrainian IP addresses being routed by U.S.-based networks like AT&T? According to spur.us, a company that tracks VPN and proxy services, nearly all of the address ranges identified by Kentik now map to commercial proxy services that allow customers to anonymously route their Internet traffic through someone else’s computer.

From a website’s perspective, the traffic from a proxy network user appears to originate from the rented IP address, not from the proxy service customer. These services can be used for several business purposes, such as price comparisons, sales intelligence, web crawlers and content-scraping bots. However, proxy services also are massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.

IPv4 address ranges are always in high demand, which means they are also quite valuable. There are now multiple companies that will pay ISPs to lease out their unwanted or unused IPv4 address space. Madory said these IPv4 brokers will pay between $100-$500 per month to lease a block of 256 IPv4 addresses, and very often the entities most willing to pay those rental rates are proxy and VPN providers.

A cursory review of all Internet address blocks currently routed through AT&T — as seen in public records maintained by the Internet backbone provider Hurricane Electric — shows a preponderance of country flags other than the United States, including networks originating in Hungary, Lithuania, Moldova, Mauritius, Palestine, Seychelles, Slovenia, and Ukraine.

Asked about the apparent high incidence of proxy services routing foreign address blocks through AT&T, the telecommunications giant said it recently changed its policy about originating routes for network blocks that are not owned and managed by AT&T. That new policy, spelled out in a February 2025 update to AT&T’s terms of service, gives those customers until Sept. 1, 2025 to originate their own IP space from their own autonomous system number (ASN), a unique number assigned to each ISP (AT&T’s is AS7018).

“To ensure our customers receive the best quality of service, we changed our terms for dedicated internet in February 2025,” an AT&T spokesperson said in an emailed reply. “We no longer permit static routes with IP addresses that we have not provided. We have been in the process of identifying and notifying affected customers that they have 90 days to transition to Border Gateway Protocol routing using their own autonomous system number.”

Ironically, the co-mingling of Ukrainian IP address space with proxy providers has resulted in many of these addresses being used in cyberattacks against Ukraine and other enemies of Russia. Earlier this month, the European Union sanctioned Stark Industries Solutions Inc., an ISP that surfaced two weeks before the Russian invasion and quickly became the source of large-scale DDoS attacks and spear-phishing attempts by Russian state-sponsored hacking groups. A deep dive into Stark’s considerable address space showed some of it was sourced from Ukrainian ISPs, and most of it was connected to Russia-based proxy and anonymity services.

Spur’s Chief Technology Officer Riley Kilmer said AT&T’s policy change will likely force many proxy services to migrate to other U.S. providers that have less stringent policies.

“AT&T is the first one of the big ISPs that seems to be actually doing something about this,” Kilmer said. “We track several services that explicitly sell AT&T IP addresses, and it will be very interesting to see what happens to those services come September.”

Still, Kilmer said, there are several other large U.S. ISPs that continue to make it easy for proxy services to bring their own IP addresses and host them in ranges that give the appearance of residential customers. For example, Kentik’s report identified former Ukrainian IP ranges showing up as proxy services routed by Cogent Communications (AS174), a tier-one Internet backbone provider based in Washington, D.C.

Kilmer said Cogent has become an attractive home base for proxy services because it is relatively easy to get Cogent to route an address block.

“In fairness, they transit a lot of traffic,” Kilmer said of Cogent. “But there’s a reason a lot of this proxy stuff shows up as Cogent: Because it’s super easy to get something routed there.”

Cogent declined a request to comment on Kentik’s findings.