
Notorious cybercrime group’s ‘critical infrastructure’ dismantled by ICE, Canada, other countries

Global law agencies aid in BlackSuit ransomware group takedown. (Getty Images)

The U.S. Justice Department (DOJ) announced Monday that “critical infrastructure” used by the BlackSuit (Royal) ransomware group has been successfully dismantled.

A successor to the Royal ransomware group, BlackSuit is responsible for targeting more than 450 Americans in the healthcare, education, public safety, energy and government sectors, and is linked to several attacks worldwide since 2022.

The co-ordinated takedown, dubbed “Operation Checkmate,” specifically targeted the Royal and BlackSuit ransomware groups. It was executed by U.S. Immigration and Customs Enforcement (ICE), under the Department of Homeland Security (DHS), with the help of international law enforcement agencies from Canada, the U.K., Germany, Ireland, France, Ukraine and Lithuania, ICE said in a news release.

The operation led to the seizure of four servers, nine domains and approximately US$1 million in laundered proceeds on July 24, in addition to virtual currency estimated at around $1,091,453, which was seized around June 21, 2024, according to the DOJ.

The BlackSuit ransomware group and the Royal ransomware group have extorted a combined total of more than $370 million in ransom payments, based on the current value of cryptocurrency, ICE said.

“Disrupting ransomware infrastructure is not only about taking down servers — it’s about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said Michael Prado, deputy assistant director for Homeland Security Investigations’ (HSI) Cyber Crimes Center (C3).

The groups used “double-extortion tactics”: they first encrypted the victims’ operating systems, then threatened to leak stolen personal data to coerce the victims into paying.

“This operation strikes a critical blow to BlackSuit’s infrastructure and operations,” William Mancino, special agent in charge of the U.S. Secret Service’s Criminal Investigative Division, stated in the news release.

Royal victims are typically required to pay ransoms in cryptocurrency by accessing a darknet website, the news release said.

According to the DOJ, one of the victims paid a ransom of 49.3120227 bitcoin on or around April 4, 2023, worth $1,445,454.86 at the time of the transaction, to decrypt their data. A part of that ransom was repeatedly deposited and withdrawn through a virtual currency account, which led to the funds being frozen around Jan. 9, 2024.

The U.S. Attorney’s Office for the Eastern District of Virginia continues to collaborate with international law enforcement agencies as it prosecutes the case.

In a statement to CTVNews.ca Wednesday, an RCMP spokesperson said the National Cybercrime Coordination, or NC3, played a key role in the international takedown of BlackSuit.

According to the RCMP, the NC3 provided technical support and expert advice to Canadian and global police partners involved in the coordinated disruption.

Working closely with the Delta Police Department and other Canadian law enforcement agencies, the NC3 said it gathered and shared information on Canadian victims linked to the ransomware operation.

“Cybercrime is a borderless threat, capable of hitting victims scattered across Canada and around the globe,” the statement read. NC3 regularly collaborates with both domestic and foreign partners to reduce victimization and dismantle cybercriminal networks, it added.

Earlier in 2024, law enforcement agencies from around the world, including the Federal Bureau of Investigation (FBI), Europol and the U.K.’s National Crime Agency, worked together to dismantle a dark web site connected to the LockBit ransomware group, which had extorted over $120 million in ransom from over 2,000 victims globally. Dubbed “Operation Cronos,” the joint venture was part of an international drive to disrupt major cybercrime operations around the world.

With files from CTV News’ Dorcas Marfo