
Ransomware Organization BlackSuit's Hidden Web Domains Apprehended During Operation Checkmate

International coalition, comprising nine nations, successfully dismantled key components of a notorious ransomware group's network.

Seized Dark Web Sites of BlackSuit Ransomware Group in Law Enforcement Operation Checkmate

In the ever-evolving world of cybercrime, a new player has emerged in the form of the ransomware group known as BlackSuit. This group, which first appeared in May 2023, has been linked to several high-profile cyber-attacks in the past two years.

According to reports, BlackSuit is believed to be a rebrand of the Royal ransomware gang, itself a successor to the infamous Conti group, which was active from December 2019 until its dissolution in June 2022. Following Conti's disbandment, its members dispersed into various factions, with some forming the Royal ransomware group in early 2022.

The similarities in tactics, techniques, and procedures (TTPs) between BlackSuit and a group known as Chaos are striking. Both groups have been observed using legitimate remote monitoring and management (RMM) software to maintain persistence in victim networks. The encryption commands, the theme and structure of the ransom note, and the use of LOLbins and RMM tools in their attacks are all strikingly similar.
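Because the abuse of legitimate RMM software described above blends in with ordinary administration, one practical detection is to compare every RMM process start against the organisation's own sanctioned configuration and alert on the rest. The following is an added example, not code from the article or from any vendor: the RMM executable names, the single sanctioned product, the managed-host list and the process-creation log lines are all constructed assumptions for illustration, and a defender would populate the first three from their own software inventory.

```python
"""Flag process-creation events where an RMM tool runs outside the sanctioned configuration.

Added example, not from the article. Tool names, the sanctioned policy and the
sample log lines are constructed assumptions for illustration only.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# Illustrative RMM executables (assumption: a real deployment would derive this
# table from the organisation's own software inventory).
RMM_EXECUTABLES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "atera.agent.exe": "Atera",
}

# Assumption: the IT team sanctions exactly one RMM product, and only on the
# hosts it manages. Anything else is worth a look.
SANCTIONED = {"tool": "TeamViewer", "hosts": {"it-admin-01"}}


@dataclass
class Finding:
    host: str
    user: str
    tool: str
    reason: str


def evaluate_event(event: dict) -> Optional[Finding]:
    """Return a Finding if the event is an RMM start that violates policy, else None."""
    # Normalise the image path so both Windows and POSIX separators work, then
    # keep only the basename for the lookup.
    image = event.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    tool = RMM_EXECUTABLES.get(image)
    if tool is None:
        return None  # not an RMM binary we know about
    host = event.get("host", "")
    user = event.get("user", "")
    if tool != SANCTIONED["tool"]:
        return Finding(host, user, tool, "unsanctioned RMM product")
    if host not in SANCTIONED["hosts"]:
        return Finding(host, user, tool, "sanctioned product on unmanaged host")
    return None


def scan_log(lines) -> List[Finding]:
    """Parse one JSON process-creation event per line and collect policy violations."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        finding = evaluate_event(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry): one sanctioned start, one
# unsanctioned product in a user profile, one unrelated process, and the
# sanctioned product on a host IT does not manage.
SAMPLE_LOG = r"""
{"host": "it-admin-01", "user": "IT\\helpdesk", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"}
{"host": "fin-ws-22", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\AnyDesk\\AnyDesk.exe"}
{"host": "fin-ws-22", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\notepad.exe"}
{"host": "hr-ws-07", "user": "CORP\\svc_backup", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"}
"""


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f.host}\t{f.user}\t{f.tool}\t{f.reason}")
```

Run against the constructed sample, the scan reports two findings: AnyDesk launched from a user profile on fin-ws-22, and the sanctioned TeamViewer binary started on hr-ws-07, a host outside the managed set. Matching on the executable basename is deliberately simple; an RMM tool renamed or run from an unusual path would need a hash or signer check as well, which this example leaves out.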

Talos, a cybersecurity research organisation, assesses with moderate confidence that Chaos is either a rebranding of BlackSuit or operated by some of its former members. The available sources do not, however, publicly confirm who is behind Chaos if it is not BlackSuit.

BlackSuit's modus operandi involves double extortion tactics, encrypting victims' data and threatening to release it publicly unless a ransom is paid. This group has claimed 184 victims, according to Ransomware.live, and has been involved in several significant cyber-attacks, including the attack on Octapharma Plasma in April 2024 and the attack on CDK Global in June 2024.

The ransom demands typically ranged from $1m to $10m in Bitcoin, with the highest recorded demand being $60m, as reported by the US Cybersecurity and Infrastructure Security Agency (CISA) in August 2024.

Operation Checkmate, a joint operation allegedly involving the U.S. Secret Service, the Dutch National Police, the German Federal Criminal Police Office, the UK National Crime Agency (NCA), the Frankfurt Public Prosecutor's Office, and the Ukrainian Cyber Police, is reported to have targeted BlackSuit's infrastructure. However, neither the NCA nor the US Department of Justice (DoJ) has officially confirmed the takedown of BlackSuit's infrastructure at the time of writing.

Royal, another offshoot of the Conti group, gained notoriety for targeting US cities, such as the attack on the City of Dallas in May 2023. BlackSuit's attacks have been linked to organizations such as ZooTampa, the Brazilian government, Western Municipal Construction, and others.

In conclusion, BlackSuit, a successor to the notorious Conti ransomware group, has been active since May 2023. Its tactics, techniques, and procedures are strikingly similar to those of the group known as Chaos. BlackSuit has reportedly demanded over $500m from its victims within two years of activity, making it a significant threat in the world of cybercrime.
