Homeland Security Investigations (HSI), in partnership with U.S. and international law enforcement agencies, has dismantled the infrastructure behind BlackSuit ransomware, a major cybercriminal group and successor to Royal ransomware, in a coordinated global operation.
The action targeted the backbone of the group's operations, including servers, domains, and digital assets used to deploy ransomware, extort victims, and launder proceeds. According to U.S. Immigration and Customs Enforcement (ICE), the takedown demonstrates the value of cross-border collaboration in the fight against cybercrime. "These criminals thought they could hide behind their keyboards, but this operation proves that international partnerships can reach them anywhere," the agency said in its announcement.
While no arrests have been made, the removal of BlackSuit's operational infrastructure is a major disruption to a group responsible for high-impact ransomware campaigns. Craig Jones, Chief Security Officer at Ontinue, said the news is "a win for defenders" but warned that without arrests, "the operators behind BlackSuit still have the skills, infrastructure know-how, and hundreds of millions in funding to restart operations under a new name."
Since 2022, Royal and BlackSuit ransomware groups have compromised more than 450 known victims in the United States, targeting sectors such as healthcare, education, public safety, energy, and government. These attacks have brought in more than $370 million in cryptocurrency at current prices.
Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, said targeting critical infrastructure naturally draws law enforcement attention. "Attacking critical infrastructure brings a rally cry for support," he explained, pointing to the role of highly coordinated ISACs in enriching law enforcement investigations. BlackSuit also targeted manufacturing, technology, retail, and government organizations, industries that may have provided richer logging data to strengthen the case for a takedown.
Taking down ransomware infrastructure does more than just interrupt ongoing campaigns. Ford noted that it forces attackers into a costly, time-consuming rebuild. "There's something personal about having your infrastructure shut down; the humanity of asking, 'what do they know about us now?' will cause pause," Ford said. That hesitation, combined with the heightened cost and risk of rebuilding, could temporarily reduce attacks on these sectors.
BlackSuit emerged from the remnants of Royal ransomware, with Trend Micro reporting a 98% overlap in tactics, techniques, and procedures (TTPs) between the two groups. Experts expect that if the operators re-emerge under a new name, they will follow a similar operational model.
That's why Jones and Ford both stressed the need for ongoing defensive hardening, especially in sectors the group has previously targeted. Measures include securing privileged accounts, locking down lateral movement tools like PowerShell, and limiting Domain Admin privileges. Even as law enforcement celebrates this disruption, defenders should be preparing for the next wave.
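As an added example (not code from the SecureWorld article or from any of the quoted experts), the following PowerShell script applies and verifies two of the measures above on a domain-joined Windows host: it turns on script block and module logging so PowerShell activity is recorded (Event IDs 4104 and 4103), reports whether the session runs in Constrained Language Mode and whether the legacy v2 engine (which does not produce that logging) is still installed, and lists the effective members of Domain Admins with their last-logon dates so over-privileged or stale accounts can be trimmed. It assumes an elevated session and the ActiveDirectory RSAT module; the registry paths, feature name and event IDs are the documented Microsoft ones.

```powershell
# Added example: defender-side hardening and audit for the measures named in the
# article. Assumptions: elevated session on a domain-joined Windows host; the
# ActiveDirectory RSAT module is installed for the Domain Admins audit.

#Requires -RunAsAdministrator

$PSPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    # Script block logging records every script block that runs (Event ID 4104),
    # including code after de-obfuscation; module logging records pipeline
    # activity (Event ID 4103). Both are what detection rules consume.
    $sbl = Join-Path $PSPolicy 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

    $mod = Join-Path $PSPolicy 'ModuleLogging'
    New-Item -Path (Join-Path $mod 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $mod -Name 'EnableModuleLogging' -Value 1 -Type DWord
    # '*' = '*' logs all modules rather than a named subset.
    Set-ItemProperty -Path (Join-Path $mod 'ModuleNames') -Name '*' -Value '*' -Type String
}

function Test-PowerShellHardening {
    # Report the current state so the change can be verified on one host or
    # collected across a fleet. LanguageMode should read ConstrainedLanguage on a
    # hardened workstation; PSv2EngineEnabled should be $false.
    $sblState = Get-ItemProperty -Path (Join-Path $PSPolicy 'ScriptBlockLogging') -ErrorAction SilentlyContinue
    $modState = Get-ItemProperty -Path (Join-Path $PSPolicy 'ModuleLogging') -ErrorAction SilentlyContinue
    # MicrosoftWindowsPowerShellV2 is the client feature name; on Server use Get-WindowsFeature PowerShell-V2.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        ScriptBlockLogging = ($sblState.EnableScriptBlockLogging -eq 1)
        ModuleLogging      = ($modState.EnableModuleLogging -eq 1)
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode
        PSv2EngineEnabled  = ($v2.State -eq 'Enabled')
    }
}

function Get-DomainAdminAudit {
    # Enumerate the effective (nested) user membership of Domain Admins so that
    # stale, disabled or unexpected accounts can be removed.
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet, Enabled |
        Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet |
        Sort-Object LastLogonDate
}

function Get-RecentScriptBlockEvents {
    param([int]$Count = 25)
    # Newest script block log entries; Properties[2] of a 4104 event is the
    # ScriptBlockText field. Useful to confirm logging works before a SIEM
    # rule is built on it.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
}

# Usage
Enable-PowerShellLogging
Test-PowerShellHardening | Format-List
Get-DomainAdminAudit | Format-Table -AutoSize
Get-RecentScriptBlockEvents -Count 10 | Format-Table -Wrap
```

The script only reports the language mode rather than setting it: Constrained Language Mode is enforced reliably through an AppLocker or Windows Defender Application Control policy, not through a registry or environment-variable toggle, so that step belongs in policy deployment. Likewise, the audit output is the input to a review of who actually needs Domain Admin membership, which is the point both experts make.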
Follow SecureWorld News for more stories related to cybersecurity.