
US authorities on Monday said last month's coordinated takedown of the BlackSuit ransomware gang led to the seizure of over a dozen servers and domains, plus over a million dollars worth of laundered cryptocurrency.
The notorious ransomware gang’s infrastructure was disrupted on July 24th, in an international operation led by the US Department of Homeland Security Investigations (HSI).
It is now being revealed that cyber authorities were able to dismantle a total of four servers and nine domains (plus other digital assets), including its main onion site, which had been replaced with a seizure banner last month.
“Disrupting ransomware infrastructure is not only about taking down servers — it's about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said Deputy Assistant Director Michael Prado for HSI’s Cyber Crimes Center (C3).
“This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable,” Prado said.
BlackSuit ransomware has wreaked havoc across critical infrastructure sectors and demanded over $500 million in ransom payments from hundreds of victims.
In a further blow to the gang’s infrastructure and operations, the US Justice Department (DoJ) also revealed that approximately $1 million in laundered ransomware payments was seized from the gang’s coffers, according to the US warrant.
“Some of those proceeds included approximately $1,091,453 in virtual currency (valued at the time of the theft),” the agency said in the first detailed update released since the coordinated takedown.
Manufacturing, government, healthcare, public health, and commercial facilities are just some of the sectors BlackSuit has gone after since it began operating under the "Royal" moniker three years ago.
NSA officials say the “gang’s persistent targeting of US critical infrastructure” has been “a serious threat” to the public safety of the nation.
Justice Department Announces Coordinated Disruption Actions Against BlackSuit (Royal) Ransomware Operations
Law Enforcement Seizes Servers, Domains, and Approximately $1 Million In Laundered Proceeds Owned By BlackSuit (Royal) Ransomware
“The BlackSuit ransomware gang’s… pic.twitter.com/EIXS7X0Su3
National Security Division, U.S. Dept of Justice (@DOJNatSec), August 11, 2025
Part of Operation Checkmate, the July takedown included 16 other participants, including Europol, the UK National Crime Agency, the Office of Foreign Assets Control (OFAC), cybersecurity firm Bitdefender, as well as agencies from Ukraine, Lithuania, Canada, Ireland, Germany, and France.
Rebranding is the name of the game
Although it appears BlackSuit infrastructure has been decimated, security researchers believe that former BlackSuit criminals are already operating under a new name: Chaos ransomware.
According to a Cisco Talos blog from July 24th, ironically published the same day as the BlackSuit takedown, the new ransomware-as-a-service operation has been active since February, targeting organizations with similar "big-game hunting and double extortion attacks."
“The new group is likely former members of the BlackSuit (Royal) gang, based on similarities in the ransomware's encryption methodology, ransom note structure, and the toolset used in the attacks,” the researchers assess with moderate confidence.
The threat actor promotes its ransomware platform, allegedly capable of targeting Windows, ESXi, Linux, and NAS systems, to potential affiliates on the dark web in a Russian-speaking cybercriminal forum.
The Talos researchers further emphasize that the new Chaos ransomware gang has nothing in common with the previous ransomware builder tool with the same name or its developers. They say the criminals reuse the name to hide their identity and confuse security researchers.
Chaos has listed over 18 victims on its leak site as of Monday, demanding ransoms upwards of $300,000. Victims are given a choice: pay to receive a decryptor application along with a “detailed report of the penetration test conducted on the victim's environment,” or face public data exposure and DDoS attacks if negotiations fail.
In May, the cybercriminal gang claimed the Salvation Army, eventually leaking the charity’s data on its victim site.
More about BlackSuit and its extortion demands
The BlackSuit ransomware cartel, then operating as Royal, emerged on the cyber scene in early 2022 after claiming the UK’s Silverstone Formula One motor racing circuit.
The gang is said to be made up of a hodgepodge of former threat actors from other Russian-linked cyber gangs, including the Conti group. Before creating its own Royal ransomware, it used other third-party variants, including BlackCat and Zeon.
By the end of 2023, after its name change to BlackSuit, the gang was reported to have extorted more than $275 million from at least 350 known victims, according to the US Cybersecurity and Infrastructure Security Agency (CISA). In 2024, the gang claimed at least 144 victims.
BlackSuit ransom demands have reportedly ranged from approximately $1 million to $11 million in Bitcoin, to be paid through a darknet website.
In 2023, one victim was found to have paid a ransom of 49.3120227 Bitcoin to decrypt their data. This ransom was said to be worth $1,445,454.86 at the time of the transaction.
It was also discovered that “a portion of those proceeds ($1,091,453) was repeatedly deposited and withdrawn into a virtual currency exchange account until the funds were frozen by that exchange on or about January 9th, 2024,” the DoJ said.
The initial rebrand also prompted US authorities to release an updated joint advisory last August, detailing the gang’s tactics, techniques, and procedures (TTPs).
Notorious for data exfiltration and extortion prior to encryption, the group is known to use phishing emails to gain initial access to its victims' networks.
In 2024, victims included the automotive software provider CDK Global, software solutions provider Young Consulting, South Carolina’s Kershaw County School District, the Kansas City Police Department, and the Kansas City Hospice.
Additionally, the gang made waves in 2023 by hacking the City of Dallas, Texas, shutting down the municipality for weeks and affecting the Dallas Police and Fire Departments.