2025-07-25

BlackSuit, one of the world’s most notorious ransomware rings, has received a major blow. Authorities have seized the gang’s dark web extortion and data leak site, disrupting its operations.

BlackSuit ransomware has wreaked havoc across critical infrastructure sectors and demanded over $500 million in ransoms from hundreds of victims. Currently, its main site on the dark web has been replaced with a seizure banner.

The takedown is part of Operation Checkmate, a coordinated international law enforcement investigation led by US Homeland Security Investigations.

“This site has been seized by US Homeland Security Investigations as part of a coordinated international law enforcement investigation,” the banner reads.

It also lists 16 other participants in the operation, including Europol, the UK National Crime Agency, the Office of Foreign Assets Control (OFAC), cybersecurity firm Bitdefender, and agencies from Ukraine, Lithuania, Canada, Ireland, Germany, and France.

BleepingComputer was the first to discover that BlackSuit ransomware no longer controls its data leak site and confirmed the takedown with an email from the Department of Justice.

Authorities have yet to release an official statement or detailed information about the takedown and the operation's accomplishments.

While BlackSuit's name is relatively new, with the first victim discovered in June 2023, it is suspected to be a rebrand of the infamous Royal ransomware gang, which was active between September 2022 and June 2023 and used similar code.

BlackSuit had listed over 180 victims on its seized data leak site, with the largest individual ransom demand being $60 million. Royal had previously listed over 200 victims.

The threat actor prompted authorities to release a joint advisory detailing the gang’s double extortion, encryption, data theft, and other techniques.

Another rebrand on the way

It seems that former BlackSuit criminals operate under a new name: Chaos ransomware.

According to the Cisco Talos Incident Response report, this new ransomware-as-a-service operation has been active since around February 2025 and targets organizations with similar “big-game hunting and double extortion attacks.”

“The new group is likely formed by former members of the BlackSuit (Royal) gang, based on similarities in the ransomware's encryption methodology, ransom note structure, and the toolset used in the attacks,” the researchers assess with moderate confidence.

The threat actor promotes its ransomware platform, allegedly capable of targeting Windows, ESXi, Linux, and NAS systems, to potential affiliates on the dark web in a Russian-speaking cybercriminal forum.

The researchers emphasize that the new Chaos ransomware gang has nothing in common with the previous ransomware builder tool with the same name or its developers. The criminals reuse the name to hide their identity and confuse security researchers.

Chaos has listed 10 victims on its leak site, demanding ransoms of around $300,000. Victims are given a choice: pay to receive a decryptor application along with a “detailed report of the penetration test conducted on the victim's environment,” or face public data exposure and DDoS attacks if negotiations fail.