BlackSuit ransomware gang’s darknet websites seized by police
The BlackSuit ransomware gang’s darknet extortion sites were seized on Thursday in an operation involving police from more than nine countries.
A splash page replacing the gang’s list of victims on its main Tor domain, as well as its private negotiation pages, states that these sites have “been seized by U.S. Homeland Security Investigations” as part of a coordinated international operation.
It features the logos of 17 law enforcement entities alongside the cybersecurity company Bitdefender, giving pole position to Homeland Security Investigations (HSI), a part of the Immigration and Customs Enforcement agency that focuses on transnational crime. HSI did not immediately respond to a request for comment.
The BlackSuit gang, which is believed to have been operational since April/May 2023, was a private ransomware group that, unlike ransomware-as-a-service (RaaS) schemes, did not license its tooling to other criminals.
It is believed to be a rebrand of the Royal ransomware, as an advisory from the FBI and Cybersecurity and Infrastructure Security Agency (CISA) stated last year. The cybercriminals behind the Royal gang were believed to be connected to the Conti scheme, one of the most notorious and scrutinized communities in Russian cybercrime.
The joint advisory described BlackSuit as having demanded more than $500 million in extortion payments from its victims, which internationally are believed to include the Japanese media giant Kadokawa and Tampa Bay Zoo, one of the most popular zoos in the United States.
In April 2024, the gang claimed responsibility for an attack against the blood plasma collection organization Octapharma, which the American Hospital Association said “resulted in the temporary closure of almost 200 blood plasma collection centers” across the country.
Following the takedown, Cisco Talos Incident Response published research finding some of the BlackSuit gang had already gone on to form part of the Chaos ransomware scheme “based on similarities in the ransomware's encryption methodology, ransom note structure, and the toolset used in the attacks.”
Alexander Martin
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.