Blacksuit ransomware: Law enforcement officials seize ransomware website

“Operation Checkmate” puts Blacksuit's ransom negotiations on hold, at least for now. Meanwhile, the possibly related ransomware Chaos continues to rage.

[Image: the seizure notice “This domain has been seized” displayed on the website] (Image: heise security / Screenshot)


The ransomware gang Blacksuit will probably have to do without income from extortion for now: a group of international law enforcement officers, with German participation, has taken down the gang's darknet infrastructure as part of “Operation Checkmate”. “This domain has been seized,” announces the message placed there by the investigators.

Blacksuit used to be called Royal and had been active under this name since 2022. It was then renamed in August 2024 – a popular strategy, especially when investigators are hot on the heels of gangsters.


Like many other actors, Blacksuit uses a double extortion strategy: before encrypting, it exfiltrates sensitive data from companies and organizations and then blackmails them with the threat of publication. According to an older security advisory on Blacksuit from the Cybersecurity and Infrastructure Security Agency (CISA), the group's typical demands (payable in Bitcoin) range between one and ten million US dollars. In total (as of August 2024), the group has demanded over 500 million US dollars; numerous further extortion attempts have likely been added since.

Both the publication of exfiltrated data (and the threat thereof) and the ransom negotiations themselves took place via the onion sites that have now been seized. The group will therefore first have to reorganize. It also remains to be seen whether further measures as part of “Operation Checkmate” will affect their continued existence and operations. So far, nothing has become known about arrest warrants, house searches, or even arrests.

Meanwhile, Cisco's Talos Intelligence Group is reporting increased activity from a fairly new ransomware called Chaos.

Interestingly, the researchers claim to have observed technical overlaps between Blacksuit and Chaos. There are said to be similarities in terms of the attack tools used as well as the encryption process and the content and structure of the ransom message. It is said to be either a rebranding of Blacksuit or a project involving former Blacksuit actors.

According to the researchers' analyses, Chaos has been active since February 2025 and follows a ransomware-as-a-service model that lets ambitious criminals sign up without any prior technical knowledge. At the moment, however, they are likely to run into a small obstacle: the domain of the email address that Chaos uses for contact has just been taken down by the authorities. It belongs to the recently arrested admin of the underground forum XSS.

Chaos attacks both Windows and Linux systems and can also pose a threat to NAS and ESXi environments. Attacks on targets in Europe have not yet been reported.

Is the Blacksuit gang now operating undisturbed under the guise of a clone – or have some (well-informed) rats possibly abandoned the Blacksuit “ship” as a precaution anticipating its demise? We can only speculate about this for now. What is clear is that the cat-and-mouse game between investigators and cyber gangsters is entering the next round.

(ovw)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.