U.S. seizes servers and $1.09m in crypto linked to BlackSuit ransomware gang

Another ransomware gang is in U.S. crosshairs, with authorities moving against the BlackSuit group, active since 2022 and linked to more than $370 million in ransom demands.

On Monday, the Justice Department said it seized four servers, nine domains, and about $1.09 million in cryptocurrency tied to BlackSuit, working with U.S. and international partners to carry out the raid.

The July 24 takedown drew in a broad coalition of agencies, from Homeland Security Investigations and the Secret Service to IRS Criminal Investigation and the FBI, alongside law enforcement from the United Kingdom, Germany, Ireland, France, Canada, Ukraine, and Lithuania.

Officials also unsealed a federal warrant to seize the cryptocurrency, which an unnamed exchange had frozen earlier this year.

BlackSuit’s targeted critical U.S. infrastructure

BlackSuit, active since at least 2022, emerged as a spinoff of the Royal ransomware gang, a group already known for large-scale extortion campaigns against critical infrastructure. Investigators say the group began operating under the BlackSuit name in 2023 and was found to be using many of Royal’s tactics, techniques, and tools.

Over time, it built its own reputation in the cybercrime world for targeting large organizations with ransom demands ranging from $1 million to $10 million, and in one case, as high as $60 million. 

The group also operated a portal on the darknet where it listed sensitive stolen data set to be released to the public if victims did not pay the ransom.

By late 2023, the FBI and the Cybersecurity and Infrastructure Security Agency warned in a joint advisory that BlackSuit had the tools and tactics to hit sectors where an attack could cause the most disruption.

BlackSuit has struck critical infrastructure within the U.S., often hitting healthcare providers, government facilities, manufacturing plants, and commercial operators. Victims usually found themselves locked out of vital systems while facing the threat of sensitive data leaks.

In 2023, an unnamed organization paid 49.3 Bitcoin, worth about $1.44 million at the time, to regain control of its systems after a BlackSuit breach, according to the DOJ.

A portion of that ransom payment became the $1.09 million that was seized during the takedown after months of investigation. Authorities estimate that since 2022, BlackSuit has compromised over 450 known victims in the United States alone.

US moves against ransomware gangs

The U.S. has been actively fighting back against ransomware attacks through sanctions and enforcement actions, describing this in today’s announcement as a “disruption-first” approach.

As previously reported by crypto.news, earlier this year the U.S., UK, and Australia jointly sanctioned Russian hosting provider Zservers and its operators for offering bulletproof hosting to the LockBit ransomware gang.

Last month, the Justice Department filed a forfeiture action to recover $2.3 million in Bitcoin from a member of the Chaos ransomware group after the FBI’s Dallas division seized 20 BTC from a Chaos-linked address the same month.