International Law Enforcement Seizes Ransomware Operation Site

In a significant development against cybercrime, law enforcement agencies from multiple countries have successfully disrupted the operations of the ransomware group known as Blacksuit. This action, part of a coordinated initiative dubbed 'Operation Checkmate', has temporarily halted the gang's extortion activities by seizing their infrastructure on the Darknet.

The group, previously recognized as Royal, has been active since 2022 and rebranded to Blacksuit in August 2024, a common tactic employed by criminal organizations to evade law enforcement scrutiny. The authorities have placed a notice on the seized site, indicating that the domain has been confiscated.

Blacksuit is notorious for employing a double extortion strategy: they first steal sensitive data from companies and then demand ransom payments to prevent the public release of that information. According to cybersecurity reports, the group's ransom demands have ranged from one million to ten million US dollars, adding up to over 500 million dollars in total demands as of August 2024.

The seizure of their Onion sites will force Blacksuit to reevaluate their operations. The extent of further law enforcement actions under 'Operation Checkmate' remains unclear, with no reports of arrests or additional measures disclosed at this time.

Meanwhile, the cybersecurity community is witnessing the rise of a new ransomware threat known as Chaos. Researchers from Cisco's Talos Intelligence Group have identified overlapping technical aspects between Chaos and Blacksuit, suggesting a possible connection. This could either indicate a rebranding of the existing group or the emergence of a new operation involving former members of Blacksuit.

Active since February 2025, Chaos operates under a Ransomware-as-a-Service model, allowing individuals with no technical expertise to participate in cyber extortion. However, its operations have faced challenges, as the domain used for initial contact has been seized by authorities, linked to a recently apprehended administrator of an underground forum.

Chaos targets both Windows and Linux systems, posing risks to Network Attached Storage (NAS) and ESXi environments. As of now, there have been no reported attacks against targets in Europe.

The cat-and-mouse dynamic between law enforcement and cybercriminals continues to evolve, raising the question of whether the Blacksuit gang will adapt or whether some members have preemptively distanced themselves from the organization in anticipation of its downfall.