Global Law Enforcement Takedown of BlackSuit Ransomware Gang’s Darknet Sites

TL;DR

In a major operation, international law enforcement agencies, including U.S. Homeland Security, seized the dark web sites of the BlackSuit ransomware group. This gang, believed to be a rebrand of the Royal ransomware linked to the Conti cybercrime group, has been active since April 2023 and targeted critical infrastructure sectors. The operation highlights global efforts to combat ransomware threats.


Main Content

International Law Enforcement Seizes BlackSuit Ransomware Gang’s Darknet Sites

In a significant victory against cybercrime, an international law enforcement operation successfully seized the dark web data leak sites of the notorious BlackSuit ransomware group. Visitors to these sites are now greeted with a banner announcing the seizure by U.S. Homeland Security Investigations, featuring logos of 17 law enforcement agencies and cybersecurity firm Bitdefender [1].

Background on BlackSuit Ransomware

The BlackSuit ransomware group has been operational since April 2023. Unlike other Ransomware-as-a-Service (RaaS) operations, BlackSuit does not manage a network of affiliates. It is suspected to be a rebrand of the Royal ransomware, which has been linked to the Conti cybercrime group, a significant player in Russian cybercrime [2].

In August 2024, the FBI and CISA released a joint advisory on the BlackSuit ransomware group. This advisory detailed the group’s tactics, techniques, and procedures (TTPs), as well as indicators of compromise (IOCs). The advisory highlighted that BlackSuit is a rebrand of the legacy Royal ransomware and has targeted various critical infrastructure sectors, including commercial facilities, healthcare, government, and manufacturing [3].

Key Tactics and Techniques

The BlackSuit actors employ several methods to gain initial access to victim networks, including:

  • Phishing campaigns
  • Remote Desktop Protocol (RDP) exploits
  • Exploiting vulnerabilities in public-facing applications
  • Using initial access provided by access brokers
  • Harvesting VPN credentials from stealer logs

Historically, the group has used tools like Chisel and Secure Shell (SSH) clients (PuTTY, OpenSSH, MobaXterm) for command and control (C2) communications. They also utilize SharpShares and SoftPerfect NetWorx to map out victim networks. Credential theft is accomplished using Mimikatz and Nirsoft tools, while security-related system processes are terminated using tools like PowerTool and GMER. Data exfiltration is carried out using post-exploitation tools such as Cobalt Strike and malware like Ursnif [4].
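The tool names in the advisory summary above are the kind of indicator a defender can turn into a first-pass triage rule over process-creation telemetry. The following is an added example (not code from the original post or the advisory) that groups the named tools by the role the text gives them and aggregates matches per host; the event fields, regexes and sample events are constructed, and SSH clients are treated as dual-use so a lone PuTTY launch is not raised as a high-severity finding.

```python
import re
from collections import defaultdict

# Tool indicators grouped by the role the TTP summary above assigns them.
# Regexes are constructed for this example; adapt them to your own telemetry fields.
TOOLING = {
    "c2": [r"\bchisel\b", r"\bputty\b", r"\bplink\b", r"\bmobaxterm\b"],
    "discovery": [r"\bsharpshares\b", r"\bnetworx\b"],
    "credential_theft": [r"\bmimikatz\b", r"\bnirsoft\b"],
    "defense_evasion": [r"\bpowertool\b", r"\bgmer\b"],
    "exfiltration": [r"\bcobalt\s*strike\b", r"\bursnif\b"],
}
PATTERNS = {s: [re.compile(p, re.I) for p in pats] for s, pats in TOOLING.items()}
# Dual-use stages: SSH clients on their own are routine admin activity and should not page anyone.
DUAL_USE = {"c2"}

def classify(event):
    """Return the set of stages a single process-creation event matches (empty if none)."""
    text = f"{event.get('image', '')} {event.get('cmdline', '')}"
    return {s for s, pats in PATTERNS.items() if any(p.search(text) for p in pats)}

def triage(events):
    """Aggregate per host: several stages on one host is the strong signal; a lone dual-use hit is low."""
    hosts = defaultdict(lambda: {"stages": set(), "images": []})
    for ev in events:
        stages = classify(ev)
        if stages:
            hosts[ev["host"]]["stages"] |= stages
            hosts[ev["host"]]["images"].append(ev["image"])
    result = {}
    for host, h in hosts.items():
        strong = h["stages"] - DUAL_USE
        severity = "high" if len(h["stages"]) >= 2 or strong else "low"
        result[host] = {"severity": severity, "stages": sorted(h["stages"]), "images": h["images"]}
    return result

# Constructed sample events (not real telemetry): one admin host using PuTTY legitimately,
# one workstation showing tunnelling, share enumeration and credential theft together.
SAMPLE_EVENTS = [
    {"host": "admin-01", "image": r"C:\Program Files\PuTTY\putty.exe", "cmdline": "putty.exe"},
    {"host": "ws-14", "image": r"C:\Users\Public\chisel.exe", "cmdline": "chisel.exe client"},
    {"host": "ws-14", "image": r"C:\Users\Public\SharpShares.exe", "cmdline": "SharpShares.exe"},
    {"host": "ws-14", "image": r"C:\Windows\Temp\mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"host": "ws-14", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS).items():
        print(host, finding["severity"], finding["stages"])
```

Name matching is only a starting point; attackers rename binaries, so in production pair this with hash, signer and behavioural rules and treat the advisory's IOC list as the authoritative source.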

Ransom Demands and Negotiation Tactics

BlackSuit actors typically demand ransoms ranging from $1 million to $10 million USD in Bitcoin. Collectively, they have sought over $500 million, with the highest individual demand reaching $60 million. The group is open to negotiating payment amounts, which are discussed via a .onion URL provided after encryption. Recently, there has been an increase in direct communications, such as phone calls or emails, from BlackSuit actors. If the ransom is not paid, the gang publishes victim data on a Tor leak site [5].

Conclusion

The seizure of the BlackSuit ransomware gang’s darknet sites represents a significant milestone in global efforts to combat cybercrime. The FBI and CISA encourage organizations to implement the recommendations found in their advisory to reduce the likelihood and impact of ransomware incidents [6].

For more details, visit the full article: source

References

  1. (2025, July 26). “Law enforcement operations seized BlackSuit ransomware gang’s darknet sites”. Security Affairs. Retrieved 2025-07-26.

  2. (2023, April). “BlackSuit ransomware group’s TOR data leak sites”. Security Affairs. Retrieved 2025-07-26.

  3. (2024, August). “Joint advisory on the BlackSuit Ransomware group”. Security Affairs. Retrieved 2025-07-26.

  4. (2024, August). “BlackSuit ransomware targeted various critical infrastructure sectors”. Security Affairs. Retrieved 2025-07-26.

  5. (2024, August). “BlackSuit actors typically demanded ransoms ranging from $1 million to $10 million USD”. Security Affairs. Retrieved 2025-07-26.

  6. (2024, August). “FBI and CISA encourage organizations to implement the recommendations”. Security Affairs. Retrieved 2025-07-26.

This post is licensed under CC BY 4.0 by the author.