Royal & BlackSuit Ransomware Attack 450+ US Firms

▼ Summary
– The U.S. Department of Homeland Security (DHS) reported that the cybercrime gang behind Royal and BlackSuit ransomware breached over 450 U.S. companies and collected $370 million in ransom payments before being taken down.
– Homeland Security Investigations (HSI) and international partners dismantled the group’s infrastructure, seizing BlackSuit’s dark web domains in Operation Checkmate.
– The gang, originally linked to Quantum ransomware and Conti syndicate, rebranded as Royal in 2022 and later as BlackSuit in 2023, targeting sectors like healthcare and government.
– CISA and FBI confirmed Royal/BlackSuit used double-extortion tactics, demanding over $500 million from victims globally since 2022.
– Cisco Talos found evidence the group may rebrand again as Chaos ransomware, using similar tactics such as voice-based social engineering and targeting local/remote storage.
A massive ransomware operation targeting over 450 U.S. organizations has been disrupted following an international law enforcement crackdown. The cybercriminal group behind both Royal and BlackSuit ransomware strains amassed more than $370 million in extorted payments before authorities dismantled their infrastructure last month.
Investigators from Homeland Security Investigations (HSI) revealed that the hackers infiltrated businesses across critical sectors, including healthcare, education, energy, and government agencies. Their attacks relied on double-extortion tactics, locking down systems while threatening to leak stolen data unless victims paid up. The U.S. Department of Justice confirmed the seizure of BlackSuit’s dark web domains, replacing them with law enforcement seizure notices as part of Operation Checkmate.
The group first emerged in early 2022 as Quantum ransomware, later rebranding to Royal before adopting the BlackSuit name in mid-2023. Analysts linked them to the infamous Conti syndicate, noting their shift from borrowed malware to custom-built encryption tools like Zeon. By late 2023, federal agencies confirmed that Royal and BlackSuit were the same entity, responsible for global attacks on 350+ organizations with ransom demands surpassing $275 million.
Recent intelligence suggests the group may be regrouping under yet another identity. Cisco Talos researchers uncovered signs that the hackers have resurfaced as Chaos ransomware, launching new ransomware-as-a-service (RaaS) campaigns. Unlike earlier variants, this latest iteration employs voice phishing (vishing) to gain initial access before deploying an encryptor capable of crippling both local and cloud-based storage.
While the name might suggest a connection to past Chaos ransomware strains, experts warn this is likely a deliberate misdirection. Tactical overlaps, including identical ransom notes, encryption methods, and abuse of legitimate IT tools, point to strong ties with the dismantled BlackSuit operation. Authorities continue monitoring the situation, anticipating further rebranding attempts by the persistent cybercrime network.
The takedown marks a significant victory, but the group’s adaptability underscores the ongoing challenges in combating ransomware threats. Businesses are urged to strengthen defenses against social engineering, maintain offline backups, and apply security patches promptly to mitigate risks.
(Source: Bleeping Computer)