The Homeland Security Investigations (HSI) group of the Immigration and Customs Enforcement (ICE) agency on Aug. 7 claimed to have dismantled the BlackSuit ransomware gang — the successor to Royal ransomware.ICE said the operation, conducted in tandem with U.S. and international law enforcement partners, resulted in the seizures of servers, domains, and digital assets used to deploy ransomware, extort victims, and run money laundering operations.BlackSuit is best-known in the United States for the 2024 attacks on GDK Global’s car dealership software platform and Octapharma Plasma’s file sharing system.“Disrupting ransomware infrastructure is not only about taking down servers — it's about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said HSI Cyber Crimes Center Deputy Assistant Director Michael Prado. “This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable.”Nic Adams, co-founder and CEO or 0rcus, explained that this group, under both its Royal and BlackSuit monikers, is estimated to have received more than $370 million in ransom payments since 2022. This made them one of the most financially successful ransomware groups, noted Adams.“The group's attacks consistently targeted critical infrastructure sectors in the United States, including healthcare, education, public safety, and government,” said Adams. “The Octapharma Plasma attack, for instance, shut down over 160 plasma donation centers, directly impacting a crucial part of the healthcare system. The GDK Global attack crippled thousands of car dealerships, causing widespread economic disruption.”Craig Jones, chief security officer at Ontinue, added while this takedown is a win for defeners, it’s not a knockout. Jones said without arrests, the operators behind BlackSuit still have the skills, infrastructure know-how, and hundreds of millions in funding to restart operations under a new name.“We’ve seen this cycle play out with other ransomware crews, and disruption without accountability usually only buys time,” said Jones. “The coordinated international effort is encouraging, but lasting impact will require hitting the human element, not just the servers.”Trey Ford, chief strategy and trust officer at Bugcrowd, said BlackSuit has also targeted the manufacturing, technology, and retail sectors which may have considerably higher fidelity logging telemetry informing stronger fingerprinting, supporting law enforcement investigations.“Seeing the organization and infrastructure dismantled is encouraging,” said Ford. “As defenders, we strive to make criminal activity increasingly expensive, time consuming, and dangerous for threat actors – and even if the humans behind these organizations have not yet been located – these HSI victories do raise the cost and risk for these individuals.”
Ransomware, Governance, Risk and Compliance, Government Regulations, Malware
ICE takes down BlackSuit ransomware operation
(Adobe Stock)
An In-Depth Guide to Ransomware
Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds