
After $500 Million in Ransom Demands, Law Enforcement Seizes BlackSuit Site


With the help of Bitdefender and more than a dozen law enforcement agencies, the U.S. Department of Homeland Security Investigations seized the extortion site belonging to the BlackSuit ransomware group. The group, including previous versions of its operations, has claimed hundreds of victims worldwide with ransom demands totaling more than $500 million in the last few years. 

Law enforcement dubbed the takedown Operation Checkmate.

The group's page now features a takedown notice including which agencies and organizations participated in the operation.

Our dedicated Draco Team provided expert assistance to law enforcement agencies, having researched this ransomware since BlackSuit's formation in May 2023. This effort is part of our ongoing commitment to combating cybercrime in collaboration with global partners. Bitdefender has publicly shared dozens of free ransomware decryptors, saving organizations worldwide an estimated $1.6 billion in ransom payments.

BlackSuit Ransomware: A Private Group that Cycles Through Rebrands

BlackSuit ransomware emerged in the summer of 2023 and has claimed more than 185 victims since that time. A rebrand of the ransomware group Royal, BlackSuit is known for using double extortion tactics and collecting high ransoms, with some individual payments exceeding $2 million. Cyber defense and intelligence teams have scrutinized the group closely in the past year, seeking glimpses into its origins, operations, and capabilities.

Conti’s Downfall and The Royal Family

Royal, the group from which BlackSuit rebranded, was originally identified in late 2022 as an offshoot of Zeon. Royal was active from January to July 2023, claiming 123 victims before its activity sharply declined, with no further victims reported under that name. Interestingly, BlackSuit’s own operations were first recognized in May 2023, a couple of months before Royal’s operations went quiet.

In the fall of 2022, reports began linking the personnel behind BlackSuit (then operating as Royal) to Conti, a prominent group that disbanded after a tumultuous year of leaks and internal strife. These connections highlighted Conti Team One, a specialized unit. The association between Conti and BlackSuit (via Royal) also led to speculation about BlackSuit’s base of operations, suggesting a region like Russia or Ukraine.

During this time Royal, and by extension BlackSuit, made few public statements. They took the lessons learned from the Conti leak and operated in a more discreet manner to reduce the odds of future leaks. BlackSuit did not operate as a Ransomware-as-a-Service group with a dedicated affiliate program or any infrastructure intended to share tools and resources. It remained a private ransomware group, developing ransomware strains that target Windows and Linux systems as well as VMware ESXi servers.

BlackSuit Victimology

BlackSuit’s top targets were organizations in the manufacturing, education, research, healthcare, and construction industries. The manufacturing and healthcare industries continue to be lucrative targets as these sectors may have a wider range of projected profits and revenue compared to other industries, such as government and consulting. The BlackSuit theme of attacking organizations with higher profits and projected revenue may also hold true when identifying potential victims in the retail industry.

The majority of BlackSuit’s victims were organizations based in the United States, with other organizations in countries such as Great Britain, Canada, Belgium, and Spain representing significantly smaller victim populations.

In the past year, BlackSuit has claimed 103 victims. After November 2024, there was a sharp decrease in the number of attacks claimed each month. This decrease in activity may have been a strategic move on the group's part to stay under the radar. The decrease in attacks may also represent a period just before another hiatus, when the group would evolve and rebrand under a different name.

The BlackSuit Data Leak Site

BlackSuit’s data leak site (DLS) had a simple layout and accomplished what was needed for extortion purposes. Posts detailed the organizations that had been compromised, along with updates and links to the stolen data. Prior to its seizure, there were more than 150 blog entries on BlackSuit’s data leak site.

Additional details such as LinkedIn pages for company contacts and directory listings for the stolen data are featured in some blog posts. A screenshot of the BlackSuit data leak site is pictured below. The name and description of the victim organization are obscured to protect the affected organization.

Figure 1: BlackSuit DLS

BlackSuit’s DLS featured a Contact page for victims to request support from BlackSuit in recovering their systems and data. Victims requesting support had to provide a unique victim ID or a negotiation link; both are included in the ransom note alongside instructions on how to reach BlackSuit. The victim would also provide their email address in the request.

Figure 2: BlackSuit DLS Contact Page

The BlackSuit DLS did not have a community forum or feature social media pages like Telegram and X as some groups do. This echoes the sentiment that operating discreetly was the best way to minimize OPSEC (operational security) risks such as leaked communications, code, infrastructure and staff lists.

In spite of the simplistic nature of BlackSuit’s data leak site, the delivery and receipt of high ransom demands distinguished them as a threat actor that carried out operations with the backing of experienced in-house teams. This experience also helped BlackSuit assess the revenue of organizations as part of a structured, selective process to target victims. The group was able to generate far greater wealth in a short timespan compared to many other ransomware groups.

Last year, reports from the FBI and CISA indicated that BlackSuit’s total ransom amount exceeded $500 million. This amount exceeds estimates for other groups like RansomHub, a former major player in RaaS, and the Akira ransomware group, which continues to operate and issue demands ranging from a couple of hundred thousand to several million dollars. Victims infected by BlackSuit ransomware are directed to contact BlackSuit staff via a Tor link embedded in the ransom note. Then, a conversation starts: BlackSuit discusses next steps and begins to exert pressure.

There are numerous losses that cut deeply into the hearts and wallets of any business that falls victim to cybercriminals. Criminals will find a way to secure payment and have no need for moral obligations or other contracts. BlackSuit is no exception. In late 2024, the group leaked the data of a known victim after receiving a ransom payment of nearly $3 million.

Tactics, Techniques, and Procedures

Initial Access

BlackSuit gained initial access to target systems by using phishing tactics. They sent emails containing malicious PDFs and have used malvertising in their campaigns. The group has also leveraged RDP and weaknesses in public-facing applications to gain access to target systems. Earlier this year, another access method was documented: campaigns resulting in the execution of BlackSuit ransomware were observed that used fake Zoom installers to load malware, including a remote access trojan. Once BlackSuit successfully gains access, reconnaissance and network enumeration tasks are performed using SharpShares and SoftPerfect NetWorx.

Persistence

BlackSuit has used remote monitoring and management tools (RMMs), which are often already present in business and enterprise environments, to establish persistence. Malicious tools like SystemBC are also introduced to help the threat actor maintain access, performing tasks like altering registry values and adding scheduled tasks.

Privilege Escalation

BlackSuit escalates privileges by gaining access to admin accounts, modifying existing accounts, and creating new ones. The threat actor has loaded .bat files containing scripts to execute privilege escalation and lateral movement actions.

Lateral Movement

Historically, BlackSuit used a few different methods to perform lateral movement. Several cases highlight their use of valid admin accounts to access a domain controller using SMB. The group has also used PsExec to run commands and transfer malicious files. BlackSuit can also perform lateral movement after harvesting credentials stored in LSASS.

Data Exfiltration

BlackSuit also incorporated tools like Cobalt Strike and Gozi into their operations involving data exfiltration. Recently, it used RClone and Brute Ratel to complete the same objective.

Execution

Once executed, the BlackSuit ransomware checks its list of files to encrypt to determine whether those items are in use or blocked. It also runs vssadmin.exe to remove volume shadow copies. Next, the encryption process occurs, and the .blacksuit extension is appended to affected files. The note readme.BlackSuit.txt is left on the infected systems. BlackSuit ransomware is equipped with partial encryption functionality to reduce the time needed to encrypt large files and to evade detection.
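As an added illustration (not part of the original post or Bitdefender's tooling), the three host-side artifacts described above can be turned into simple detection logic. The event format, host names and file paths below are constructed sample telemetry, not real data; the regexes encode only the indicators named on this page: shadow-copy deletion via vssadmin.exe, the .blacksuit extension, and the readme.BlackSuit.txt note.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events in an assumed "<type>|<host>|<path>|<cmdline>" format
# (proc = process creation, file = file creation). Not real telemetry.
SAMPLE_EVENTS = [
    "proc|WS01|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "proc|WS01|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "file|WS01|C:\\Users\\alice\\Documents\\Q3-report.xlsx.blacksuit|",
    "file|WS01|C:\\Users\\alice\\Documents\\readme.BlackSuit.txt|",
    "file|WS02|C:\\Users\\bob\\Desktop\\notes.txt|",
]

# Indicators taken from the Execution section of the post.
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
ENCRYPTED_EXT = re.compile(r"\.blacksuit$", re.IGNORECASE)
RANSOM_NOTE = re.compile(r"(^|[\\/])readme\.blacksuit\.txt$", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    evidence: str


def classify(event: str) -> Optional[Alert]:
    """Return an Alert for one event line, or None if no BlackSuit indicator matches."""
    kind, host, path, cmdline = event.split("|", 3)
    if kind == "proc" and SHADOW_DELETE.search(cmdline):
        return Alert(host, "shadow_copy_deletion", cmdline)
    if kind == "file" and RANSOM_NOTE.search(path):
        return Alert(host, "ransom_note_dropped", path)
    if kind == "file" and ENCRYPTED_EXT.search(path):
        return Alert(host, "blacksuit_extension", path)
    return None


def scan(events: List[str]) -> List[Alert]:
    return [a for a in (classify(e) for e in events) if a is not None]


def hosts_with_multiple_indicators(alerts: List[Alert]) -> List[str]:
    """Hosts where more than one distinct rule fired: a stronger signal than one hit."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) > 1)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] {a.host}: {a.evidence}")
    print("hosts to triage first:", hosts_with_multiple_indicators(found))
```

Shadow-copy deletion on its own is also performed by legitimate backup tooling, so the correlation step (several distinct indicators on the same host) is what lifts this from a noisy single rule to something worth paging on.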

BlackSuit Ransomware Note

The following excerpt captures the contents of a BlackSuit ransomware note:

Good whatever time of day it is!

Your safety service did a really poor job of protecting your files against our professionals.

Extortioner named BlackSuit has attacked your system.

As a result all your essential files were encrypted and saved at a secure server for further use and publishing on the Web into the public realm.

Now we have all your files like: financial reports, intellectual property, accounting, law actions and complaints, personal files and so on and so forth.

We are able to solve this problem in one touch.

We (BlackSuit) are ready to give you an opportunity to get all the things back if you agree to make a deal with us.

You have a chance to get rid of all possible financial, legal, insurance and many others risks and problems for a quite small compensation.

You can have a safety review of your systems.

All your files will be decrypted, your data will be reset, your systems will stay in safe.

Recommendations: Staying Current With Ransomware

The ransomware ecosystem is constantly changing, with threat actors continuously refining their tactics. To mount an effective defense, it's essential for organizations to keep up with the current state of ransomware in 2025, rather than getting overwhelmed by the sum of all information gathered over the last decade. Focusing on methods and strategies that are valid today is key.

Bitdefender offers resources to help you stay informed:
  • Ransomware Whitepaper: Our comprehensive whitepaper provides a current overview of ransomware trends and offers actionable protective measures for 2025.
  • "State of Ransomware" Masterclasses: Participate in our quarterly "State of Ransomware" masterclasses, part of the vendor-agnostic "Cybersecurity Foundations" series, to gain insights directly from industry experts on the developments relevant for 2025.
  • Monthly Ransomware Overview and News: Stay updated with our monthly threat debriefs for the latest news and insights on ransomware.