An unnamed organization, likely operating in a critical sector such as healthcare, education, government, energy, or public safety, fell victim to a BlackSuit ransomware attack in early 2023. The attack compelled the victim to pay a 49.3 Bitcoin ransom (≈$1.445M at the time) on April 4, 2023, in exchange for a decryptor to restore encrypted systems. The U.S. Department of Justice later seized $1.09M of the ransom (tracked through obfuscated crypto transactions) in January 2024, linking it to BlackSuit's operations. The group, also behind Royal, Quantum, and Chaos ransomware, has executed 450+ attacks in the U.S., extracting $370M+ in ransoms collectively. The victim's data was likely fully compromised, given the ransomware's modus operandi of exfiltrating sensitive information before encryption. The attack's disruption extended beyond financial loss, potentially halting operations, exposing proprietary/customer data, or threatening public safety, aligning with BlackSuit's history of targeting high-impact sectors. Law enforcement's seizure of dark web extortion portals (Operation Checkmate) and crypto assets underscores the attack's severity and the group's persistent threat to national infrastructure.
TPRM report: https://www.rankiteo.com/company/nyc-office-of-chief-medical-examiner
{
"id": "nyc947081425",
"linkid": "nyc-office-of-chief-medical-examiner",
"type": "Ransomware",
"date": "4/2023",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization's existence: - Attack in which the personal and financial information is compromised - Attack in which company data exposes - Attack which create outage - Attack by criminal hackers - Attack in which company is requested to pay a ransom or ransomware involved"
}
{'affected_entities': [{'name': 'Unnamed Victim (April 2023 ransom payment)'},
{'industry': ['healthcare',
'education',
'government',
'energy',
'public safety'],
'location': 'United States',
'name': '450+ U.S. Organizations (BlackSuit/Royal '
'targets)',
'type': ['private companies',
'government agencies',
'educational institutions',
'healthcare providers',
'energy sector',
'public safety entities']}],
'attack_vector': ['ransomware deployment',
'cryptocurrency obfuscation via virtual exchanges'],
'data_breach': {'data_encryption': ['ransomware encryption (decryptor '
'provided after ransom payment)']},
'date_publicly_disclosed': '2024-07-28',
'description': 'The U.S. Department of Justice (DoJ) seized cryptocurrency '
'and digital assets worth $1,091,453 (at the time of '
'confiscation) from the BlackSuit ransomware gang on January '
'9, 2024. The funds were part of a ransom payment of 49.3 '
'Bitcoin (~$1,445,000 at the time) made by an unnamed victim '
'on April 4, 2023. The seizure followed evidence collection by '
"the U.S. Attorney's Office for the Eastern District of "
"Virginia (June 21, 2024) and was part of 'Operation "
"Checkmate,' an international law enforcement action that also "
"disrupted BlackSuit's dark web extortion portals. The "
'gang linked to Royal, Quantum, and Chaos ransomware has '
'conducted over 450 attacks in the U.S. (healthcare, '
'education, government, energy, and public safety sectors), '
'extorting over $370 million in ransom payments. Additionally, '
'the FBI seized 20 Bitcoins (~$2.4 million) from a Chaos '
'ransomware member on July 28, 2024.',
'impact': {'financial_loss': '$370,000,000+ (total ransom payments across '
'BlackSuit/Royal/Quantum/Chaos)',
'legal_liabilities': ['civil forfeiture complaint filed by DoJ for '
'seized 20 Bitcoins'],
'operational_impact': "disruption of BlackSuit's dark web "
'extortion portals; seizure of $1,091,453 '
'(January 2024) and $2,400,000 (July 2024) '
'in cryptocurrency'},
'initial_access_broker': {'high_value_targets': ['healthcare',
'education',
'government',
'energy',
'public safety sectors']},
'investigation_status': 'ongoing (civil forfeiture proceedings; international '
'law enforcement collaboration)',
'lessons_learned': 'Seizure of crime proceeds is critical to disrupting '
'ransomware operations, as operators often remain at large '
'and reuse funds to rebuild infrastructure. International '
"coordination (e.g., 'Operation Checkmate') enhances "
'effectiveness in targeting cybercriminal ecosystems.',
'motivation': 'financial gain',
'post_incident_analysis': {'corrective_actions': ['seizure of dark web '
'portals',
'cryptocurrency asset '
'freezing',
'international task forces '
"(e.g., 'Operation "
"Checkmate')",
'public awareness campaigns '
'on ransomware risks'],
'root_causes': ['ransomware-as-a-service (RaaS) '
'model enabling widespread attacks',
'use of cryptocurrency for '
'anonymized payments',
'lack of global law enforcement '
"coordination (prior to 'Operation "
"Checkmate')"]},
'ransomware': {'data_encryption': True,
'ransom_demanded': '49.3 Bitcoin (~$1,445,000 at the time of '
'payment in April 2023)',
'ransom_paid': '49.3 Bitcoin (~$1,445,000)',
'ransomware_strain': ['BlackSuit',
'Royal',
'Quantum',
'Chaos']},
'recommendations': ['Enhance cryptocurrency tracing capabilities to track '
'ransom payments.',
'Strengthen public-private partnerships with virtual '
'currency exchanges to freeze illicit funds.',
'Expand law enforcement operations to target ransomware '
'affiliates and infrastructure.',
'Encourage victims to report ransomware attacks to '
'facilitate asset recovery.'],
'references': [{'source': 'U.S. Department of Justice Press Release'},
{'source': 'Homeland Security Investigations (HSI) Statement'},
{'source': 'FBI Dallas Announcement (July 28, 2024)'}],
'regulatory_compliance': {'legal_actions': ['civil forfeiture complaint for '
'20 Bitcoins (~$2.4M) seized from '
'Chaos ransomware member']},
'response': {'communication_strategy': ['press releases by DoJ, HSI, and FBI '
'Dallas'],
'containment_measures': ['seizure of dark web extortion portals',
'freezing of cryptocurrency assets'],
'enhanced_monitoring': ['tracking cryptocurrency movements '
'across virtual exchanges'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'remediation_measures': ['disruption of ransomware operations '
"via 'Operation Checkmate'"],
'third_party_assistance': ['cooperating cryptocurrency '
'exchanges']},
'threat_actor': ['BlackSuit ransomware gang',
'Royal ransomware group',
'Quantum ransomware group',
'Chaos ransomware group'],
'title': 'U.S. Department of Justice Seizes Cryptocurrency from BlackSuit '
"Ransomware Gang in 'Operation Checkmate'",
'type': ['ransomware', 'cryptocurrency seizure', 'law enforcement operation']}