INC Ransomware, Conti and Royal: BlackSuit, Royal ransomware group hit over 450 US victims before last month’s takedown

BlackSuit Ransomware Group Dismantled After Extorting $370M from 450+ U.S. Victims

A globally coordinated law enforcement operation has dismantled the infrastructure of BlackSuit, a Russian-linked ransomware group responsible for extorting over $370 million from more than 450 U.S. victims since 2022. The takedown, led by Homeland Security Investigations (HSI) and international partners, targeted the group’s servers, domains, and tools used for ransomware deployment, extortion, and money laundering.

BlackSuit, which evolved from the Conti ransomware collective after its 2022 breakup, primarily targeted healthcare, education, public safety, energy, and government sectors. German officials identified 184 BlackSuit victims, while U.S. agencies reported the group’s extortion demands exceeded $500 million by August 2024. The majority of its victims were based in the U.S., prompting warnings from officials about threats to critical infrastructure.

The group’s leak site was seized on July 24, though U.S. authorities delayed public confirmation for two weeks. While the takedown disrupted BlackSuit’s operations, cybersecurity researchers note its impact may be limited, as affiliates had already shifted to INC ransomware and abandoned the BlackSuit brand before the operation.

BlackSuit’s origins trace back to Conti’s dissolution, with former members rebranding under subgroups like Zeon, Black Basta, and Quantum before settling on Royal and later BlackSuit in 2024. Despite its high-profile attacks, the group’s activity had declined since December 2023 ahead of the takedown.

Source: https://cyberscoop.com/blacksuit-royal-ransomware-450-us-victims/

ransomware.live cybersecurity rating report: https://www.rankiteo.com/company/ransomwarelive

Conti LLC cybersecurity rating report: https://www.rankiteo.com/company/conti_corporation

Royal Media Partners cybersecurity rating report: https://www.rankiteo.com/company/royal-media-partners

"id": "RANCONROY1768390960",
"linkid": "ransomwarelive, conti_corporation, royal-media-partners",
"type": "Ransomware",
"date": "8/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Healthcare',
                        'location': 'United States',
                        'type': 'Healthcare'},
                       {'industry': 'Education',
                        'location': 'United States',
                        'type': 'Education'},
                       {'industry': 'Public Safety',
                        'location': 'United States',
                        'type': 'Public Safety'},
                       {'industry': 'Energy',
                        'location': 'United States',
                        'type': 'Energy'},
                       {'industry': 'Government',
                        'location': 'United States',
                        'type': 'Government'}],
 'data_breach': {'data_encryption': 'Yes'},
 'date_publicly_disclosed': '2024-08-08',
 'date_resolved': '2024-07-24',
 'description': 'The Russian cybercrime group behind BlackSuit and Royal '
                'ransomware was prolific in extorting payments from victims '
                'across multiple sectors. Their infrastructure was seized and '
                'dismantled in a globally coordinated takedown operation.',
 'impact': {'financial_loss': '$370 million in ransom payments'},
 'investigation_status': 'Disrupted',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'corrective_actions': 'Dismantling of technical '
                                                  'infrastructure and '
                                                  'ecosystem',
                            'root_causes': 'Rebranding from Conti ransomware '
                                           'group after internal leaks'},
 'ransomware': {'data_encryption': 'Yes',
                'ransom_demanded': 'Over $500 million (total extortion demands '
                                   'by August 2024)',
                'ransom_paid': '$370 million',
                'ransomware_strain': ['BlackSuit', 'Royal']},
 'references': [{'date_accessed': '2024-08-08',
                 'source': 'Homeland Security Investigations (HSI)'},
                {'date_accessed': '2024-08-08',
                 'source': 'Cybersecurity and Infrastructure Security Agency '
                           '(CISA)'},
                {'date_accessed': '2024-08-08', 'source': 'CyberScoop'}],
 'response': {'containment_measures': 'Seizure and dismantling of technical '
                                      'infrastructure (servers, domains, '
                                      'tools)',
              'law_enforcement_notified': 'Yes'},
 'threat_actor': 'BlackSuit (formerly Royal, Quantum, Conti)',
 'title': 'BlackSuit and Royal Ransomware Operations Disrupted',
 'type': 'Ransomware'}