Government entities: BlackSuit Ransomware Takes an Infrastructure Hit From Law Enforcement

BlackSuit Ransomware Infrastructure Disrupted in Coordinated Global Takedown

On July 24, 2026, a multinational law enforcement operation led by the U.S. Department of Homeland Security’s Homeland Security Investigations (HSI) dismantled key infrastructure tied to the BlackSuit (Royal) ransomware group, a persistent threat targeting critical U.S. sectors since 2022. The effort, which included the FBI, U.S. Secret Service, IRS Criminal Investigation (IRS-CI), and international partners from the UK, Germany, Ireland, France, Canada, Ukraine, and Lithuania, resulted in the seizure of four servers, nine domains, and over $1 million in cryptocurrency.

BlackSuit, known for its high-impact attacks, has compromised more than 450 U.S. victims, including schools, hospitals, energy providers, and government entities. The group’s operations have drawn scrutiny for their direct threat to public safety and critical infrastructure.

While officials hailed the takedown as a significant step in disrupting ransomware operations, cybersecurity experts cautioned that the impact may be temporary. Craig Jones, Chief Security Officer at Ontinue, noted that without arrests, the group’s operators retain the skills, funding, and infrastructure to reemerge under a new identity, a pattern observed with other ransomware crews.

The operation reflects a proactive, disruption-first approach by U.S. agencies, with officials emphasizing that accountability for cybercriminals remains a priority. Deputy Assistant Director Michael Prado of HSI’s Cyber Crimes Center (C3) underscored the need to dismantle the entire ecosystem enabling ransomware, while U.S. Attorney Erik S. Siebert reaffirmed law enforcement’s commitment to aggressive action against such threats.

Though the takedown neutralized only a portion of BlackSuit’s infrastructure, it marks a broader effort to curb ransomware’s global reach. Authorities continue to pursue further measures to hold operators accountable and prevent future resurgences.

Source: https://www.darkreading.com/vulnerabilities-threats/blacksuit-ransomware-infrastructure-law-enforcement

Government entities TPRM report: https://www.rankiteo.com/company/us-department-of-homeland-security

"id": "us-1771976815",
"linkid": "us-department-of-homeland-security",
"type": "Ransomware",
"date": "7/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': 'Education',
                        'location': 'U.S.',
                        'type': 'Schools'},
                       {'industry': 'Healthcare',
                        'location': 'U.S.',
                        'type': 'Hospitals'},
                       {'industry': 'Energy',
                        'location': 'U.S.',
                        'type': 'Energy providers'},
                       {'industry': 'Government',
                        'location': 'U.S.',
                        'type': 'Government entities'}],
 'data_breach': {'data_encryption': 'Yes'},
 'date_publicly_disclosed': '2026-07-24',
 'description': 'On July 24, 2026, a multinational law enforcement operation '
                'led by the U.S. Department of Homeland Security’s Homeland '
                'Security Investigations (HSI) dismantled key infrastructure '
                'tied to the BlackSuit (Royal) ransomware group, a persistent '
                'threat targeting critical U.S. sectors since 2022. The effort '
                'resulted in the seizure of four servers, nine domains, and '
                'over $1 million in cryptocurrency. BlackSuit has compromised '
                'more than 450 U.S. victims, including schools, hospitals, '
                'energy providers, and government entities.',
 'impact': {'financial_loss': '$1 million in cryptocurrency seized',
            'operational_impact': 'Disruption to critical U.S. sectors '
                                  'including schools, hospitals, energy '
                                  'providers, and government entities'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Disruption of ransomware infrastructure may be temporary '
                    'without arrests; operators may reemerge under a new '
                    'identity.',
 'motivation': 'Financial gain',
 'ransomware': {'data_encryption': 'Yes',
                'ransomware_strain': 'BlackSuit (Royal)'},
 'recommendations': 'Dismantle the entire ecosystem enabling ransomware; '
                    'pursue further measures to hold operators accountable and '
                    'prevent future resurgences.',
 'references': [{'source': 'U.S. Department of Homeland Security’s Homeland '
                           'Security Investigations (HSI)'},
                {'source': 'Craig Jones, Chief Security Officer at Ontinue'},
                {'source': 'Deputy Assistant Director Michael Prado of HSI’s '
                           'Cyber Crimes Center (C3)'},
                {'source': 'U.S. Attorney Erik S. Siebert'}],
 'response': {'containment_measures': 'Seizure of four servers, nine domains, '
                                      'and over $1 million in cryptocurrency',
              'law_enforcement_notified': 'Yes'},
 'stakeholder_advisories': 'Law enforcement emphasizes the need to dismantle '
                           'the entire ecosystem enabling ransomware and '
                           'pursue further measures to hold operators '
                           'accountable.',
 'threat_actor': 'BlackSuit (Royal) ransomware group',
 'title': 'BlackSuit Ransomware Infrastructure Disrupted in Coordinated Global '
          'Takedown',
 'type': 'Ransomware'}