BlackSuit ransomware crew loses servers, domains, and $1m in global shakedown – Source: go.theregister.com

Source: go.theregister.com – Author: Carly Page

In a display of bureaucratic bravado, US law enforcement agencies say they’ve “disrupted” the BlackSuit ransomware gang (also known as Royal), freeing millions of dollars in virtual currency from its clutches.

On July 24, the US Department of Homeland Security Investigations (HSI) – with help from the FBI, Secret Service, and the IRS – seized four servers and nine domains tied to BlackSuit’s ransomware infrastructure and froze $1,091,453 in virtual currency, the kind of loot one might accrue after shaking down hospitals, schools, energy firms, and government bodies for ransom.

The US Department of Justice unsealed the seizure warrant on August 11 and said that the bust had help from cyber-plods in the UK, Germany, Ireland, France, Canada, Ukraine, and Lithuania.

The UK’s National Cyber Security Centre did not immediately respond to The Register’s questions.

The Monday announcement comes weeks after we reported on the seizure of BlackSuit’s dark web leak site, which currently displays a message stating that it was taken down as part of “Operation Checkmate.” It also comes after authorities in Germany boasted that they had been involved in the seizure of the gang’s servers and systems, snagging “considerable amounts of data” that they say will be used to help identify members of the BlackSuit crew.

Despite all the chest-thumping, not a single BlackSuit bod is in cuffs. Cops won’t say if they’ve even put names to the masks, let alone hauled anyone in – a reminder that chasing ransomware crews across borders, especially from countries that won’t extradite, is a game stacked in the crooks’ favour.

Russia-linked BlackSuit, also known as Royal, was targeted by US law enforcement for “persistent targeting of US critical infrastructure”, according to the DOJ. Since its debut, the group has racked up more than 450 known victims in the US, including schools, hospitals, organizations within the energy sector, and government entities, to the tune of roughly $370 million in ransom payments.

A notable BlackSuit victim is plasma collection organization Octapharma, which was forced to temporarily shutter almost 200 blood plasma collection centers after being targeted by the gang. The crew was also linked to a cyberattack on car software flogger CDK Global, which reportedly bowed to the hackers’ $25 million ransom demand.

Although the US claims to have decimated BlackSuit’s infrastructure, security researchers believe that hackers from the gang are already operating under a new name: Chaos ransomware.

According to a Cisco Talos blog post published on the same day as the global shakedown, the new ransomware-as-a-service operation has been active since February, targeting organizations with similar “big-game hunting and double extortion attacks.”

The gang’s dark web leak site, seen by The Register, is already flaunting 20 victims, though the majority have not yet been named.

“The new group is likely former members of the BlackSuit (Royal) gang, based on similarities in the ransomware’s encryption methodology, ransom note structure, and the toolset used in the attacks,” Cisco Talos researchers said.®

Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/08/12/blacksuit_ransomware_crew_loses_servers/
