BlackSuit Ransomware Group Transitioning to ‘Chaos’ Amid Leak Site Seizure – Source: www.securityweek.com

Source: www.securityweek.com – Author: Ionut Arghire

The BlackSuit ransomware group’s Tor-based leak site has been seized by law enforcement as part of an international operation.

Active since 2023 and operating as a private group, BlackSuit was a rebrand of the Royal ransomware, as cybersecurity firms and US government agencies announced last year.

Now displaying a splash screen informing visitors that it has been seized by law enforcement as part of Operation Checkmate, BlackSuit’s extortion site had roughly 200 victims listed as of July 2025. Royal had hit over 350 organizations by November 2023.

The BlackSuit ransomware gang targeted organizations across numerous industries, including education, government, healthcare, IT, manufacturing, and retail, stealing their data before encrypting it so the stolen data could be used for extortion.

BlackSuit was seen targeting both Windows and Linux systems, manipulating VMware ESXi servers, encrypting files across reachable drives at a fast pace, attempting to prevent file recovery, and deploying ransom notes that instructed victims to contact the group via its Tor-based site.

Focusing on large enterprises and small to medium-sized businesses (SMBs), the group had demanded over $500 million in total ransom payments by August 2024, CISA and the FBI said. Individual ransom demands ranged between $1 million and $60 million.

Just as BlackSuit’s leak site was seized, Cisco Talos published an analysis of Chaos ransomware, which first appeared in early 2025, noting that it is likely the new face of BlackSuit.

“Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of the BlackSuit (Royal) ransomware or operated by some of its former members,” the security firm notes.

According to Talos, Chaos’ encryption commands resemble BlackSuit’s, the theme and structure of its ransom notes are similar, and so is its use of living-off-the-land binaries and remote management tools in attacks.

During attacks, Talos explains, Chaos operators pass specific configuration parameters to the encryption process so that the ransomware selectively encrypts local and network resources, a technique that both Royal and BlackSuit also relied on.

Law enforcement agencies in Germany, Lithuania, the Netherlands, the US, the UK, and Ukraine, along with Europol and private cybersecurity firms, participated in Operation Checkmate.

Original Post URL: https://www.securityweek.com/blacksuit-ransomware-group-transitioning-to-chaos-amid-leak-site-seizure/

Category & Tags: Ransomware, Tracking & Law Enforcement, BlackSuit, Chaos, Featured, law enforcement, seized, takedown
