Washington, DC – Homeland Security Investigations (HSI) in Washington, working with U.S. and international law enforcement, has dismantled key infrastructure tied to BlackSuit ransomware — a successor to the Royal ransomware group — which has targeted hundreds of organizations worldwide.
The operation, part of Europol’s “Operation Checkmate,” seized servers, domains, and digital assets used to deploy ransomware, extort victims, and launder illicit proceeds. Authorities say the BlackSuit and Royal groups have hit over 450 known U.S. victims since 2022, collecting more than $370 million in cryptocurrency ransoms. Victims have included hospitals, schools, government agencies, and energy providers.
The ransomware campaigns used double-extortion tactics — locking victims out of systems while threatening to release stolen data unless paid. Investigators traced and disrupted the group’s financial networks as part of the takedown, with assistance from agencies in the United Kingdom, Germany, Ireland, Ukraine, Lithuania, France, and Canada, along with Europol.
The case is being prosecuted by the U.S. Attorney’s Office for the Eastern District of Virginia, with support from the Justice Department’s National Security Division and the U.S. Attorney’s Office for the District of Columbia.
––
Key Points
- HSI Washington and partners dismantled BlackSuit ransomware infrastructure in global operation
- Group linked to over $370 million in ransom payments from 450+ U.S. victims
- Takedown involved Europol and law enforcement agencies from eight countries
