Hundreds of significant businesses targeted by BlackSuit and Royal ransomware groups, according to the US government, prior to their dismantling.
The BlackSuit ransomware group, a successor to the notorious Royal gang, has suffered a significant setback following a coordinated international law enforcement operation in late July 2025.
This operation, dubbed "Operation Checkmate", led by U.S. agencies such as the Department of Justice (DoJ), ICE Homeland Security Investigations (HSI), the FBI, the U.S. Secret Service, IRS Criminal Investigation, along with international partners from the UK, Germany, Ireland, France, Canada, Ukraine, and Lithuania, targeted and dismantled BlackSuit's infrastructure.
The takedown resulted in the seizure of four servers, nine domains, and over $1 million in cryptocurrency assets linked to BlackSuit’s ransomware activities. A warrant was unsealed for the seizure of approximately 43 bitcoins (valued at around $1.1 million at the time of seizure), originating from ransom payments made by victims in 2023.
BlackSuit, first spotted in May 2023 according to a US Department of Health and Human Services report, targeted critical sectors such as healthcare, education, public safety, energy, and government. The group used double-extortion tactics, encrypting victims' systems and threatening to leak their stolen data to force payment.
Though this operation has dismantled significant parts of BlackSuit’s infrastructure, officials note that it likely has not completely stopped ransomware attacks by the group or related successor entities. The disruption-first approach is intended to hamper the ransomware ecosystem supporting BlackSuit, making it harder for the criminals to operate with impunity.
William Mancino, Special Agent in Charge of the US Secret Service Criminal Investigative Division, stated that "Operation Checkmate" struck a critical blow to BlackSuit's infrastructure and operations. However, no arrests were made in connection with the dismantling of BlackSuit.
The U.S. Secret Service, along with its law enforcement partners, is committed to working tirelessly to dismantle criminal enterprises and prevent the deployment of malicious ransomware. Despite the disruption, the threat actors behind BlackSuit are expected to return sooner rather than later, posing ongoing challenges in the rapidly evolving cyber threat landscape.
Sources:
[1] Department of Justice (2025). "Press Release: BlackSuit Ransomware Group Disrupted in International Law Enforcement Operation". [Link]
[2] Federal Bureau of Investigation (2025). "Press Release: BlackSuit Ransomware Group Disrupted in International Law Enforcement Operation". [Link]
[3] Homeland Security Investigations (2025). "Press Release: BlackSuit Ransomware Group Disrupted in International Law Enforcement Operation". [Link]
[4] Secret Service (2025). "Press Release: BlackSuit Ransomware Group Disrupted in International Law Enforcement Operation". [Link]
- The international law enforcement operation, Operation Checkmate, successfully disrupted the BlackSuit ransomware group's cybersecurity activities, demonstrating the importance of technology in combating such threats.
- The BlackSuit ransomware group, despite suffering significant setbacks following Operation Checkmate, is anticipated to return due to the rapidly evolving cyber threat landscape, underlining the need for continual advancements in technology and cybersecurity.
