ICE Washington, D.C. leads international takedown of BlackSuit ransomware infrastructure

WASHINGTON — ICE’s Homeland Security Investigations, in close coordination with U.S. and international law enforcement partners, has successfully dismantled critical infrastructure used by BlackSuit ransomware, a major cybercriminal operation and successor to Royal ransomware, responsible for attacks on essential services around the world. The operation resulted in the seizures of servers, domains and digital assets used to deploy ransomware, extort victims, and launder proceeds.

“Disrupting ransomware infrastructure is not only about taking down servers — it's about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said HSI Cyber Crimes Center Deputy Assistant Director Michael Prado. “This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable.”

Since 2022, the Royal and BlackSuit ransomware groups have compromised over 450 known victims in the United States, including entities in the healthcare, education, public safety, energy and government sectors. Combined, the groups have received more than $370 million in ransom payments, based on present-day valuations of cryptocurrency. The ransomware schemes used double-extortion tactics — encrypting victims’ systems while threatening to leak stolen data to further coerce payment.

“This investigation reflects the full reach of HSI's cyber mission and our commitment to protecting victims — whether they’re small businesses, school systems, or hospitals,” said HSI Washington, D.C. acting Special Agent in Charge Christopher Heck. “We will continue to target the infrastructure, finances and operators behind these ransomware groups to ensure they have nowhere left to hide.”

“The BlackSuit ransomware gang’s persistent targeting of U.S. critical infrastructure represents a serious threat to U.S. public safety,” said Assistant Attorney General for National Security John A. Eisenberg. “The National Security Division is proud to be part of an ongoing team of government agencies and partners working to protect our Nation from threats to our critical infrastructure.”

“Today’s action exemplifies the forward-leaning, disruption-first approach we are taking to address this threat,” said U.S. Attorney for the Eastern District of Virginia Erik S. Siebert. “When it comes to protecting U.S. businesses, critical infrastructure and other victims from ransomware and other cyberthreat actors, we will pull no punches.”

“Too often we see the damage ransomware causes to systems that then allows cybercriminals to wreak havoc on corporations and others,” said U.S. Attorney for the District of Columbia Jeanine Ferris Pirro. “Whether these criminals target law enforcement, other government agencies or private companies, my office and our law enforcement partners stand ready to go toe-to-toe with criminals and make victims whole.”

“This operation strikes a critical blow to BlackSuit’s infrastructure and operations,” said U.S. Secret Service Criminal Investigative Division Special Agent in Charge William Mancino. “The U.S. Secret Service is committed to working alongside our law enforcement partners to dismantle criminal enterprises and prevent the deployment of malicious ransomware that victimizes businesses and organizations.”

“Today's announcement demonstrates IRS Criminal Investigation’s commitment to disrupting the illicit flow of money that enables cyber criminals to illegally launder millions in cryptocurrency,” said Executive Special Agent in Charge Kareem Carter of the IRS-CI Washington field office. “Criminal software like the BlackSuit Ransomware group is deployed to steal, extort victims and launder proceeds of these activities. IRS Criminal Investigation Washington, D.C. Cyber Crimes Unit will continue to work hand-in-hand with our law enforcement partners to leverage all available tools to identify, apprehend and hold accountable these bad actors and put an end to their illicit activity.”

The case is being prosecuted by the U.S. Attorney’s Office for the Eastern District of Virginia, which continues to collaborate with international partners to pursue legal accountability for those involved in the Royal and BlackSuit campaigns. The Department of Justice National Security Division’s National Security Cyber Section, the U.S. Attorney's Office for the District of Columbia, the Justice Department’s Office of International Affairs, HSI The Hague, HSI Frankfurt, HSI London, HSI Bucharest and HSI San Diego also provided valuable assistance to this investigation.

The investigation is supported by HSI’s Cyber Crimes Center, IRS Criminal Investigation’s Cyber Crimes Unit, the FBI, Europol and international law enforcement partners from the United Kingdom's National Crime Agency and Northwest Regional Organized Crime Unit, Germany's Landeskriminalamt Niedersachsen, Ireland's An Garda Síochána-Garda National Cyber Crime Bureau, Ukraine's National Police of Ukraine-Cyberpolice Department, Lithuania's Criminal Police Bureau, France's Office Anti-Cybercriminalité and Canada's Royal Canadian Mounted Police and Delta Police Department. The coordinated takedown was conducted under Operation Checkmate, a Europol Joint Cyber Action Task Force-coordinated initiative specifically targeting the Royal and BlackSuit ransomware groups.