ICE Washington, D.C. leads international takedown of BlackSuit ransomware infrastructure

WASHINGTON — ICE’s Homeland Security Investigations, in close coordination with U.S. and international law enforcement partners, has successfully dismantled critical infrastructure used by BlackSuit ransomware, a major cybercriminal operation and successor to Royal ransomware, responsible for attacks on essential services around the world. The operation resulted in the seizures of servers, domains and digital assets used to deploy ransomware, extort victims, and launder proceeds.

“Disrupting ransomware infrastructure is not only about taking down servers — it's about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said HSI Cyber Crimes Center Deputy Assistant Director Michael Prado. “This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable.”

Since 2022, the Royal and BlackSuit ransomware groups have compromised over 450 known victims in the United States, including entities in the healthcare, education, public safety, energy and government sectors. Combined, the groups have received more than $370 million in ransom payments, based on present-day valuations of cryptocurrency. The ransomware schemes used double-extortion tactics — encrypting victims’ systems while threatening to leak stolen data to further coerce payment.

“This investigation reflects the full reach of HSI's cyber mission and our commitment to protecting victims — whether they’re small businesses, school systems, or hospitals,” said HSI Washington, D.C. acting Special Agent in Charge Christopher Heck. “We will continue to target the infrastructure, finances and operators behind these ransomware groups to ensure they have nowhere left to hide.”

The case is being prosecuted by the U.S. Attorney’s Office for the Eastern District of Virginia, which continues to collaborate with international partners to pursue legal accountability for those involved in the Royal and BlackSuit campaigns. The Department of Justice National Security Division’s National Security Cyber Section, the U.S. Attorney's Office for the District of Columbia, the Justice Department’s Office of International Affairs, HSI The Hague, HSI Frankfurt, HSI London, HSI Bucharest and HSI San Diego also provided valuable assistance to this investigation.

The investigation is supported by HSI’s Cyber Crimes Center, IRS Criminal Investigation’s Cyber Crimes Unit, the FBI, Europol and international law enforcement partners from the United Kingdom's National Crime Agency and Northwest Regional Organized Crime Unit, Germany's Landeskriminalamt Niedersachsen, Ireland's An Garda Síochána-Garda National Cyber Crime Bureau, Ukraine's National Police of Ukraine-Cyberpolice Department, Lithuania's Criminal Police Bureau, France's Office Anti-Cybercriminalité and Canada's Royal Canadian Mounted Police and Delta Police Department. The coordinated takedown was conducted under Operation Checkmate, a Europol Joint Cyber Action Task Force-coordinated initiative specifically targeting the Royal and BlackSuit ransomware groups.