4 days ago
ICE collaborates with Canada, other nations to dismantle notorious ransomware group's ‘critical infrastructure'
The U.S. Justice Department (DOJ) announced Monday that 'critical infrastructure' used by the BlackSuit (Royal) ransomware group has been successfully dismantled.
A successor to the Royal ransomware group, BlackSuit is responsible for targeting more than 450 Americans in healthcare, education, public safety, energy and government sectors, and is linked to several worldwide attacks since 2022.
The co-ordinated takedown, dubbed 'Operation Checkmate,' specifically targeted the Royal and BlackSuit ransomware groups, and was executed by U.S. Immigration and Customs Enforcement's (ICE) under the Department of Homeland Security (DHS), along with the help of international law enforcement agencies from Canada, the U.K., Germany, Ireland, France, Ukraine, and Lithuania, ICE said in a news release.
The operation led to the seizure of four servers, nine domains and approximately US$1 million in laundered proceeds on July 24, in addition to virtual currency estimating around $1,091,453, which was seized around June 21, 2024, according to the DOJ.
The BlackSuit ransomware group and the Royal ransomware group have extorted a combined over $370 million in ransom payments, based on the current value of cryptocurrency, ICE said.
'Disrupting ransomware infrastructure is not only about taking down servers — it's about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,' Michael Prado, deputy assistant director for Homeland Security Investigation's (HSI) Cyber Crimes Center (C3) said.
The groups used 'double-extortion tactics' by first encrypting the victims' operating systems, while threatening to leak stolen personal data to coerce them into paying.
'This operation strikes a critical blow to BlackSuit's infrastructure and operations,' William Mancino, special agent in charge of the U.S. Secret Service's Criminal Investigative Division, stated in the news release.
Royal victims are typically required to pay ransoms in cryptocurrency by accessing a darknet website, the news release said.
According to the DOJ, one of the victims paid a ransom of 49.3120227 bitcoin on around April 4, 2023 – worth $1,445,454.86 at the time of the transaction, to decrypt their data. A part of that ransom was repeatedly deposited and withdrawn through a virtual currency account, which led to the funds being frozen around Jan. 9, 2024.
The U.S. Attorney's Office for the Eastern District of Virginia continues to collaborate with international law agencies while they prosecute the case.
Earlier in 2024, law agencies from around the world including the Federal Bureau of Investigation (FBI), Europol and the U.K.'s National Crime Agency worked together to dismantle a dark website connected to the Lockbit ransomware group which had extorted over $120 million in ransom from over 2,000 victims, globally. Dubbed 'Operation Cronos,' the joint venture was part of an international drive to disrupt major cybercrime operations around the world.
