A coordinated international law enforcement effort has successfully dismantled the infrastructure of the notorious BlackSuit ransomware gang, according to German prosecutors. The operation, conducted on July 24, involved both U.S. and European authorities and resulted in the seizure of the gang’s servers and systems.
German officials announced that the takedown yielded a significant amount of data, which is expected to aid in identifying those behind the cyberattacks. As part of the operation, law enforcement shut down BlackSuit’s servers, effectively disabling the malware and halting the gang’s operations.
BlackSuit, previously known as Royal, has been linked to at least 184 ransomware victims globally, including multiple organizations in Germany. The group has carried out major cyberattacks in recent years, targeting U.S. cities like Dallas and sectors such as healthcare, manufacturing, and communications.
The gang’s dark web leak site, previously used to publish stolen data and pressure victims into paying ransoms, now displays a seizure notice confirming that it was taken down as part of a joint law enforcement action. The operation involved Germany’s federal authorities, ICE’s Homeland Security Investigations unit, and Europol. While ICE has not commented, reports suggest U.S. authorities disclosed the takedown earlier this week.
It remains unclear whether any arrests were made during the operation. However, officials confirmed that the seized data could be instrumental in pursuing further actions against the cybercriminals.
Cybersecurity experts note that ransomware groups like BlackSuit frequently rebrand or form new entities to evade sanctions and continue their operations. In 2024, the U.S. cybersecurity agency CISA had warned of BlackSuit emerging from Royal. More recently, a new group called Chaos is believed to consist of former BlackSuit members, highlighting the ongoing cat-and-mouse game between cybercriminals and authorities.