ICE’s Homeland Security Investigations (HSI), in collaboration with U.S. and international law enforcement agencies, has dismantled infrastructure used by the BlackSuit ransomware group. The operation targeted servers, domains, and digital assets involved in deploying ransomware attacks, extorting victims, and laundering illicit proceeds.
“Disrupting ransomware infrastructure is not only about taking down servers — it's about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said HSI Cyber Crimes Center Deputy Assistant Director Michael Prado. “This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable.”
Authorities report that since 2022, Royal and BlackSuit ransomware groups have attacked more than 450 known targets in the United States across sectors such as healthcare, education, public safety, energy, and government. These groups are believed to have collected over $370 million in ransom payments through tactics that include encrypting systems and threatening to leak stolen data.
“This investigation reflects the full reach of HSI's cyber mission and our commitment to protecting victims — whether they’re small businesses, school systems, or hospitals,” said HSI Washington, D.C. acting Special Agent in Charge Christopher Heck. “We will continue to target the infrastructure, finances and operators behind these ransomware groups to ensure they have nowhere left to hide.”
Assistant Attorney General for National Security John A. Eisenberg noted: “The BlackSuit ransomware gang’s persistent targeting of U.S. critical infrastructure represents a serious threat to U.S. public safety. The National Security Division is proud to be part of an ongoing team of government agencies and partners working to protect our Nation from threats to our critical infrastructure.”
U.S. Attorney for the Eastern District of Virginia Erik S. Siebert added: “Today’s action exemplifies the forward-leaning, disruption-first approach we are taking to address this threat. When it comes to protecting U.S. businesses, critical infrastructure and other victims from ransomware and other cyberthreat actors, we will pull no punches.”
U.S. Attorney for the District of Columbia Jeanine Ferris Pirro commented: “Too often we see the damage ransomware causes to systems that then allows cybercriminals to wreak havoc on corporations and others. Whether these criminals target law enforcement, other government agencies or private companies, my office and our law enforcement partners stand ready to go toe-to-toe with criminals and make victims whole.”
U.S. Secret Service Criminal Investigative Division Special Agent in Charge William Mancino stated: “This operation strikes a critical blow to BlackSuit’s infrastructure and operations. The U.S. Secret Service is committed to working alongside our law enforcement partners to dismantle criminal enterprises and prevent the deployment of malicious ransomware that victimizes businesses and organizations.”
Executive Special Agent in Charge Kareem Carter of IRS-CI Washington field office said: “Today's announcement demonstrates IRS Criminal Investigation’s commitment to disrupting the illicit flow of money that enables cyber criminals to illegally launder millions in cryptocurrency... IRS Criminal Investigation Washington, D.C. Cyber Crimes Unit will continue ...to identify, apprehend and hold accountable these bad actors...”
The prosecution is being led by the U.S. Attorney’s Office for the Eastern District of Virginia with continued cooperation among multiple national offices including Justice Department units focused on national security cybercrime as well as regional offices abroad such as HSI branches in Europe.
International partners played a significant role through coordinated efforts involving Europol’s Joint Cyber Action Task Force under Operation Checkmate—a campaign specifically aimed at disrupting Royal and BlackSuit operations—with participation from agencies such as UK’s National Crime Agency; Germany's Landeskriminalamt Niedersachsen; Ireland's Garda National Cyber Crime Bureau; Ukraine's National Police-Cyberpolice Department; Lithuania's Criminal Police Bureau; France's Office Anti-Cybercriminalité; Canada's Royal Canadian Mounted Police; Delta Police Department; along with FBI involvement.
The joint effort highlights growing global cooperation against major cybercrime threats like ransomware.
