Justice Department targets BlackSuit ransomware group with server takedowns

Erik S. Siebert U.S. Attorney for the Eastern District of Virginia | Official website

The Justice Department has announced coordinated actions against the BlackSuit (Royal) Ransomware group, including the takedown of four servers and nine domains on July 24. The operation involved multiple U.S. agencies such as Homeland Security Investigations (HSI), the U.S. Secret Service, IRS Criminal Investigation (IRS-CI), and the FBI, as well as law enforcement partners from the United Kingdom, Germany, Ireland, France, Canada, Ukraine, and Lithuania. Authorities also unsealed a warrant for the seizure of virtual currency valued at $1,091,453.

"This action exemplifies the forward-leaning, disruption-first approach we are taking to address this threat," said Erik S. Siebert, U.S. Attorney for the Eastern District of Virginia. "When it comes to protecting U.S. businesses, critical infrastructure, and other victims from ransomware and other cyberthreat actors, we will pull no punches."

Assistant Attorney General for National Security John A. Eisenberg commented on the persistent targeting by BlackSuit: “The BlackSuit ransomware gang’s persistent targeting of U.S. critical infrastructure represents a serious threat to U.S. public safety,” he said. “The National Security Division is proud to be part of an ongoing team of government agencies and partners working to protect our Nation from threats to our critical infrastructure.”

U.S. Attorney Jeanine Ferris Pirro for the District of Columbia added: “Too often we see the damage ransomware causes to systems that then allows cybercriminals to wreak havoc on corporations and others,” she said. “Whether these criminals target law enforcement, other government agencies, or private companies, my office and our law enforcement partners stand ready to go toe-to-toe with criminals and make victims whole.”

Michael Prado of HSI’s Cyber Crimes Center (C3) emphasized international cooperation: “Disrupting ransomware infrastructure is not only about taking down servers—it's about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” he said. “This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable.”

Christopher Heck of HSI Washington, D.C., stated: “This investigation reflects the full reach of HSI Washington, D.C.’s cyber mission and our commitment to defending victims—whether they’re small businesses, school systems, or hospitals,” he said. “We will continue to target the infrastructure, finances, and operators behind these ransomware groups to ensure they have nowhere left to hide.”

Special Agent in Charge William Mancino from the U.S. Secret Service noted: “This operation strikes a critical blow to BlackSuit’s infrastructure and operations,” he said. “The U.S. Secret Service is committed to working alongside our law enforcement partners to dismantle criminal enterprises and prevent the deployment of malicious ransomware that victimizes businesses and organizations.”

Executive Special Agent in Charge Kareem Carter from IRS-CI highlighted financial aspects: “This announcement demonstrates IRS Criminal Investigation’s commitment to disrupting the illicit flow of money that enables cyber criminals to illegally launder millions in cryptocurrency,” Carter said.

Through international cooperation among several countries’ law enforcement agencies, authorities seized servers used by the BlackSuit ransomware group, as well as digital assets used for deploying attacks and laundering proceeds.

A previous joint advisory by the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) detailed how BlackSuit targeted various sectors, such as manufacturing facilities, government entities, healthcare providers, public health organizations, and commercial sites. The advisory also described attack methods and provided guidance for defense measures (https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a).

Ransom payments were typically demanded in Bitcoin via darknet websites. For example, on April 4, 2023, one victim paid nearly $1.45 million worth of Bitcoin for data decryption, with much of those funds later frozen by a virtual currency exchange.

Investigators include multiple federal agencies along with counterparts in Europe and North America.

Prosecution is led by Assistant U.S. Attorneys Laura D. Withers (Eastern District of Virginia) and Rick Blaylock Jr. (District of Columbia), and Trial Attorney Jacques Singer-Emery (National Security Division).

A copy of this press release can be found on the website of the U.S. Attorney’s Office for the Eastern District of Virginia.