The Justice Department has announced coordinated actions targeting the BlackSuit (Royal) Ransomware group, including the takedown of four servers and nine domains on July 24. The operation involved several U.S. agencies—Homeland Security Investigations (HSI), the U.S. Secret Service, IRS Criminal Investigation (IRS-CI), and the FBI—as well as law enforcement partners from the United Kingdom, Germany, Ireland, France, Canada, Ukraine, and Lithuania.
Authorities also unsealed a warrant for the seizure of virtual currency valued at $1,091,453 at the time of confiscation. The announcement was made jointly by the U.S. Attorney’s Office for the Eastern District of Virginia and the U.S. Attorney for the District of Columbia.
“Too often we see the damage ransomware causes to systems that then allows cybercriminals to wreak havoc on corporations and others,” said U.S. Attorney Jeanine Ferris Pirro for the District of Columbia. “Whether these criminals target law enforcement, other government agencies, or private companies, my office and our law enforcement partners stand ready to go toe-to-toe with criminals and make victims whole.”
“The BlackSuit ransomware gang’s persistent targeting of U.S. critical infrastructure represents a serious threat to U.S. public safety,” said Assistant Attorney General for National Security John A. Eisenberg. “The National Security Division is proud to be part of an ongoing team of government agencies and partners working to protect our Nation from threats to our critical infrastructure.”
“Today’s action exemplifies the forward-leaning, disruption-first approach we are taking to address this threat,” said U.S. Attorney Erik S. Siebert for the Eastern District of Virginia. “When it comes to protecting U.S. businesses, critical infrastructure, and other victims from ransomware and other cyberthreat actors, we will pull no punches.”
“Disrupting ransomware infrastructure is not only about taking down servers — it's about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said Deputy Assistant Director Michael Prado for HSI’s Cyber Crimes Center (C3). “This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable.”
“This operation strikes a critical blow to BlackSuit’s infrastructure and operations,” said Special Agent in Charge William Mancino of the U.S. Secret Service’s Criminal Investigative Division. “The U.S. Secret Service is committed to working alongside our law enforcement partners to dismantle criminal enterprises and prevent the deployment of malicious ransomware that victimizes businesses and organizations.”
“Today's announcement demonstrates IRS Criminal Investigation’s commitment to disrupting the illicit flow of money that enables cyber criminals to illegally launder millions in cryptocurrency,” said Executive Special Agent in Charge Kareem Carter of the IRS-CI Washington Field Office. “Criminal software like the BlackSuit Ransomware group is deployed to steal, extort victims, and launder proceeds of these activities. IRS Criminal Investigation Washington, D.C., Cyber Crimes Unit will continue to work hand in hand with our law enforcement partners to leverage all available tools to identify, apprehend, and hold accountable these bad actors and put an end to their illicit activity.”
According to details released by HSI in a joint statement today, authorities seized servers, domains, and digital assets used by BlackSuit operators as part of their efforts against ransomware deployment and money laundering activities tied back through evidence collected by both prosecuting offices.
BlackSuit (Royal) ransomware has previously targeted various sectors considered vital—including manufacturing facilities; government entities; healthcare providers; public health organizations; as well as commercial operations—according to advisories issued by CISA. These advisories have described tactics used by such groups along with indicators organizations can use for protection.
Victims were generally required by Royal attackers to pay ransoms using Bitcoin via darknet websites: one such payment occurred on April 4th last year when a victim paid 49 bitcoins—worth over $1 million at that time—to regain access after an attack; most funds were moved through exchange accounts until they were frozen earlier this year.
Multiple federal investigative agencies collaborated on this case alongside counterparts from Europe—including national police forces in each country named above.
Assistant U.S. Attorneys Rick Blaylock Jr., Laura D. Withers, and Trial Attorney Jacques Singer-Emery represent government interests in ongoing proceedings related both domestically within D.C., Virginia courts as well as nationally under security-focused divisions.
