The Justice Department has announced a coordinated effort against the BlackSuit (Royal) Ransomware group, resulting in the takedown of four servers and nine domains on July 24. The operation involved several U.S. agencies, including Homeland Security Investigations (HSI), the U.S. Secret Service, IRS Criminal Investigation (IRS-CI), and the FBI, working alongside law enforcement partners from the United Kingdom, Germany, Ireland, France, Canada, Ukraine, and Lithuania.
Authorities also unsealed a warrant for the seizure of virtual currency valued at $1,091,453 at the time of seizure. This action was jointly announced by the U.S. Attorney’s Offices for the Eastern District of Virginia and the District of Columbia.
“This action exemplifies the forward-leaning, disruption-first approach we are taking to address this threat,” said Erik S. Siebert, U.S. Attorney for the Eastern District of Virginia. “When it comes to protecting U.S. businesses, critical infrastructure, and other victims from ransomware and other cyberthreat actors, we will pull no punches.”
Assistant Attorney General for National Security John A. Eisenberg commented on the threat posed by BlackSuit: “The BlackSuit ransomware gang’s persistent targeting of U.S. critical infrastructure represents a serious threat to U.S. public safety,” he said. “The National Security Division is proud to be part of an ongoing team of government agencies and partners working to protect our Nation from threats to our critical infrastructure.”
U.S. Attorney Jeanine Ferris Pirro for the District of Columbia addressed the impact on victims: “Too often we see the damage ransomware causes to systems that then allows cybercriminals to wreak havoc on corporations and others,” she said. “Whether these criminals target law enforcement, other government agencies, or private companies, my office and our law enforcement partners stand ready to go toe-to-toe with criminals and make victims whole.”
Michael Prado, Deputy Assistant Director for HSI’s Cyber Crimes Center (C3), highlighted international cooperation: “Disrupting ransomware infrastructure is not only about taking down servers—it’s about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” he said. “This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable.”
Christopher Heck, Special Agent in Charge of HSI Washington, D.C., emphasized their commitment: “This investigation reflects the full reach of HSI Washington, D.C.’s cyber mission and our commitment to defending victims—whether they’re small businesses, school systems, or hospitals,” he said. “We will continue to target the infrastructure, finances, and operators behind these ransomware groups to ensure they have nowhere left to hide.”
Special Agent in Charge William Mancino of the U.S. Secret Service’s Criminal Investigative Division described the significance: “This operation strikes a critical blow to BlackSuit’s infrastructure and operations,” he said. “The U.S. Secret Service is committed to working alongside our law enforcement partners to dismantle criminal enterprises and prevent the deployment of malicious ransomware that victimizes businesses and organizations.”
Executive Special Agent in Charge Kareem Carter of IRS-CI Washington Field Office discussed financial aspects: “This announcement demonstrates IRS Criminal Investigation’s commitment to disrupting the illicit flow of money that enables cyber criminals to illegally launder millions in cryptocurrency,” he said. “Criminal software like the BlackSuit Ransomware group is deployed to steal, extort victims, and launder proceeds of these activities. IRS Criminal Investigation Washington, D.C., Cyber Crimes Unit will continue to work hand in hand with our law enforcement partners to leverage all available tools to identify, apprehend and hold accountable these bad actors and put an end to their illicit activity.”
According to a joint announcement released by HSI,the operation resulted in seizing servers, domains used by BlackSuit Ransomware group for deploying attacks as well as digital assets connected with extortion activities.
A joint advisory from FBI and CISA describes how BlackSuit has targeted sectors such as manufacturing facilities; government offices; healthcare providers; public health entities; as well as commercial sites.The advisory outlines tactics used by attackers so organizations can take steps toward prevention.
BlackSuit typically demands ransom payments via Bitcoin through darknet sites.In one case from April 2023, a victim paid 49 Bitcoin (worth over $1 million at that time) for data decryption; much of those funds were later frozen by an exchange after repeated deposits.
Investigating agencies include HSI; Secret Service; IRS-CI; FBI; UK National Crime Agency; Germany’s Landeskriminalamt Niedersachsen; Ireland’s Garda National Cyber Crime Bureau; France’s Office Anti-Cybercriminalité; Canada’s Royal Canadian Mounted Police & Delta Police Department; Ukraine’s Cyber Police Department; Lithuania’s Criminal Police Bureau.
Prosecutors representing this case are Assistant U.S. Attorney Laura D. Withers (Eastern District of Virginia), Trial Attorney Jacques Singer-Emery (National Security Division), and Assistant U.S. Attorney Rick Blaylock Jr. (District of Columbia).
A copy of this press release can be found on the website of the U.S.Attorney’s Office for the Eastern District of Virginia.
