The U.S. Immigration and Customs Enforcement (ICE) said it has taken down servers operated by a Russian ransomware group that compromised over 450 victims within the United States in just over two years.  

ICE's Homeland Security Investigations (HSI) dismantled critical infrastructure used by BlackSuit ransomware, which the agency called a “major cybercriminal operation” that compromised 450 victims in the United States and received around $370 million in payments since 2022.

The cyber group behind BlackSuit and Royal ransomware targeted healthcare, education, public safety, energy, and government sectors, according to ICE.

“The ransomware schemes used double-extortion tactics — encrypting victims’ systems while threatening to leak stolen data to further coerce payment,” ICE said in an Aug. 7 press release. 

According to a statement from Department of Justice (DoJ) officials, the coordinated effort between ICE HSI, DoJ, U.S. Secret Service, FBI, IRS Criminal Investigation, and international partners in Europe and Canada took down four servers and nine domains operated by BlackSuit in late July.

Those actions resulted in the seizure of over $1 million in funds, according to the DoJ.

“The BlackSuit ransomware gang’s persistent targeting of U.S. critical infrastructure represents a serious threat to U.S. public safety,” said John Eisenberg, assistant attorney general for National Security. “The National Security Division is proud to be part of an ongoing team of government agencies and partners working to protect our Nation from threats to our critical infrastructure.” 

The Department of Health and Human Services reported that BlackSuit was first spotted in May 2023, rebranding itself from its previous name of Royal. The group came from the now-defunct Conti syndicate that split in 2022. It typically uses double-extortion methods, with ransom demands ranging from $1 million to $60 million.  

As of late 2024, BlackSuit actors had demanded over $500 million in total, according to the Cybersecurity and Infrastructure Security Agency.  

While the action dismantled parts of BlackSuit’s operations, it likely did not stop ransomware attacks from the cyber group. 

“We will continue to target the infrastructure, finances and operators behind these ransomware groups to ensure they have nowhere left to hide,” said HSI Washington, D.C. acting Special Agent in Charge Christopher Heck.    

Weslan Hansen
Weslan Hansen is a MeriTalk Staff Reporter covering the intersection of government and technology.