Investigation halts ransomware affecting approximately 200 individuals
The Blacksuit/Royal group, a notorious ransomware cybercrime organization, finds itself in hot water following a significant international crackdown. This operation, known as Operation Checkmate, has disrupted the group's operations and secured a vast amount of stolen data.
The Blacksuit/Royal group, which evolved from the Royal group and has ties to former members of the Conti ransomware gang, has been a thorn in the side of large enterprises and various industries for some time. Their activities have included conducting ransomware attacks, encrypting victims' data, and demanding ransoms to restore access, often using sophisticated tactics such as double extortion. This tactic involves threatening to release stolen data publicly in addition to encrypting it.
The group has targeted high-profile organizations and sectors, causing substantial financial damages. For instance, they disrupted the operations of Octapharma Plasma at over 160 plasma centers across the US, caused about $1 billion in losses at CDK Global, a major software provider for North American car dealerships, and targeted the City of Dallas municipal services, among others.
The Blacksuit/Royal group's extortion demands have accumulated to over $500 million, with individual ransom demands ranging from $1 million to $60 million. By mid-2025, the group had claimed roughly 200 victims, and as Royal, they had hit over 350 organizations.
The group operated as a private ransomware entity, not offering ransomware-as-a-service (RaaS) or affiliate programs. Its members are believed to originate from regions such as Russia or Ukraine and have adopted careful operational security since the Conti leaks.
Law enforcement agencies from multiple countries, supported by US Homeland Security Investigations, FBI, Europol, and others, executed Operation Checkmate, seizing BlackSuit’s dark web leak and ransom negotiation sites. The action has taken down the group's communications, malware distribution, and website.
The press conference in Hannover today at 12:30 PM is expected to provide more information about the Blacksuit/Royal group's attacks and the ongoing operation against them. Further details about the investigative success against the group will be shared, including new insights into their tactics and potential updates on the progress made in identifying those responsible for the group's activities. The conference may also reveal additional details about the data secured during the operation.
Authorities are urging victims to report attacks to prevent further incidents. The LKA President, Thorsten Massinger, has stated that this action sends a clear signal against digital crime. The LKA has pledged to meet attacks on companies, public institutions, and private individuals with all available means.
It is important to note that even if victims restore their files, the perpetrators of the Blacksuit/Royal group's attacks retain a copy of the stolen data. Therefore, it is crucial for victims to remain vigilant and take necessary precautions to protect their data.
In summary, the international crackdown on the Blacksuit/Royal group marks a significant step in the fight against ransomware attacks. The operation has disrupted the group's operations, secured stolen data, and sent a clear message against digital crime. The press conference in Hannover today promises to provide valuable insights into the group's activities and the ongoing operation against them.
The Blacksuit/Royal group's activities, primarily focused on ransomware attacks and data theft, have been a significant cybersecurity concern. With sophisticated techniques like double extortion and large-scale targets, they have caused substantial financial losses in various industries, as seen in the disruption of Octapharma Plasma's operations and the $1 billion loss at CDK Global. Recently, international law enforcement agencies, including the FBI and Europol, executed Operation Checkmate, seizing the group's dark web sites and disrupting their operations, thereby securing a vast amount of stolen data. This development marks a significant step in the fight against ransomware attacks, sending a clear message against digital crime.