{
	"id": "4ea2a9d0-c9de-4f02-9e4d-65b5fc969c2a",
	"created_at": "2026-04-06T00:22:05.119033Z",
	"updated_at": "2026-04-10T03:29:40.135021Z",
	"deleted_at": null,
	"sha1_hash": "746100da7c3911c83efd5870f8b8e4b86eeed7bc",
	"title": "BlackSuit ransomware extortion sites seized in Operation Checkmate",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4496649,
	"plain_text": "BlackSuit ransomware extortion sites seized in Operation Checkmate\r\nBy Sergiu Gatlan\r\nPublished: 2025-07-24 · Archived: 2026-04-05 18:14:04 UTC\r\nLaw enforcement has seized the dark web extortion sites of the BlackSuit ransomware operation, which has targeted and\r\nbreached the networks of hundreds of organizations worldwide over the past several years.\r\nThe U.S. Department of Justice confirmed the takedown in an email earlier today, saying the authorities involved in the\r\naction executed a court-authorized seizure of the BlackSuit domains.\r\nEarlier today, the websites on the BlackSuit .onion domains were replaced with seizure banners announcing that the\r\nransomware gang's sites were taken down by the U.S. Homeland Security Investigations federal law enforcement agency as\r\npart of a joint international action codenamed Operation Checkmate.\r\n\"This site has been seized by U.S. Homeland Security Investigations as part of a coordinated international law enforcement\r\ninvestigation,\" the banner reads.\r\nBleepingComputer has confirmed that the seized sites include dark web data leak blogs and negotiation sites used to extort\r\nvictims into paying ransom demands.  \r\nOther law enforcement authorities that participated in this joint operation include the U.S. Secret Service, the Dutch\r\nNational Police, the German State Criminal Police Office, the U.K. 
National Crime Agency, the Frankfurt General\r\nProsecutor's Office, the Justice Department, the Ukrainian Cyber Police, Europol, and others.\r\nA spokesperson for Romanian cybersecurity company Bitdefender also told BleepingComputer that its cybercrime unit\r\n(known as Draco Team) provided cybersecurity consulting and guidance to law enforcement partners throughout Operation\r\nCheckmate.\r\n\"We commend our law enforcement partners for their coordination and determination. Operations like this reinforce the\r\ncritical role of public-private partnerships in tracking, exposing, and ultimately dismantling ransomware groups that operate\r\nin the shadows,\" Bitdefender said.\r\nBlackSuit seizure banner (BleepingComputer)\r\nChaos ransomware rebrand\r\nOn Thursday, the Cisco Talos threat intelligence research group reported that it had found evidence suggesting the BlackSuit\r\nransomware gang is likely to rebrand itself once again as Chaos ransomware.\r\n\"Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of the BlackSuit\r\n(Royal) ransomware or operated by some of its former members,\" the researchers said. \r\n\"This assessment is based on the similarities in TTPs, including encryption commands, the theme and structure of the\r\nransom note, and the use of LOLbins and RMM tools in their attacks.\"\r\nBlackSuit started as Quantum ransomware in January 2022 and is believed to be a direct successor to the notorious Conti\r\ncybercrime syndicate. 
While they initially used encryptors from other gangs (such as ALPHV/BlackCat), they deployed\r\ntheir own Zeon encryptor soon after and rebranded as Royal ransomware in September 2022.\r\nIn June 2023, after targeting the City of Dallas, Texas, the Royal ransomware gang began working under the BlackSuit\r\nname, following the testing of a new encryptor called BlackSuit amid rumors of a rebranding.\r\nCISA and the FBI first revealed in a November 2023 joint advisory that Royal and BlackSuit share similar tactics, while\r\ntheir encryptors exhibit obvious coding overlaps. The same advisory linked the Royal ransomware gang to attacks targeting\r\nover 350 organizations worldwide since September 2022, resulting in ransom demands exceeding $275 million.\r\nThe two agencies confirmed in August 2024 that the Royal ransomware had rebranded as BlackSuit and had demanded over\r\n$500 million from victims since surfacing more than two years prior.\r\nUpdate 7/24/25: Updated article to include that negotiation sites were seized as well.\r\nSource: https://www.bleepingcomputer.com/news/security/law-enforcement-seizes-blacksuit-ransomware-leak-sites/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/law-enforcement-seizes-blacksuit-ransomware-leak-sites/"
	],
	"report_names": [
		"law-enforcement-seizes-blacksuit-ransomware-leak-sites"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434925,
	"ts_updated_at": 1775791780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/746100da7c3911c83efd5870f8b8e4b86eeed7bc.pdf",
		"text": "https://archive.orkl.eu/746100da7c3911c83efd5870f8b8e4b86eeed7bc.txt",
		"img": "https://archive.orkl.eu/746100da7c3911c83efd5870f8b8e4b86eeed7bc.jpg"
	}
}