
Cybercrime combat operations - offenders in the Russian-speaking cyber realm

Online extortionists responsible for approximately 500 million euros in damage have been dismantled by authorities, halting their malicious cyber-operations.


International Takedown of Blacksuit/Royal Cybercriminal Gang

A significant blow has been dealt to the cybercrime world with the recent dismantling of the Blacksuit/Royal group, a notorious ransomware gang responsible for causing over 500 million USD (approximately 430 million EUR) in damage worldwide. The takedown, codenamed "Operation Checkmate", was carried out by international investigators in July 2025.

The Blacksuit/Royal group, originally known as Royal ransomware, rebranded in 2022 and is linked to the disbanded Conti ransomware operation. The group has been active since around 2023, targeting a wide range of industries worldwide, including government, healthcare, education, manufacturing, retail, and IT.

The gang is known for sophisticated ransomware attacks involving double extortion: they first exfiltrate data and then encrypt it, threatening to publish or sell the stolen data unless a ransom is paid. They target both Windows and Linux systems, including VMware ESXi servers, and avoid the ransomware-as-a-service (RaaS) affiliate model, operating instead as a closed group that develops its own tools.

Notable attacks include the May 2023 City of Dallas breach and April 2024 attack on Octapharma Plasma in the US, affecting over 160 blood plasma centers. They also targeted CDK Global, a major software provider for thousands of North American car dealerships, causing an estimated $1 billion in operational disruption.

The Blacksuit/Royal group demanded over $500 million in ransom payments by August 2024, with individual demands ranging from $1 million to $60 million. The takedown operation has disrupted their communication, malware spread, and website, making it difficult for them to continue their operations.

However, investigators expect the perpetrators to regroup and continue under a different name. The exact location of the infrastructure is not being disclosed, but investigators have reported 184 affected companies or institutions worldwide, around 40 of them registered in Germany. The early identification of victims in Hanover allowed the LKA Lower Saxony to play a significant role in the investigation, coordinating with all other federal states and the Federal Criminal Police Office.

The investigation is complex and ongoing, with significant amounts of data secured at the end of July for analysis to identify those responsible. As of now, no arrests have been made in this investigation, and no money has been secured. Disrupting the infrastructure is a step that should generate further leads, according to Puschin.

The attacks carried out by the Blacksuit/Royal group involve double extortion, in which data is stolen before it is encrypted. According to LKA reports, the affected companies come from a variety of sectors.

Despite this significant victory, the fight against cybercrime continues. As technology evolves, so too does the threat landscape, and it is crucial that law enforcement agencies remain vigilant and adaptable in their efforts to protect citizens and businesses from these malicious actors.

