Cracking down on cybercrime – offenders within the Russian-speaking community exposed
International Cybercrime Group Blacksuit/Royal Dismantled in Coordinated Global Operation
In a significant breakthrough, international investigators have dismantled the Blacksuit/Royal cybercriminal extortion group, a globally active and notorious ransomware group known for double extortion attacks. The operation, led by the Lower Saxony State Criminal Police Office (LKA) in Germany, resulted in the seizure of the group's technical infrastructure.
The Blacksuit/Royal group, which evolved from the Royal ransomware group and is linked to former Conti ransomware operators, has been responsible for high-profile ransomware attacks on various sectors, including government, healthcare, education, IT, manufacturing, and retail.
The group's modus operandi involves encrypting victims' data using ransomware that targets Windows and Linux systems, including VMware ESXi servers. Before encrypting the data, they steal sensitive information and threaten to publish or sell it to extort ransom. This double extortion tactic adds pressure on victims beyond just data unavailability.
To maintain persistent access within victim networks and evade detection, the group uses legitimate remote monitoring and management tools. Unlike other ransomware-as-a-service (RaaS) models, Blacksuit/Royal operates as a private group, with members exclusively using their own developed tools and infrastructure. They demand very large ransoms, reportedly ranging from $1 million up to $60 million per attack, with total ransom demands exceeding $500 million by mid-2024.
The exact location of the infrastructure is not disclosed, but the perpetrators are reportedly based in the Russian-speaking region. So far, no arrests have been made in this investigation.
LKA President Thorsten Massinger stated, "With this, we are sending a clear signal in the fight against digital crime." Cybercrime expert Frank Puschin from the LKA reported that several server systems were secured and taken offline in Europe during the investigation.
The shutdown of the servers affected the communication, distribution of malware, and the perpetrators' website. Significant amounts of data were secured at the end of July as part of the long-term planned action. The affected companies come from all sectors, with around 40 registered in Germany and 184 affected companies or institutions worldwide, according to LKA information.
Investigators expect the perpetrators to regroup and continue under another name. They urge victims to report attacks to prevent further incidents. Puschin stated, "The perpetrators have no preference." The stolen data is then threatened with publication or sale to extort ransom.
The secured data is to be analysed to clarify the attacks and identify those responsible. The total damage caused by the group is over 500 million US dollars (approximately 430 million euros), as established in August 2024. The shutdown of the servers marks a significant step in the fight against digital crime and the dismantling of the Blacksuit/Royal group.
- The global operation to dismantle the Blacksuit/Royal cybercrime group, known for their double extortion attacks, reveals a link between this group and the Conti ransomware operators.
- The seizure of the Blacksuit/Royal group's technical infrastructure, a result of the coordinated global operation, is a significant step in combating technology-enabled crime.