The ransomware group BlackSuit has lost control of its dark web infrastructure following a coordinated international law enforcement operation on July 24.
Visitors to the group’s leak site via The Onion Router (TOR) encountered a seizure banner posted by the U.S. Department of Homeland Security Investigations.

The takedown, dubbed Operation Checkmate, was carried out with support from the U.S. Department of Justice, Europol, and cybersecurity firm Bitdefender, alongside 16 other agencies from nine countries.
BlackSuit, active since May 2023, is responsible for more than 180 ransomware attacks across critical infrastructure, healthcare, and industrial sectors. The group is believed to be a successor to the Royal and Conti ransomware gangs.
BlackSuit's Major Disruption in Africa
One of BlackSuit’s most damaging attacks occurred in Africa in June 2024, when it targeted South Africa’s National Health Laboratory Service (NHLS). The NHLS runs over 250 labs that provide critical diagnostics for HIV, tuberculosis, and cancer.
The attack encrypted internal systems and disrupted operations for days, delaying over 6.3 million test results. NHLS email, test result portals, and IT networks were shut down, forcing labs to revert to manual processes. Several medical appointments and surgeries were cancelled as a result.
BlackSuit demanded a ransom using its double extortion method, threatening to publish stolen data unless paid. While it is unclear what data was taken, an estimated 1.2 terabytes of data were reportedly stolen.
The impact was national. Public healthcare services slowed significantly, and the disruption raised serious concerns over patient safety and data protection.
A Temporary Setback
While BlackSuit’s sites are offline, none of its members have been arrested. Cybersecurity analysts warn the group may re-emerge under a different name.
Cisco Talos has already linked a new ransomware group, Chaos, to former BlackSuit operators, citing similarities in tools and ransom notes.
Since its emergence, BlackSuit has demanded over $500 million in ransom payments, with demands ranging from $1 million to $60 million.
The seizure of its infrastructure marks a tactical win for global law enforcement. However, without arrests or a full dismantling of the group, the risk of further attacks remains.
Governments and organizations are being urged to strengthen cybersecurity protocols and incident response plans to guard against future ransomware threats.

