US authorities, in coordination with international partners, have dismantled key infrastructure belonging to the BlackSuit ransomware gang, seizing around $1 million in cryptocurrency. The Justice Department announced that servers, domain names, and digital wallets linked to the group were taken down in late July following a coordinated operation involving Homeland Security Investigations, the Secret Service, the IRS, the FBI, and law enforcement agencies from the UK, Germany, Ireland, France, Canada, Ukraine, and Lithuania.

BlackSuit, believed to be a spinoff of the Royal ransomware group, has been active since 2023, launching persistent attacks on critical sectors including healthcare, manufacturing, government, and commercial facilities. The group uses double-extortion tactics—encrypting victims’ systems while threatening to leak stolen data unless paid in Bitcoin. Since 2022, BlackSuit has targeted over 450 known victims in the US, collecting more than $370 million in ransom payments.

One notable incident in 2023 saw a victim pay 49.3 BTC (worth $1.4 million) to recover their data. A portion of those funds, equaling the seized $1 million, was traced through multiple deposits and withdrawals at a cryptocurrency exchange before being frozen in early 2024. BlackSuit’s ransom demands typically range from $1 million to $10 million in Bitcoin, with its largest known demand reaching $60 million.

Officials say the takedown is part of a broader crackdown on ransomware gangs, following recent actions against groups like Aeza Group and Chaos. Cybersecurity experts warn, however, that new ransomware operations—such as Embargo, suspected to be linked to BlackCat—are emerging, keeping the threat alive.

Homeland Security’s Michael Prado emphasized that dismantling ransomware groups is about “removing the entire ecosystem” that allows them to operate unchecked, underscoring the US’s commitment to targeting the financial and operational backbone of cybercrime networks.