The U.S. Department of Homeland Security says the criminal groups behind the Royal and BlackSuit ransomware operations compromised more than 450 U.S. organizations and collected roughly $370 million in ransom payments before law enforcement disrupted their infrastructure. Homeland Security Investigations led the takedown with international partners in an action that included seizing extortion domains.
Scope of the campaign and the takedown
According to HSI, the campaign has been active since 2022 and affected organizations across multiple sectors. The agencies say the groups used double-extortion tactics, encrypting systems and threatening to publish stolen data to force payments. The U.S. Department of Justice announced on July 24 that several BlackSuit leak sites were seized and replaced with law-enforcement banners as part of Operation Checkmate.
“Since 2022, the Royal and BlackSuit ransomware groups have compromised over 450 known victims in the United States, including entities in the healthcare, education, public safety, energy and government sectors,” the HSI statement reads.
Affected sectors included:
- Healthcare, education and public safety
- Energy and government entities
Origins, rebrands and tools used by the groups
The criminal operation first appeared as Quantum ransomware in January 2022 and is widely considered a successor to the Conti syndicate. The actors later developed their own Zeon encryptor and rebranded as Royal in September 2022. After testing a new encryptor in mid-2023 and following high-profile incidents such as an attack on the City of Dallas, the group began operating under the BlackSuit name.
Federal agencies previously linked the group to hundreds of global incidents. A November 2023 advisory from CISA and the FBI connected Royal/BlackSuit to attacks on more than 350 organizations. An August 2024 advisory noted continued activity and high ransom demands over the group’s lifetime.
Evidence of another rebrand to “Chaos”
Researchers at Cisco Talos reported traces suggesting the group may reappear under the name Chaos ransomware. Talos found similarities in tactics, techniques and procedures—encryption commands, ransom note structure, and use of living-off-the-land binaries and remote management tools—that point to reuse of methods by the same or closely linked actors.
“Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of the BlackSuit (Royal) ransomware or operated by some of its former members,” the Talos analysis states.
Impact, payments and international response
HSI says the groups collected more than $370 million in cryptocurrency value from victims. Law enforcement action disrupted the gang’s extortion infrastructure and replaced several leak sites with public seizure notices. Authorities described the takedown as an international effort involving multiple partners and aimed at halting ongoing extortion activity.
The DOJ seizure and DHS reporting do not end ongoing investigations. The agencies continue to publish guidance and advisory products to help organizations assess exposure and respond to similar threats.