BlackSuit Ransomware Operation Disrupted in Global Law Enforcement Seizure

Authorities have seized the BlackSuit ransomware gang’s dark web site, disrupting its operations as members appear to rebrand under a new name: Chaos ransomware.

The notorious ransomware group BlackSuit has suffered a significant disruption after international law enforcement seized its dark web leak site. The takedown, confirmed by a Department of Justice email and first spotted by BleepingComputer, is part of Operation Checkmate—a multi-agency initiative led by US Homeland Security Investigations (HSI).

“This site has been seized by US Homeland Security Investigations as part of a coordinated international law enforcement investigation,” reads the banner now replacing BlackSuit’s leak site.

Sixteen agencies are listed as part of the coordinated operation. These include Europol, the UK’s National Crime Agency (NCA), the Office of Foreign Assets Control (OFAC), Bitdefender, and law enforcement agencies from Canada, Ireland, France, Germany, Ukraine, and Lithuania.

BlackSuit had previously targeted hundreds of victims across critical infrastructure sectors, demanding more than $500 million in ransom payments. The seized data leak site had listed over 180 victims, with one individual ransom demand reaching $60 million.

Although BlackSuit appeared publicly only in mid-2023, security experts have long suspected it to be a rebrand of the Royal ransomware gang, which was active from September 2022 to June 2023. Both groups shared overlapping TTPs (tactics, techniques, and procedures), code similarities, and ransom note styles.

The U.S. government had earlier issued a joint advisory on BlackSuit, warning organizations about its use of double extortion tactics—encrypting systems while simultaneously stealing data to pressure victims into payment.

BlackSuit’s Successor Likely Operating Under ‘Chaos’ Ransomware Name

Following the BlackSuit disruption, security analysts now believe that its operators may have rebranded again—this time as the Chaos ransomware gang. According to a recent Cisco Talos Incident Response report, Chaos has been active since February 2025 and appears to continue the same pattern of big-game hunting and double extortion attacks.

“The new group is likely formed by former members of the BlackSuit (Royal) gang, based on similarities in the ransomware’s encryption methodology, ransom note structure, and the toolset used in the attacks,” the report notes with moderate confidence.

Chaos ransomware is currently being promoted as a Ransomware-as-a-Service (RaaS) offering on Russian-language cybercrime forums. The malware advertises the capability to target Windows, ESXi, Linux, and NAS systems.

Importantly, security researchers emphasized that this group has no connection with the earlier malware development tool also called Chaos. The name reuse appears to be a deliberate attempt to sow confusion and evade attribution.

So far, the new Chaos leak site has listed 10 victims, with average ransom demands of around $300,000. The ransom model includes a unique coercion tactic—offering victims a “decryptor application and a detailed penetration test report” if payment is made. Otherwise, they are threatened with data leaks and DDoS attacks.

While law enforcement has dealt a major blow to BlackSuit, the continued emergence of rebranded operations like Chaos highlights the persistent challenge posed by ransomware-as-a-service gangs in the global threat landscape.
