In a notable international effort, the U.S. Department of Justice, together with law enforcement agencies from Canada, Germany, Ireland, France, the United Kingdom, and others, successfully dismantled key parts of the Russian ransomware gang known as BlackSuit, also linked to the Royal malware.
On July 24, 2025, authorities seized four servers, nine domains, and around $1 million in Bitcoin.
Both BlackSuit and Royal ransomware strains, attributed to the same Russian cybercriminal group, have repeatedly targeted vital sectors in the United States, including healthcare, education, public safety, energy, and government. Since 2022, they have compromised over 450 U.S. victims, extorting more than $370 million in ransom payments.
Using double extortion tactics, the gang encrypts victims’ systems and threatens to release stolen data publicly. A major factor leading to the recent takedown was a large ransom payment of over 49 Bitcoins in April 2023. The funds moved through a cryptocurrency exchange account were frozen in January 2024, allowing recovery of the stolen assets.
“The BlackSuit ransomware gang’s persistent targeting of U.S. critical infrastructure represents a serious threat to U.S. public safety,” said John A. Eisenberg, assistant attorney general for National Security.
John Riggi, cybersecurity advisor to the American Hospital Association, added, “The BlackSuit/Royal ransomware group is directly responsible for multiple disruptive attacks against hospitals and health systems, posing a direct risk to patient and community safety. We hope these aggressive law enforcement operations continue at a pace that will meaningfully degrade foreign cyber adversaries’ abilities to harm the American public.”
The investigation was led by Homeland Security Investigations (HSI), part of U.S. Immigration and Customs Enforcement (ICE), in cooperation with various U.S. agencies including the FBI and Secret Service, as well as international partners such as Europol and several European and Canadian law enforcement bodies.
While this action severely impairs BlackSuit’s operations, law enforcement views it as a setback rather than a full eradication. The ongoing prosecution by the U.S. Attorney’s Office for the Eastern District of Virginia, alongside international cooperation, aims to bring the perpetrators to justice.