272/68 Tuesday, July 29, 2025

International law enforcement agencies have taken down the .onion websites operated by the BlackSuit ransomware group, which were used to leak victim data via the Tor network. A seizure banner displayed on the sites confirms the operation was led by U.S. Homeland Security Investigations (HSI), and features the logos of 17 international agencies and the cybersecurity company Bitdefender. BlackSuit is known for its aggressive attacks on critical infrastructure sectors, including industrial, healthcare, government, and manufacturing facilities across multiple countries.
BlackSuit has been active since April 2023 and is widely believed to be a rebrand of Royal Ransomware, which the FBI and CISA have linked to the Conti cybercrime syndicate, associated with Russia-based threat actors. The group gained initial access through various means, such as phishing, website vulnerabilities, and VPN credential theft, and used tools like Mimikatz, Cobalt Strike, and GMER, as well as malware such as Ursnif, to move through networks and exfiltrate data. Victims were typically extorted for ransom payments ranging from $1 million to $10 million, under threat of having their stolen data leaked via Tor sites if payment was not made.
The FBI and CISA have urged organizations to follow the mitigation strategies outlined in their Joint Cybersecurity Advisory (CSA), last updated in August 2024. The advisory documents the group's Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IoCs), and lists best practices to reduce the risk posed by BlackSuit. These recommendations are emphasized in particular for entities in critical infrastructure sectors as part of the #StopRansomware campaign to strengthen resilience against ransomware threats.