DOJ, international partners take down BlackSuit (Royal) ransomware network
Four servers, nine domains and over $1M in crypto were recovered in the global operation.
The U.S. Justice Department announced on Aug 11 that a coordinated international enforcement action against the BlackSuit (Royal) ransomware group had dismantled key parts of its infrastructure and seized more than $1 million in cryptocurrency linked to its operations.
The takedown, carried out on July 24, involved the seizure of four servers and nine domains used by the group. The DOJ did not disclose the location of the seized servers.
“Today's announcement demonstrates IRS Criminal Investigation’s commitment to disrupting the illicit flow of money that enables cyber criminals to illegally launder millions in cryptocurrency,” said Executive Special Agent in Charge Kareem Carter of the IRS-CI Washington Field Office.
“Criminal software like the BlackSuit Ransomware group is deployed to steal, extort victims and launder proceeds of these activities.”
BlackSuit, also known as Royal, has been active since at least September 2022. U.S. agencies say the group has compromised more than 450 known victims across sectors including healthcare, education, energy, public safety and government.
Ransom demands have ranged from $1 million to $10 million, usually payable in Bitcoin. The Cybersecurity and Infrastructure Security Agency (CISA) reported that the largest known demand from the group reached $60 million.
Ransomware remains one of the most persistent threats to critical infrastructure, with attacks targeting hospitals, utilities, schools and corporations worldwide. The FBI and CISA warn that BlackSuit uses double-extortion tactics, encrypting data while threatening to leak stolen information to force payment.
In 2024, ransomware complaints rose 9% from the previous year, contributing to the $16.6 billion in cybercrime losses reported to the FBI’s Internet Crime Complaint Center.
BlackSuit has received more than $370 million in ransom payments to date, according to the DOJ.
The operation was led by the Department of Homeland Security’s Homeland Security Investigations (HSI), the U.S. Secret Service, IRS Criminal Investigation (IRS-CI), and the FBI, with assistance from law enforcement agencies in the United Kingdom, Germany, Ireland, France, Canada, Ukraine and Lithuania.
“Disrupting ransomware infrastructure is not only about taking down servers — it's about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said Deputy Assistant Director Michael Prado of HSI’s Cyber Crimes Center.
“This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable.”