Surge in Chaos Ransomware Linked to BlackSuit Group Departure


Operation Checkmate Disrupts Major Russian-Speaking Ransomware Group

The BlackSuit dark web leak site as of July 24, 2025.

In a significant international effort, Operation Checkmate has dismantled BlackSuit, a ransomware group whose ransom demands against hundreds of victims totaled more than half a billion dollars. U.S. Homeland Security Investigations announced on Thursday that the group's dark web data-leak blog and negotiation sites had been seized; they now redirect to a takedown notice.

The operation involved more than a dozen law enforcement agencies, including the FBI and the U.S. Department of Justice, the UK's National Crime Agency and Ukraine's Cyber Police, with support from Europol. A joint FBI and CISA alert from August 2024 said BlackSuit's ransom demands typically ranged from $1 million to $10 million, with one demand reaching $60 million, all payable in Bitcoin, and that the group's demands in total exceeded $500 million.

Bitdefender, which supported the operation with threat intelligence, said BlackSuit emerged in summer 2023 and had listed more than 185 victims who refused to pay on its data-leak site. Paying did not guarantee relief: there are cases in which victims paid and the group still failed to hold up its end, and in one instance it leaked a known victim's data even after collecting nearly $3 million in ransom.

The disruption appears to coincide with BlackSuit's effort to rebrand itself as "Chaos" ransomware. Cisco Talos assessed with moderate confidence that Chaos was created by former BlackSuit members, citing overlaps in attack methodology, including the encryption approach and the structure of the ransom notes.

The attack chain Talos described begins with "low-effort spam flooding" of a target's mailbox, followed by escalating social engineering, typically voice-based, that persuades the flooded user to grant remote access. The intrusion usually culminates in the installation of remote monitoring and management (RMM) tools, which give the attackers persistent access and a channel for data exfiltration. In MITRE ATT&CK terms this is initial access via phishing (T1566), persistence and command-and-control via remote access software (T1219), and exfiltration over that same channel. For defenders the practical point is that the RMM install is the most visible step: an RMM client appearing on a workstation that has no sanctioned use for it, especially shortly after a burst of inbound mail to that user, deserves immediate triage.
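The detection sketch below is an added example for this article, not code from Talos, Bitdefender or any Operation Checkmate participant. It correlates the two observable ends of the chain described above: a mail flood against one mailbox, and an unsanctioned RMM binary starting on a host shortly afterwards under that user's account. The event records are constructed inline and only loosely shaped like Sysmon event ID 1 and mail-gateway logs; the field names, the RMM binary list, the sanctioned-account set and the account-to-mailbox mapping are all assumptions for illustration.

```python
"""Detection sketch for the spam-flood -> social engineering -> RMM chain.

Added example for this article, not code from Talos, Bitdefender or the
Operation Checkmate participants. Event records are constructed inline and
loosely shaped like Sysmon event ID 1 and mail-gateway logs; the field names,
binary list and account/mailbox mapping are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Remote-access binaries that warrant scrutiny when they appear on a
# workstation with no sanctioned use; illustrative, not exhaustive.
RMM_BINARIES = {
    "anydesk.exe",
    "screenconnect.clientservice.exe",
    "quickassist.exe",
    "teamviewer.exe",
    "splashtopstreamer.exe",
}

# Accounts allowed to run RMM software in this (assumed) environment.
SANCTIONED_RMM_USERS = {"corp\\svc_rmm"}


def _burst(recipient, start, count, seconds_apart):
    """Build `count` inbound-mail records to `recipient` starting at `start`."""
    t0 = datetime.fromisoformat(start)
    return [(t0 + timedelta(seconds=i * seconds_apart), recipient) for i in range(count)]


# Constructed mail-gateway records: (timestamp, recipient).
MAIL_EVENTS = (
    _burst("jdoe@example.com", "2025-07-22T08:40:00", 40, 20)      # 40 messages in 13 minutes
    + _burst("asmith@example.com", "2025-07-22T08:00:00", 3, 600)  # normal volume
)

# Constructed process-creation events.
PROCESS_EVENTS = [
    {"ts": "2025-07-22T09:02:10", "host": "WS-0142", "user": "corp\\jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"},
    {"ts": "2025-07-22T09:05:00", "host": "WS-0142", "user": "corp\\jdoe",
     "image": "C:\\Windows\\System32\\notepad.exe"},
    {"ts": "2025-07-22T10:30:00", "host": "SRV-IT01", "user": "corp\\svc_rmm",
     "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"},
    {"ts": "2025-07-22T11:15:00", "host": "WS-0333", "user": "corp\\asmith",
     "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"},
]


def detect_mail_flood(mail_events, window=timedelta(minutes=15), threshold=25):
    """Return {recipient: flood_start} for recipients that received more than
    `threshold` messages inside any sliding interval of length `window`."""
    per_recipient = defaultdict(list)
    for ts, rcpt in mail_events:
        per_recipient[rcpt].append(ts)
    flooded = {}
    for rcpt, times in per_recipient.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while t - times[left] > window:   # shrink the window from the left
                left += 1
            if right - left + 1 > threshold:
                flooded[rcpt] = times[left]
                break
    return flooded


def flag_rmm_launches(process_events, sanctioned_users=SANCTIONED_RMM_USERS):
    """Return process events in which an RMM binary was started by an account
    outside `sanctioned_users`. Matches on the base file name, case-insensitively."""
    hits = []
    for ev in process_events:
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if exe in RMM_BINARIES and ev["user"].lower() not in sanctioned_users:
            hits.append({**ev, "binary": exe})
    return hits


def user_to_mailbox(user):
    """Assumed account-to-mailbox mapping; replace with a directory lookup."""
    return user.split("\\", 1)[-1] + "@example.com"


def correlate(process_events, mail_events, sanctioned_users=SANCTIONED_RMM_USERS,
              lookahead=timedelta(hours=2)):
    """Escalate an unsanctioned RMM launch to high severity when the same user's
    mailbox was flooded within `lookahead` before the launch; otherwise medium."""
    flooded = detect_mail_flood(mail_events)
    alerts = []
    for hit in flag_rmm_launches(process_events, sanctioned_users):
        launched = datetime.fromisoformat(hit["ts"])
        flood_start = flooded.get(user_to_mailbox(hit["user"]))
        recent_flood = (flood_start is not None
                        and timedelta(0) <= launched - flood_start <= lookahead)
        alerts.append({"host": hit["host"], "user": hit["user"], "binary": hit["binary"],
                       "severity": "high" if recent_flood else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(PROCESS_EVENTS, MAIL_EVENTS):
        print(alert)
```

Run stand-alone, the sketch raises a high-severity alert for jdoe (flooded mailbox, then AnyDesk from a Downloads folder 22 minutes later), a medium one for asmith (ScreenConnect with no preceding flood) and nothing for the sanctioned service account. The window and threshold values are placeholders; tune them against your own gateway's baseline before relying on the flood rule.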

BlackSuit is the mid-2023 rebrand of Royal, which in turn grew out of the infamous Russian-speaking Conti group and initially operated under the Quantum name. Conti collapsed after its leadership publicly backed Russia's invasion of Ukraine, which left victims wary of sanctions exposure and cut into ransom payments.

BlackSuit's leadership, by contrast, has kept a lower profile and distanced itself from Conti's notoriety. Bitdefender noted that this has helped the group avoid scrutiny: it operates as a closed crew rather than as a ransomware-as-a-service offering with outside affiliates.

Yelisey Boguslavskiy of RedSense wrote on LinkedIn that BlackSuit appeared to be the largest Russian-speaking ransomware group apart from DragonForce, but had largely withdrawn from public view since January because of its Conti ties. He said the group's operational security had held up well, and that the Operation Checkmate takedown appears to have paused its growth plans under the Chaos rebrand.

Operation Checkmate has disrupted BlackSuit's infrastructure, but not necessarily the people behind it. Given the crew's history of rebranding, from Conti to Quantum to Royal to BlackSuit and now Chaos, a resurgence under another name remains a realistic possibility, and defenders should keep tracking its tooling and tradecraft rather than its current brand.
