In a major step against cybercrime, security agencies from around the world have joined forces to take down the dark web websites used by the ransomware group BlackSuit, known for targeting the networks of hundreds of organizations globally in recent years.
The U.S. Department of Justice (DOJ) confirmed on Thursday, July 24, 2025, the seizure of the domains used by BlackSuit operators, in a coordinated action with multiple countries and authorized by a court order.
Since this morning, anyone trying to access BlackSuit’s .onion sites is met with a clear warning: a seizure banner stating that the domains have been taken over by the U.S. government as part of a joint operation called “Operation Checkmate.”
“This site has been seized by U.S. Homeland Security Investigations as part of a coordinated international law enforcement investigation,” reads the notice now replacing the original content.
The operation was not a standalone effort. In addition to Homeland Security Investigations (HSI), other high-level agencies were involved, including the U.S. Secret Service, the Netherlands National Police, the German State Criminal Police Office (LKA), the United Kingdom’s National Crime Agency (NCA), the Frankfurt Public Prosecutor’s Office, the U.S. Department of Justice, Ukraine’s Cyber Police, Europol, and others.
This coordinated action marks a significant blow against one of the most active ransomware groups in recent times. It also sends a clear message: even on the dark web, digital criminals are not beyond the reach of justice.
[Image: BlackSuit seizure banner]
History repeats itself in the world of ransomware, and this time it’s BlackSuit, a familiar name to cybersecurity researchers. According to a recent report by Cisco Talos’ threat intelligence team, all signs point to the group rebranding once again, now operating under the identity of Chaos ransomware.
“We assess with moderate confidence that the new Chaos ransomware group is a reincarnation of BlackSuit (formerly Royal) or is being operated by former members of the same group,” explained Cisco Talos.
Experts reached this conclusion by analyzing a series of technical and tactical similarities in the group's tactics, techniques, and procedures (TTPs). For example:
Nearly identical encryption commands
Very similar structure and language in the ransom notes
Use of known tools like LOLBins (living-off-the-land binaries: legitimate system binaries abused for malicious purposes) and remote monitoring and management (RMM) software
All of this suggests that this is not an entirely new group, but rather a new face for an operation with a long history.
To understand this shift, we need to look back. BlackSuit’s history is marked by several identity changes:
January 2022 – The group emerges as Quantum ransomware, possibly as a direct successor to the infamous Conti collective.
September 2022 – They rebrand as Royal ransomware, moving away from borrowed encryptors and launching their own tool: Zeon.
June 2023 – After a high-profile attack on the city of Dallas, Texas, they begin operating under a new name: BlackSuit, following tests of their new BlackSuit encryptor.
2025 – Strong signs emerge that the group has rebranded once again, this time as Chaos ransomware.
This pattern is nothing new. Many ransomware groups periodically reinvent themselves to evade authorities, divert attention, or simply refresh their image and tactics.
Despite the name changes, researchers agree that these are different faces of the same operation—or at least operated by individuals who have worked together before. This has been confirmed by U.S. cybersecurity authorities.
As early as November 2023, a joint advisory from the FBI and CISA (Cybersecurity and Infrastructure Security Agency) warned about striking similarities between Royal and BlackSuit, both in their code and attack methods.
By August 2024, both agencies officially confirmed what had already been suspected: BlackSuit was the new name for Royal ransomware. The same advisory revealed that, since its inception, the group had attacked over 350 organizations worldwide, demanding more than $500 million in ransom.
For organizations and cybersecurity experts, this rebranding doesn’t mean the group has vanished. On the contrary—it could be a sign they are refining their techniques and expanding their reach.
The Chaos ransomware name has been used in other malicious contexts before, but this new variant appears to be more closely aligned with the evolution of BlackSuit/Royal. For now, the technical similarities are strong enough to establish a link, though researchers will continue monitoring their activity to confirm it more definitively.
Whether they go by BlackSuit, Royal, or Chaos, these groups tend to use similar tactics: initial access via phishing or vulnerabilities, lateral movement within the network, data theft, and then mass encryption. To reduce risks, the best practices remain the same—and more relevant than ever:
Implement secure, offline backups. Offline or immutable backups are key to preventing ransomware from encrypting them too.
Keep all systems updated, especially critical security patches that address known vulnerabilities.
Enable multi-factor authentication (MFA) for all sensitive access points, particularly admin accounts and remote access.
Train employees to recognize suspicious emails, misleading links, and phishing attacks. The human factor remains one of the weakest links.
Monitor network traffic and use modern detection and response tools like EDR or XDR to identify abnormal behavior in real time.
Extra Tip: If you're looking for a reliable and robust solution to protect your data against ransomware, TecnetProtect Backup is an excellent choice. Powered by Acronis’ renowned technology, it offers advanced defense against threats like malicious encryption with proactive detection, automatic file recovery, and comprehensive backup protection.
With TecnetProtect Backup, you can:
Detect and block ransomware attacks in real time using advanced behavioral analysis.
Automatically recover files in case of malicious encryption attempts.
Protect backups from tampering, ensuring they remain intact and accessible even if the main system is compromised.
Isolate suspicious processes and prevent them from affecting the backup environment.
Implement encrypted and digitally signed backups, ensuring authenticity and confidentiality.
These types of solutions not only enable rapid data restoration after an attack but also reduce downtime and economic impact in the event of an incident.
Additionally, if you belong to a critical or essential organization (like healthcare, energy, transportation, etc.), consider establishing a ransomware-specific incident response plan. This plan should include defined roles, reaction timelines, communication channels, and recovery protocols.
The potential rebranding of BlackSuit to Chaos ransomware isn’t surprising—but it’s a powerful reminder: ransomware continues to evolve, adapt, and reorganize to operate in the shadows.
Businesses must stay vigilant—not just to the changing names, but to the recurring tactics and patterns behind these groups. Meanwhile, security experts and agencies will continue tracking Chaos, looking for further clues to confirm its true identity. So, is your company ready to face Chaos and other cybercrime threats?