Authorities seize BlackSuit ransomware gang’s servers

German prosecutors have announced that a joint U.S.-European operation successfully seized infrastructure belonging to the BlackSuit ransomware gang, a notorious hacking group responsible for multiple major cyberattacks in recent years.

In a recent statement, officials in Germany revealed that the operation, conducted on July 24, led to the seizure of the gang’s servers and systems. Authorities secured significant amounts of data, which will aid in identifying those behind the attacks. The servers were shut down, effectively disabling the ransomware.

BlackSuit reportedly had 184 victims worldwide, including several in Germany. At the time of the announcement, the gang’s dark web leak site, used to extort victims by publishing stolen files, was no longer accessible. Instead, it displayed a seizure notice confirming the site had been taken down by a coordinated international law enforcement effort.

The operation was carried out with assistance from ICE’s Homeland Security Investigations unit and Europol, according to German officials. While U.S. authorities reportedly disclosed the seizure earlier in the week, it remains unclear whether any arrests were made.

BlackSuit has been one of the most active ransomware groups in recent years, targeting U.S. cities such as Dallas, as well as organizations in manufacturing, communications, and healthcare. In 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that the gang had rebranded from Royal to BlackSuit.

Ransomware gangs often rebrand or merge with other groups to evade government sanctions that hinder their ability to profit from cyberattacks. Security researchers have since linked a new ransomware group called Chaos to former members of the BlackSuit gang.