BlackSuit (Royal) seized under Operation Checkmate: No arrests mean a comeback is imminent
Written by: Ekrem Selcuk Celik
The future of the BlackSuit ransomware group remains uncertain, even after a decisive government takedown. In an operation dubbed “Operation Checkmate,” authorities seized servers, domains, and millions in cryptocurrency, yet the question lingers: if their operation was crippled, why is the risk still high? The answer lies in what wasn’t accomplished: no arrests were made. This is the crucial point for anyone responsible for cybersecurity or third-party risk, and it’s why Black Kite always keeps a finger on the pulse of ransomware threat actors so you can stay informed. In this article, we’ll dive into the full story, detailing how a group that has targeted over 278 companies remains a dangerous and persistent threat.
The Backstory of BlackSuit (aka Royal)
At the start of 2023, the group operating as Royal burst onto the scene. In the first half of the year they were very active and listed 118 companies. Roughly 65% of those were in the U.S., about 8% in the U.K., and about 8% in Germany.
In June 2023, they continued under the BlackSuit name and have posted around 160 victims to date. About 70% are U.S.-based, with the rest spread across other countries, led by the U.K. The FBI/CISA update on August 7, 2024 officially confirmed that Royal’s operators had resurfaced as BlackSuit.
Both groups favored almost exactly the same sectors. One clear difference: compared to Royal, BlackSuit went after healthcare and construction more often. This shows up in the numbers.
Two sharp supply-chain examples:
- CDK Global (Jun 2024) – DMS/CRM outages affecting 10–15k+ dealerships across North America; many dealers reverted to manual processes.
- Octapharma Plasma (Apr 2024) – 150+ donation centers temporarily shut; direct impact on health/plasma supply.
Combined, the companies Royal and BlackSuit listed account for over $50B in annual revenue. Note: this is not “loss.” It’s the sum of the annual revenue of firms named on leak sites (based on 118 + 160 posts).
“Operation Checkmate”: The Government’s Campaign to Take Down BlackSuit
On July 24, we at Black Kite observed multiple BlackSuit domains being seized and replaced with an HSI (DHS) “Operation Checkmate” seizure banner.
The Department of Justice made it official on August 11, 2025: 4 servers and 9 domains were taken down; about $1,091,453 in laundered crypto was seized (traced back to a 49.3120227 BTC ransom on April 4, 2023; the exchange freeze occurred on January 9, 2024).

Servers and crypto were seized, but absent arrests, regrouping is only a matter of time.
It was officially announced that the group’s 4 servers and 9 domains were taken down and that ~$1.09M in crypto was seized, traced to a roughly 49 BTC ransom paid on April 4, 2023, with the funds frozen on January 9, 2024. No arrests were announced, so while the infrastructure and financial hit matters, the risk of rebranding and reorganizing remains.
For the past two years, Royal/BlackSuit’s overall pattern hasn’t really changed. There are small shifts by country and industry, but the continuity is clear. CISA’s August 7, 2024 update confirms the Royal → BlackSuit evolution, and we also see similar TTPs in the wild. (In this space, there are plenty of cases where operators return under new names after pressure—another reason “a matter of time” is a fair assessment.)
What’s Next for BlackSuit? (And Your TPRM Program)
Despite the recent law enforcement action, the threat from the BlackSuit ransomware group is far from over. As history has shown with other cybercriminal syndicates, takedowns without arrests often lead to a re-emergence under a new name. The Black Kite Research Group will continue to keep a close eye on the situation, monitoring for any new developments or shifts in the ransomware landscape. We remain committed to providing our community with the timely and critical intelligence needed to stay ahead of these persistent and evolving threats.
References
- Black Kite dataset – Regional/sector breakdown and the “$50B+” (sum of annual revenues; 118 + 160 cases).
- FBI/CISA Cybersecurity Advisory (Aug 7, 2024) – Confirmation of Royal’s rebrand to BlackSuit and TTP/IOC summary.
- U.S. Department of Justice (DOJ) – Aug 11, 2025 – Operation Checkmate; 4 servers + 9 domains; $1,091,453 crypto seizure; link to 49.3120227 BTC ransom; Jan 9, 2024 freeze.