The US Department of Homeland Security (DHS) says the cybercrime gang behind the Royal and BlackSuit ransomware operations breached hundreds of American companies before the operations were taken down last month.
Homeland Security Investigations (HSI), the main investigative branch of DHS, which took down the group's infrastructure in collaboration with international law enforcement partners, said the cybercriminals also collected more than $370 million from their victims.
"Since 2022, the Royal and BlackSuit ransomware groups have compromised more than 450 known victims in the United States, including institutions in the healthcare, education, public safety, energy and government sectors," HSI said in a press release on Thursday.
"Jointly, the groups have received more than $370 million in ransom payments, based on the current valuation of cryptocurrency. The ransomware schemes used a double-extortion strategy, encrypting victims' systems while threatening to leak the stolen data."
On July 24, the US Department of Justice confirmed that law enforcement had seized BlackSuit's dark web extortion domains, replacing the content of the gang's leak sites with seizure banners as part of a joint international action codenamed Operation Checkmate.

The cybercrime group behind these two ransomware operations emerged in January 2022 as Quantum ransomware and is believed to be the successor of the infamous Conti cybercrime syndicate. While it initially deployed encryptors from other groups (e.g., ALPHV/BlackCat), it later developed its own Zeon encryptor, rebranding as Royal ransomware in September 2022.
In June 2023, after targeting the city of Dallas, Texas, and testing a new encryptor called BlackSuit, the Royal ransomware gang switched to the BlackSuit brand.
CISA and the FBI confirmed in a joint advisory in November 2023 that Royal and BlackSuit shared similar tactics, and linked the Royal ransomware gang to attacks on over 350 organizations worldwide since September 2022, resulting in ransom demands of over $275 million.
In August 2024, a joint advisory from the two agencies confirmed that Royal ransomware had rebranded as BlackSuit and had demanded over $500 million from victims since it emerged more than two years earlier.
Chaos ransomware rebrand
Since BlackSuit's infrastructure was taken down, the Cisco Talos threat intelligence research group has found evidence suggesting that the BlackSuit ransomware gang will now rebrand itself again, as Chaos ransomware.
The cybercriminals' new ransomware-as-a-service (RaaS) operation has already been linked to double-extortion attacks in which they use voice-based social engineering to gain access and deploy an encryptor that targets both local and remote storage for maximum damage.
"Talos believes that the new Chaos ransomware is unrelated to the previous Chaos builder-generated variants, as the group uses the same name to create confusion," the researchers said.
"Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of BlackSuit (Royal) ransomware or run by some of its former members.
"This assessment is based on similarities in TTPs, including encryption commands, the theme and structure of the ransom note, and the use of LOLBins and RMM tools in their attacks."