Summary

BlackSuit is a ransomware-as-a-service (RaaS) operation that emerged in May 2023 as a rebranding of the Royal ransomware gang, itself a successor to the Conti cybercrime syndicate believed to be operated by Russian-speaking threat actors. The group employed double-extortion tactics across critical infrastructure sectors including healthcare, automotive, education, and government, compromising over 450 U.S. victims and demanding more than $500 million in ransom, primarily in Bitcoin, before international law enforcement dismantled its infrastructure in July 2025 under Operation Checkmate.

Connected Entities

1 entity
Organizations
BlackSuit
Relationships

    Timeline (10 events)

    2022-05-01

    Conti ransomware syndicate publicly dissolves following a major internal data leak; members splinter into successor groups including Quantum and Zeon.

    2022-09-01

    Royal ransomware operation begins activity, drawing membership from former Conti operators; targets U.S. critical infrastructure sectors.

    2023-05-01

    BlackSuit ransomware first observed by security researchers; payload shares significant code overlap with Royal ransomware.

    2023-11-15

    CISA and FBI issue joint advisory warning that Royal ransomware actors are testing a potential rebrand to BlackSuit.

    2024-04-17

    BlackSuit attacks Octapharma Plasma, forcing temporary closure of more than 160 blood plasma donation centers across the United States.

    2024-06-18

    BlackSuit launches ransomware attack against CDK Global, disrupting dealer management systems at approximately 15,000 North American automotive dealerships.

    2024-06-21

    On-chain analysis identifies approximately 387 Bitcoin (~$25 million) transferred to a wallet assessed to be controlled by BlackSuit, consistent with a CDK Global ransom payment.

    2024-08-07

    CISA and FBI release updated joint advisory formally confirming Royal ransomware actors have rebranded as BlackSuit; aggregate extortion demands reported to exceed $500 million.

    2025-07-24

    Operation Checkmate: U.S. DOJ, ICE HSI, FBI, Europol, and international partners seize four BlackSuit servers, nine domains, and $1,091,453 in cryptocurrency; BlackSuit's darknet leak site displays seizure banner.

    2025-08-12

    DOJ publicly announces Operation Checkmate results; former BlackSuit members assessed to have migrated to INC ransomware and Chaos ransomware successor groups.

    Provenance & Audit Trail

    Decision Log

    This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

    model: claude-sonnet

    generated: 5/4/2026, 4:04:58 PM

    last updated: 5/26/2026, 4:11:14 AM

    avoid.net — verified advice for a post-truth world