
Information revealed after the HSE attack has resulted in the disbanding of a ransomware group.

International operation focused on dismantling alleged global culprits behind severe ransomware extortion attempts


The BlackSuit Ransomware Group, a successor to the Royal Ransomware Group and Conti Ransomware Group, has been dismantled following a coordinated international law enforcement operation. The operation, led by the U.S. Department of Homeland Security’s Homeland Security Investigations (HSI), took place on July 24, 2025, and resulted in the seizure of critical infrastructure, including servers, domains, and approximately $1 million in cryptocurrency assets.

The BlackSuit Ransomware Group has been active since at least 2022, compromising over 450 known victims in sectors including healthcare, education, public safety, energy, and government across the United States. The group has extorted more than €317.2 million in ransom payments (present-day value of cryptocurrency) from its victims.

The operation notably targeted an international group responsible for "serious ransomware attacks" globally. Other agencies involved in the operation include the US Department of Homeland Security, the US Secret Service, Europol, Dutch police, German police, the UK National Crime Agency, and the Ukrainian Cyber Police, among others.

The groups employed double-extortion tactics, encrypting victims' data and threatening to leak sensitive information to coerce payments. The ransomware group's leak site displayed a seizure notice starting July 24, 2025, evidencing the takedown, although public confirmation came about two weeks later in early August.

The operation also targeted a victim negotiation site and a dark web leaks page, where the data of victims who refuse to pay a ransom is published. The incident was the largest attack on a health system in history.

While there is no explicit public record from available data of Garda National Cyber Crime Bureau involvement in this specific takedown, the case will continue to be pursued by the US Attorney’s Office for the Eastern District of Virginia and An Garda Síochána, with a focus on identifying, targeting, and disrupting organised crime groups involved in cybercrime.

The dismantling of the BlackSuit Ransomware Group came after the 2021 HSE cyberattack, which led to the shutdown of thousands of systems across Ireland and cost almost €55 million to repair. The attack was traced back to the Conti ransomware group, a predecessor of the BlackSuit Ransomware Group. Specialist gardaí gathered large amounts of intelligence on the Conti gang’s operations and tactics in the months following the attack.

The operation is a significant victory in the ongoing fight against cybercrime and serves as a reminder of the importance of international cooperation in combating these threats. An Garda Síochána will continue to work with international partners to keep people safe both on and offline.

  1. The international law enforcement operation, which resulted in the dismantling of the BlackSuit Ransomware Group, highlighted the critical role of technology in modern crime and justice, as the group had employed sophisticated tactics to extort millions from victims worldwide.
  2. The cooperative effort, comprising US authorities, Europol, Dutch police, German police, the UK National Crime Agency, Ukrainian Cyber Police, and others, brought down the BlackSuit Ransomware Group, a successor to the notorious Conti Ransomware Group, demonstrating the importance of shared cybersecurity efforts in the face of growing technology-driven cybercrime.
