Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label ICE. Show all posts
ware
ALPHV Blackcat Ransomware BlackSuit Cisco Talos Cyberhackers CyberThreat DHS ICE Ransomware ransomware-as-a-service (RaaS) Royal Ranso ware

BlackSuit Ransomware Capabilities Undermined by Targeted Server Takedown

 


With the help of U.S Immigration and Customs Enforcement's Homeland Security Investigations (HSI), as well as domestic and international law enforcement agencies, U.S Immigration and Customs Enforcement's Homeland Security Investigations has dismantled the backbone of the BlackSuit ransomware group, a decisive blow taken against transnational cybercrime. 

As a result of the coordinated action taken against the gang, servers, domains, and other digital assets vital to the gang's illicit activities were seized. There is widespread evidence that BlackSuit is the successor to the notorious Royal ransomware. It has been implicated in numerous high-impact attacks on critical sectors such as healthcare and education, public safety organisations, energy infrastructure, and government agencies, which have threatened the availability of essential services and public safety. 

Currently, the U.S. Department of Homeland Security (DHS) is examining allegations that the BlackSuit ransomware group—the successor to the Royal gang—was responsible for compromising 450 organisations across the country and extorting $370 million in ransom payments before its federal authorities took action to take the group down. 

An official at Immigration and Customs Enforcement (ICE) confirmed today that Homeland Security Investigations (HSI), in collaboration with U.S. and international law enforcement partners, had successfully dismantled the critical infrastructure supporting the organisation's operations, as part of a statement issued by the agency. 

In a coordinated action initiated by the FBI, servers, domains, and digital assets used to deliver ransomware were seized, along with the proceeds that were laundered from the extortion of victims and the deployment of ransomware on victims. This marks a significant disruption of one of the most damaging cybercriminal enterprises in recent memory. 

A multinational law enforcement effort, coordinated by U.S. and Europol officials and spanning nine countries, has struck a significant blow against the BlackSuit ransomware gang, seizing its darknet leak site and disassembling portions of its digital infrastructure, in accordance with a joint announcement on July 24, 2025. A company with roots dating back to the spring of 2023, BlackSuit stands out from the crowd due to the fact that the firm has been able to avoid the common ransomware-as-a-service model, preferring instead to keep full control of the malicious tools and infrastructure instead of licensing them out to affiliates. 

A joint advisory released in 2024 by the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) identified this group as a continuation and evolution of the Royal ransomware, which itself was associated with Conti, a notorious Russian-speaking syndicate that disbanded in the year 2022-23. There has been a calculated campaign by the BlackSuit ransomware group against organisations that range in scope from education, government, healthcare, information technology, manufacturing, and retail. 

The group used a double extortion model for extorting victims by stealing data before it was encrypted to maximise their leverage. With respect to Windows and Linux environments, the gang exploited VMware ESXi servers, encrypting files over a wide area within accessible drives, hindering recovery efforts, and issuing ransom notes that direct victims to the Tor network for communication. As part of its operations, the group targeted small and medium-sized businesses, as well as large enterprises.

According to the US authorities, they had demanded at least $500 million in ransom payments by August 2024, ranging from $1 million to $60 million for individual demands. Approximately the same time as the leak site of the Cisco Talos network was seized, cybersecurity researchers from Cisco Talos released an analysis of Chaos ransomware - the first to be observed in early 2025. This ransomware is likely to be a successor to BlackSuit, according to Cisco Talos researchers. 

A string of high-profile ransomware attacks, including those perpetrated by BlackSuit and its predecessor, Royal, caused extensive disruptions as well as financial losses. A crippling attack on the city of Dallas led to heightened law enforcement interest in this group. The attack disrupted emergency services, court operations, and municipal systems in the city. Several U.S. schools, colleges, major corporations, and local governments were the victims of this attack, including Japan's publishing giant Kadokawa and the Tampa Bay Zoo. 

During April 2024, the gang claimed responsibility for an attack on Octapharma, a blood plasma collection company that caused the temporary closure of nearly 200 collection centres across the country, according to the American Hospital Association. In an effort led by Europol to target Royal and BlackSuit, Operation Checkmate was a key component of the effort, which Bitdefender called a milestone in the fight against organised cybercrime by marking the group's dismantling as one of the largest achievements to date. 

Even though the takedown has been described as a “critical blow” to the group’s infrastructure, U.S. Secret Service Special Agent in Charge William Mancino said that the group has re-surfaced under the Chaos ransomware name, displaying striking similarities in the encryption methods, ransom note formatting, and attack tools. However, Cisco Talos analysts reported resurfacing with elements of the gang under the Chaos ransomware name after the operation.

In addition, the Department of Justice announced that $2.4 million in cryptocurrency has been confiscated from an address allegedly linked to a Chaos member known as Hors, who has been implicated in ransomware attacks in Texas and other countries. BlackSuit's servers have been effectively disabled by the operation, effectively stopping it from functioning, according to experts confirmed by the operation. 

There were 184 victims of the group worldwide, including several Germans, whose data was published on a dark web leak site to pressure victims into paying ransoms, which the group claimed to have killed. At the time that this report was written, the site was no longer accessible, instead showing a seizure notice stating that the site had been taken down following an international law enforcement investigation coordinated by the organisation. It has been confirmed by German authorities that the effort was carried out with the support of ICE's Homeland Security Investigations unit as well as Europol, although ICE representatives declined to comment on this matter. 

The seizure of the drugs was reported earlier in the week by officials, but no arrests have yet been confirmed as a result. As of late, BlackSuit has emerged as one of the largest ransomware operations in the United States, having struck major U.S. cities like Dallas and targeting organisations from several industries, including manufacturing, communications, and healthcare. 

Cisco Talos cybersecurity researchers have discovered that after blackSuit's infrastructure was dismantled, it was found that the ransomware group likely rebranded itself as Chaos ransomware after dismantling its infrastructure. Several cases of newly emerging ransomware-as-a-service (RaaS) operations have been associated with distinct double-extortion strategies, combining voice-based social engineering to gain access to targets, followed by deploying an encryptor to target both local and remote storage to create maximum impact.

In a report by the Talos security group, the current Chaos ransomware is not related to earlier Chaos variants, and there are rumours that the group adopted the name to create confusion among victims. Several researchers have analysed the operation and assessed it as either a direct rebranding of BlackSuit (formerly Royal ransomware) or as run by former members of the organisation with moderate confidence. 

According to their findings, there are similarities between tactics, techniques, and procedures, from encrypted commands and ransom notes to the use of LOLbins and remote monitoring and management tools. It is believed that BlackSuit's origins can be traced back to the Conti ransomware group, which was fractured in 2022 after its internal communications were leaked. 

After the Russian-speaking syndicate splintered into three factions, the first was Zeon, the second was Black Basta, the third was Quantum, but by 2024, they had adopted the BlackSuit name after rebranding themselves as Royal. Among the most significant developments in the Russian-language ransomware ecosystem is the rise of the INC collective, which has been dubbed the "granddaddy of ransomware" by cybersecurity researcher Boguslavskiy. There is concern that BlackSuit will increase its dependency on INC's infrastructure as a result of INC's growth. 

According to reports, the syndicate has about 40 members and is led by a person who is referred to as "Stern", who has forged extensive alliances, creating a decentralised network with operational ties to groups such as Akira, ALPHV, REvil, and Hive, among others. In terms of Russian-speaking ransomware collectives, LockBit Inc. is presently ranked as the second biggest, only being surpassed by DragonForce. 

There is no doubt that the takedown of BlackSuit marks a decisive moment in the fight against ransomware syndicates as it represents the disruption of a prolific and financially destructive cybercrime operation. Although analysts warn that the seizure of infrastructure, cryptocurrency, and dark web platforms might have been a tangible setback for these groups, they have historically shown they can reorganise, rebrand, and adapt their tactics when they are under pressure from law enforcement. 

It is evident that Chaos ransomware, which employs sophisticated extortion techniques as well as targeted exploitation of both local and remote systems, has demonstrated the persistence of this threat, as well as the adaptability of its operators. Experts point out that the operation's success is a reflection of unprecedented international coordination, which combines investigative expertise, intelligence sharing, and cyber forensics across multiple jurisdictions to achieve unprecedented success. 

In today's world, a collaborative model has become increasingly crucial for dismantling decentralised ransomware networks that span borders, rely on anonymising technologies to avoid detection, and use decentralised methods of evading detection. Cybersecurity researchers note that the BlackSuit case highlights how deeply connected Russian-speaking ransomware groups are, with many of them sharing tools, infrastructure, and operational methods, making them more resilient and also making them easier to trace when global enforcement efforts are aligned. 

There is no doubt that the BlackSuit takedown serves as both a victory and a warning for governments, industries, and cybersecurity professionals alike—demonstrating how effective sustained, multinational countermeasures are, but also demonstrating the importance of maintaining vigilance against the rapid reemergence of threat actors in new identities that can happen any time. 

Despite law enforcement agencies' attempts to track the remnants of BlackSuit through the lens of Chaos ransomware and beyond, the case serves as a reminder that, when it comes to cybercrime, it is quite common for one operation to end, only for another to begin some weeks later.
Read more »
USA
Data collection ICE passenger information Privacy USA

U.S. Homeland Security Reportedly Buys Airline Passenger Data from Private Brokers

 



In the digital world where personal privacy is increasingly at risk, it has now come to light that the U.S. government has been quietly purchasing airline passenger information without public knowledge.

A recent report by Wired revealed that the U.S. Customs and Border Protection (CBP), which operates under the Department of Homeland Security (DHS), has been buying large amounts of flight data from the Airlines Reporting Corporation (ARC). This organization, which handles airline ticketing systems and works closely with travel agencies, reportedly provided CBP with sensitive passenger details such as names, full travel routes, and payment information.

ARC plays a critical role in managing airfare transactions worldwide, with about 240 airlines using its services. These include some of the biggest names in air travel, both in the U.S. and internationally.

Documents reviewed by Wired suggest that this agreement between CBP and ARC began in June 2024 and is still active. The data collection reportedly includes more than a billion flight records, covering trips already taken as well as future travel plans. Importantly, this data is not limited to U.S. citizens but includes travelers from around the globe.

What has raised serious concerns is that this information is being shared in bulk with U.S. government agencies, who can then use it to track individuals’ travel patterns and payment methods. According to Wired, the contract even required that the government agencies keep the source of the data hidden.

It’s important to note that the issue of airline passenger data being shared with the government was first highlighted in June 2024 by Frommer's, which referenced a related deal involving Immigration and Customs Enforcement (ICE). This earlier case was investigated by The Lever.

According to the privacy assessment reports reviewed, most of the data being purchased by CBP relates to tickets booked through third-party platforms like Expedia or other travel websites. There is no public confirmation yet on whether tickets bought directly from airline websites are also being shared through other means.

The U.S. government has reportedly justified this data collection as part of efforts to assist law enforcement in identifying individuals of interest based on their domestic air travel records.

When contacted by news organizations, including USA Today, both ARC and CBP did not provide any official responses regarding these reports.

The revelations have sparked public debate around digital privacy and the growing practice of companies selling consumer data to government bodies. The full scale of these practices, and whether more such agreements exist, remains unclear at this time.

Read more »
Online Safety
Cyber Security Cyber websites CyberCrime CyberThreat ICE Online Safety

ICE Expands Online Surveillance With Tool Tracking 200+ Websites

 


To ensure the safety of citizens throughout the world, and to enforce immigration laws, the Department of Homeland Security and Immigration and Customs Enforcement (ICE) have always relied heavily on social media monitoring as an essential component of their respective operations. As an integral part of the agency's “enhanced screening” protocols, which are applied to foreign nationals upon their arrival in the United States, such monitoring has been an integral part of the agency's programs for several years. 

In addition to enforcing the protocols at borders and international airports, even visitors who are visiting the country for a limited period are subject to them. As part of its extensive surveillance efforts, ICE has utilized a range of technological tools. These techniques include purchasing location information from third-party data brokers, accessing utility bill databases, and utilizing other information sources to track undocumented immigrants. 

In addition to gathering vast amounts of personal information, these methods enable the agency to conduct enforcement activities that are aimed at improving the quality of life of Americans. Recent developments have shown that ICE has adopted a new, advanced surveillance tool that is capable of continuously gathering, organizing, and analyzing information from various online platforms. As reported by Joseph Cox for 404 Media, this tool combines data from several social media services and websites to expand the capability of ICE in terms of digital surveillance.

In the course of implementing this technology, Immigration and Customs Enforcement (ICE) is taking steps to improve its monitoring and data-gathering strategies in response to the threat that the agency is facing. The agency is preparing to expand its efforts to monitor and analyze online discourse as part of its digital surveillance efforts. These initiatives will be focused on individuals who are expressing negative opinions about the agency or making threats against its personnel. 

A recent request for information issued by ICE in November called for private sector companies that can improve the organization's monitoring capabilities to aid it in countering an increasing number of external threats, which are being spread through social media and other online platforms. As part of its 15-page statement outlining its objectives, the agency detailed the requirements for a specialized contractor to conduct extensive online monitoring as part of their monitoring efforts. 

In order to identify potential risks, it would be the responsibility of the selected entity to scan social media networks, publicly accessible online databases, the deep web, and the dark web. As part of ICE's efforts to pinpoint and assess potential threats, it has specified the need for advanced analytical tools such as geolocation tracking, psychological profiling, and facial recognition to assist in this process. These increased monitoring efforts have resulted in increased scrutiny of individuals who have consistently made negative statements about ICE or who have mentioned specific immigration enforcement personnel on social media. 

Through this initiative, the agency is showing its commitment to strengthening its security measures through enhanced digital surveillance and intelligence collection techniques. It was in November, just after Trump's electoral victory, when Immigration and Customs Enforcement (ICE) announced multiple solicitations on federal procurement websites, seeking contractors for enhancing, upgrading, and expanding its technological capabilities so that it can better track, monitor, and monitor noncitizens. 

Trump's administration has been supporting the ICE agency despite its history of violating human rights, mistreating its detainees, and committing misconduct within its detention facilities and deportation operations. In his campaign, Trump promised that he would implement large-scale deportations, which he promptly carried out during his presidency. His administration took action within a couple of days after taking office by authorizing nationwide immigration enforcement operations, robbing ICE of restrictions on its activities in sensitive locations, including schools, hospitals, and places of worship. This policy shift enabled the department to take effective action against immigration violations everywhere. 

There was also the passage of the Laken Riley Act during the same time these measures were taking place, which gave ICE the authority to deport individuals convicted of minor offences, such as shoplifting, regardless of whether conviction had been obtained or not. As a result of bipartisan support, ten senators and 48 members of the House of Representatives voted in favour of this legislation, which has been criticized for undermining due process rights. As ICE is poised to expand its surveillance apparatus, policy changes are not the only factor driving it. 

Additionally, private contractors have financial interests that are influenced by these entities as they strive to maximize profits. These entities are motivated by profit and wish to broaden enforcement mechanisms, which in turn increases the number of people being monitored and detained. A growing anti-immigrant sentiment has sparked concern among advocacy organizations and civil society organizations about the protection of immigrant communities in the United States. 

A growing number of activists and civil society groups are now focusing on exposing and challenging the growing surveillance infrastructure, a system that has been built over the past decade, and which is being reinforced by an administration that has used incendiary rhetoric against immigrants and activists, calling them threats to the country. ICE’s Expanding Surveillance Network and Private Sector Involvement The growth of electronic monitoring within immigration enforcement has made BI Inc., an organization that has a $2.2 billion contract with Immigration and Customs Enforcement (ICE) that is set to expire in July, one of the major beneficiaries of the expansion of electronic monitoring. 

The BI Inc., as the only provider of electronic monitoring devices for ICE, has a crucial role to play in implementing the agency’s surveillance programs as its exclusive provider of electronic monitoring devices. This company is owned and operated by a subsidiary of the GEO Group, the world's largest private prison corporation. They operate multiple immigration detention facilities that are contracted by the Department of Immigration and the Department of Homeland Security. Geo Group's involvement in political financing has also been heavily emphasized, with $3.4 million contributed to political campaigns in 2024 by Geo Group, of which $3.4 million went to the Make America Great Again super PAC. 

Last year, the company also spent $1.03 million on lobbying activities, directing a substantial amount ($340,000) in favour of policies that relate to immigration enforcement and alternatives to detention, a sector in which BI Inc. has long held a dominant position. Legal Challenges and Privacy Concerns Surrounding ISAP There have been several advocacy groups that are urging more transparency regarding ICE's Intensive Supervision Appearance Program (ISAP), which uses electronic surveillance rather than detention facilities to place immigrants under electronic surveillance. These groups include Just Futures Law, Mijente, and Community Justice Exchange. 

There have been some organizations that have sued ICE to obtain information regarding the type of data collected and the way it is used, but after examining the agency's response to these questions, they concluded in 2023 that the agency had not provided adequate assurances regarding the protection of data and privacy in ISAP. ICE’s Use of Facial Recognition Technology ICE has been using facial recognition software since 2020. 

They contracted Clearview AI, which is famous for scraping images from social networks and the internet without the consent of the individuals involved. By matching this data to names and cross-referencing it with law enforcement databases, the police can identify individuals suspected of crime. As a result of Clearview AI's practices being questioned in multiple jurisdictions, the EU has imposed a ban on its operations in the EU due to violations of the General Data Protection Regulations (GDPR), which govern data collection and use. 

Numerous lawsuits have been filed against the company claiming that the company has engaged in unlawful surveillance practices in the United States. A $2.3 million contract with Clearview AI ended in September 2023, and it has not yet been decided whether or not the agency has renewed the contract or will continue to utilize the software in another manner. Moreover, Clearview AI has not only been in legal battles, but has also been actively lobbying against legislation that would regulate both its operation and the operation of data brokers as well. 

Growing Concerns Over ICE’s Surveillance Expansion With the increasing use of electronic monitoring and facial recognition technology by ICE, concerns remain regarding privacy violations, data security, and ethical implications that are associated with these technologies as they continue to expand their surveillance infrastructure. It is important to note that the agency relies on private companies with vested financial interests, which further emphasizes the complexity of immigration enforcement and civil liberties in a digital age.
Read more »
Subscribe to: Posts (Atom)