Executive Summary and Group Overview
Royal, BlackSuit, and the 2025 Chaos RaaS represent a single, continuous threat lineage originating from within the Conti organization. First emerging as Royal in September 2022 following Conti's dissolution, the group operated as a private, closed ransomware operation targeting US critical infrastructure, healthcare, municipalities, and manufacturing. It rebranded as BlackSuit in May 2023, retaining core operators, tooling, and the signature "security test" extortion narrative. Following Operation Checkmate (July 2025), in which international law enforcement seized the group's infrastructure and approximately $1.09 million in laundered Bitcoin, Cisco Talos assessed with moderate confidence that BlackSuit rebranded again as the Chaos RaaS, which emerged in February 2025 and remains active.
The group collectively demanded more than $500 million in ransom across the Royal and BlackSuit periods (FBI/CISA advisory). No arrests or indictments have been made public. The Chaos rebrand marks a structural shift from a private operation to a full Ransomware-as-a-Service model with open affiliate recruitment on the RAMP forum.
| Attribute | Detail |
|---|---|
| Tracking aliases (CrowdStrike) | ROYAL SPIDER (covers Royal, BlackSuit, and Chaos/BlackChaos). Parent Conti entity: Wizard Spider (not a group-specific designation for this lineage). |
| Tracking aliases (Secureworks) | GOLD SOUVENIR (covers Royal and BlackSuit). Parent Conti entity: Gold Ulrick (not group-specific). |
| Tracking aliases (Unit 42) | Ignoble Scorpius (BlackSuit-specific; Royal tracked separately under "Royal ransomware" threat assessment). |
| Tracking aliases (CISA/FBI) | "BlackSuit (Royal)" as unified lineage designation in joint advisory (August 2024 update). |
| Tracking aliases (Cisco Talos) | "Chaos ransomware RaaS group" (Chaos-specific; distinct from earlier Chaos builder families). |
| Tracking aliases (HHS HC3) | Separate analyst notes: "Royal ransomware" and "BlackSuit ransomware" published individually. |
| Operational model | Royal/BlackSuit: Private closed operation, no open RaaS. Chaos: Full RaaS with affiliate recruitment on RAMP forum. |
| Extortion mechanic | Royal/BlackSuit: Double extortion (encryption + data publication threat). Chaos: Triple extortion (encryption + data theft + DDoS threat). |
| Assessed jurisdiction | Russia / CIS (CREDIBLE; no confirmed formal state nexus). |
| LE disruption status | Operation Checkmate (July 24, 2025): 4 servers, 9 domains seized; $1,091,453 BTC seized. No arrests or indictments. |
| Decryptor availability | None publicly available for Royal, BlackSuit, or the 2025 Chaos RaaS as of May 2026. Note: older Chaos builder-family decryptors do not apply (different codebase). |
Lineage and Organizational Heritage
The Royal/BlackSuit/Chaos cluster is assessed as one of the primary successor operations to the Conti organization, specifically linked to what Bitdefender and TrustedInternet characterize as Conti Team One, a specialized sub-unit within the Conti hierarchy. The lineage spans four named iterations across approximately four years of operation.
| Name | Period | Victims | Model | Status |
|---|---|---|---|---|
| Royal | Sep 2022 – Jul 2023 | ~123 | Private closed operation | Superseded by BlackSuit |
| BlackSuit | May 2023 – Jul 2025 | 185+ | Private closed operation | Disrupted; assessed rebranded as Chaos |
| Chaos (2025 RaaS) | Feb 2025 – present | Ongoing | Full RaaS, open affiliates (RAMP) | Active as of mid-2026 |
| Vendor | Parent Conti Designation | Royal/BlackSuit/Chaos Designation | Coverage Notes |
|---|---|---|---|
| CrowdStrike | Wizard Spider | ROYAL SPIDER | Covers Royal, BlackSuit, and BlackChaos/Chaos as a single adversary |
| Secureworks CTU | Gold Ulrick | GOLD SOUVENIR | Covers Royal and BlackSuit; high-confidence rebrand assessment published |
| Palo Alto Unit 42 | (Not separately designated) | Ignoble Scorpius | BlackSuit-specific; Royal tracked under separate "Royal ransomware" threat assessment |
| CISA / FBI | (Not applicable) | "BlackSuit (Royal)" | Unified designation in August 2024 joint advisory |
| Cisco Talos | (Not applicable) | "Chaos ransomware RaaS group" | Chaos-specific; explicitly separates from earlier Chaos builder families |
| HHS HC3 | (Not applicable) | Separate notes for "Royal ransomware" and "BlackSuit ransomware" | Healthcare sector focus; published individually |
Operational Model
Royal operated as a closed, private group rather than a public RaaS. Affiliate access, if any, was by invitation only with no open forum recruitment. The group maintained deliberate operational opacity, explicitly avoiding public advertising after observing how Conti's public profile contributed to its downfall through the 2022 chat leaks.
- Extortion model: Double extortion (encryption + data publication threat). Leak site operated on Tor. Data published when negotiations failed.
- Ransom demands: Low to mid-millions USD for large organizations; significant flexibility documented in negotiations with 50-80% reductions observed.
- Negotiation framing: Presented intrusion as a "security test" and offered a "security report" as part of the payment package. Tor-based contact portals only.
- Communication: Ransom notes delivered personally; no public social media or forum presence. Victims instructed to use Tor-based chat or encrypted email.
BlackSuit maintained Royal's private, non-public operational model while expanding victim volume significantly (123 to 185+ across the transition). Unit 42 and HHS HC3 both confirm BlackSuit operated without open affiliates. Bitdefender notes the group developed "experienced in-house teams" to assess victim revenue as part of structured target selection.
- Demands: Hundreds of thousands to multiple millions USD. Some individual payments exceeded $2 million (Bitdefender). Total demands across both eras exceeded $500 million (FBI/CISA advisory).
- Extortion escalation: Beyond data publication, BlackSuit threatened to contact regulators, media, customers, and victim employees to amplify pressure. LinkedIn pages for victim contacts were posted on the DLS.
- Post-payment breach: In at least one late 2024 case, BlackSuit leaked victim data after receiving nearly $3 million in payment, a significant violation of the implicit contract that drives ransomware negotiations.
- Ransom note (confirmed text excerpt): "Good whatever time of day it is! Your safety service did a really poor job of protecting your files against our professionals. Extortioner named BlackSuit has attacked your system..."
Chaos represents a structural shift from the group's prior private model to a public Ransomware-as-a-Service offering advertised on the RAMP forum. This transition mirrors the pattern observed across other post-disruption Conti-lineage operations.
- Triple extortion: Encryption plus data theft plus active DDoS threat. Chaos explicitly introduced a "reward vs. punishment" framing in ransom notes: additional benefits for rapid payment, escalating consequences (DDoS, competitor/client notification) for non-payment.
- Affiliate exclusions (claimed, not verified): Chaos forum advertisements claim no operations in BRICS/CIS countries and exclusion of hospitals and government. The victim list, which includes the Salvation Army (a charity), undercuts adherence to the stated ethics code. Treat these as policy claims, not confirmed binary kill-switch behavior.
- Revenue split: Not publicly confirmed. Standard RaaS model assumed; specific percentages not disclosed in open sources (Talos).
Technical Capabilities
| Variant | Era | Extension | Platforms | Key Notes |
|---|---|---|---|---|
| Royal | Sep 2022–Jul 2023 | .royal | Windows (primary) | AES + RSA-protected keys; partial encryption via -ep flag; multi-threaded; ".blacksuit" extension observed in pre-rebrand test binaries |
| BlackSuit (Windows) | May 2023–Jul 2025 | .blacksuit | Windows | Inherits Royal partial-encryption logic; vssadmin.exe for VSS deletion; readme.BlackSuit.txt ransom note; appends extension after encryption |
| BlackSuit (ESXi/Linux) | 2023–2025 | .blacksuit | VMware ESXi, Linux | Targets virtual infrastructure; ESXi-specific binary; explicit hypervisor attack capability |
| Chaos-C++ | Feb 2025+ | .chaos | Windows, ESXi, Linux, NAS | Partial multi-threaded encryption; clipboard hijacker; destructive behaviors; "lkey", "encrypt_step", "kill_vms" config parameters |
| Mad Cat | 2025 | Varies | Windows | Chaos variant; anti-sandbox behavior; Tinexta analysis published March 2025 |
| Vector | Group(s) | Notes |
|---|---|---|
| Phishing / malicious PDFs | Royal, BlackSuit | Malicious PDF attachments in phishing emails; also malvertising campaigns delivering initial payloads (CISA advisory) |
| Malicious installer (fake Zoom) | BlackSuit | Fake Zoom installers delivering RAT and subsequent BlackSuit payload (DFIR Report, March 2025) |
| RDP exploitation | Royal, BlackSuit | Stolen or brute-forced RDP credentials used for initial entry |
| Public-facing application weaknesses | Royal, BlackSuit | Exploitation of vulnerable edge services; specific CVEs vary by incident |
| VPN credential abuse | Royal, BlackSuit | Phishing-delivered credentials or purchased access; consistent with Conti-lineage preference |
| Vishing (voice phishing) | Chaos | Spam email prompts victim to call a number; actor impersonates IT staff; victim guided to enable Microsoft Quick Assist or AnyDesk; actor gains remote control and deploys tools |
| Phase | Tools / Methods | Group(s) |
|---|---|---|
| Discovery / Recon | SharpShares, SoftPerfect NetWorx, SoftPerfect NetScan, network enumeration via net.exe | Royal, BlackSuit |
| Credential Access | LSASS harvesting; Cobalt Strike credential modules; Gozi (infostealer) | BlackSuit |
| Persistence | SystemBC (registry modification, scheduled tasks); RMM tools installed as services | BlackSuit |
| Lateral Movement | SMB with valid admin accounts, PsExec, domain controller access; AnyDesk/ScreenConnect post-exploitation | Royal, BlackSuit, Chaos |
| Remote Access / C2 | AnyDesk, ScreenConnect, TeamViewer, Cobalt Strike beacons; Chaos actors reset domain user passwords via net.exe, deleted PowerShell logs, and removed MFA/security apps | All |
| Exfiltration | RClone, Brute Ratel, Cobalt Strike; staging to remote servers | BlackSuit, Chaos |
| Defense Evasion | PowerShell log deletion; MFA application removal; .bat file privilege escalation scripts; VSS deletion via vssadmin.exe | BlackSuit, Chaos |
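Detection logic for several of the hands-on-keyboard behaviors in the table above (VSS deletion via vssadmin.exe, PowerShell log deletion, net.exe domain password resets, RMM tools installed as services, RClone exfiltration), written as an added example rather than any vendor's or the group's own code. The events are constructed process-creation records, and the tool names the page does not mention (wevtutil.exe for log clearing, sc.exe for service creation) are assumptions about how those behaviors commonly appear in telemetry.

```python
"""Rule-plus-correlation detector for the pre-encryption TTPs described above.
Events are simplified process-creation records; the sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule: (name, image-name regex, command-line regex), matched case-insensitively.
# wevtutil.exe and sc.exe are assumptions: the page names the behavior, not the tool.
RULES = [
    ("vss_deletion", r"vssadmin\.exe$", r"\bdelete\s+shadows\b"),
    ("powershell_log_clear", r"wevtutil\.exe$", r"\bcl\b.*powershell"),
    # "net user <name> <password> /domain" sets a password; a bare
    # "net user <name> /domain" only queries it, so require two arguments.
    ("domain_password_reset", r"net1?\.exe$", r"\buser\s+\S+\s+\S+\s+/domain\b"),
    ("rmm_installed_as_service", r"sc\.exe$", r"\bcreate\b.*(anydesk|screenconnect|teamviewer)"),
    # rclone remotes are written "name:path"; require it after the local source path.
    ("rclone_exfil", r"rclone(\.exe)?$", r"\b(copy|sync|move)\b\s+\S+\s+[^\s:\\]+:"),
]
COMPILED = [(n, re.compile(i, re.I), re.compile(c, re.I)) for n, i, c in RULES]

def match_event(event):
    """Return the names of all rules a single event triggers."""
    hits = []
    for name, image_re, cmd_re in COMPILED:
        if image_re.search(event["image"]) and cmd_re.search(event["cmdline"]):
            hits.append(name)
    return hits

def correlate(events, window=timedelta(minutes=30), min_distinct=2):
    """Flag hosts where at least `min_distinct` different rules fired within `window`.
    One hit is often routine administration; several in a short span on one host
    look like the pre-encryption phase described above."""
    per_host = defaultdict(list)
    for ev in events:
        for rule in match_event(ev):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), rule))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            rules = {r for t, r in hits[i:] if t - t0 <= window}
            if len(rules) >= min_distinct:
                flagged[host] = sorted(rules)
                break
    return flagged

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T02:10:00", "host": "FS01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user svc_backup /domain"},                        # query only: benign
    {"ts": "2025-03-01T02:11:30", "host": "FS01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user jsmith Str0ngPass!2025 /domain"},            # password reset
    {"ts": "2025-03-01T02:14:05", "host": "FS01", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": 'wevtutil cl "Microsoft-Windows-PowerShell/Operational"'},
    {"ts": "2025-03-01T02:20:44", "host": "FS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-03-01T09:00:00", "host": "WS17", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                              # listing: benign
    {"ts": "2025-03-02T23:40:00", "host": "WS17", "image": r"C:\Tools\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance mega:staging --transfers 32"},
]

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: probable pre-encryption activity ({', '.join(rules)})")
```

With the sample, FS01 is flagged on three distinct rules inside 30 minutes, while the lone rclone hit on WS17 stays a single-rule finding for analyst triage.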
Royal: Hybrid encryption combining strong symmetric encryption (AES) for file content with asymmetric RSA protection for keys. Partial encryption is configurable via the "-ep" flag (encryption percentage per file), enabling fast processing of large files. Selective targeting by file type and directory, with option to skip specified paths. Multi-threaded execution.
BlackSuit: Inherits Royal's partial-encryption architecture with renamed parameters. ".blacksuit" extension appended to encrypted files. Volume Shadow Copies deleted via vssadmin.exe. ESXi Linux variant targets virtual disk files on VMware hypervisors. No publicly available decryptor.
Chaos: Uses a 32-byte "lkey" symmetric key; "encrypt_step" controls the size of encrypted segments within each file (partial encryption for speed); "kill_vms" parameter stops running virtual machines before encrypting their disk files, analogous to BlackSuit's "stopvm." The Chaos-C++ variant adds a clipboard hijacker and destructive payload options beyond standard ransomware behavior. Cross-platform encryptors for Windows, ESXi, Linux, and NAS are offered as a core RaaS selling point.
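The partial-encryption behavior described for Royal's "-ep" percentage and Chaos' "encrypt_step" has a detection consequence worth showing: most of a large file stays in clear text, so a whole-file entropy check can miss it, while scanning fixed-size segments exposes the alternating pattern. The following is an added example, not code from the page or from the group; the "encrypted" file is constructed by replacing segments with seeded random bytes as a stand-in for ciphertext, and the segment layout (first `step` bytes of every `period`) is an assumption, since the page does not document the real layout.

```python
"""Segment-level entropy scan for partially encrypted files.
The sample file is constructed: plaintext with segments overwritten by seeded
random bytes to stand in for ciphertext. No cipher is implemented here."""
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum (uniformly random data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def simulate_partial_encryption(plaintext: bytes, step: int, period: int, seed: int = 1) -> bytes:
    """Constructed stand-in for partial encryption: overwrite the first `step` bytes
    of every `period`-byte block with random bytes. The real encrypt_step layout is
    assumed, not taken from the page; only the 'encrypted segment, skipped gap'
    shape matters for the detection point."""
    rng = random.Random(seed)
    out = bytearray(plaintext)
    for start in range(0, len(out), period):
        end = min(start + step, len(out))
        out[start:end] = rng.randbytes(end - start)
    return bytes(out)

def scan_segments(data: bytes, segment: int, threshold: float = 7.5):
    """Offsets of segments whose entropy exceeds `threshold`. Segments that straddle
    an encrypted/clear boundary score lower, so the threshold and segment size
    should be tuned against the expected encrypted-segment size."""
    return [i for i in range(0, len(data), segment)
            if shannon_entropy(data[i:i + segment]) > threshold]

def assess(data: bytes, segment: int = 4096, threshold: float = 7.5):
    """Whole-file entropy versus segment-level findings for one file."""
    flagged = scan_segments(data, segment, threshold)
    total = math.ceil(len(data) / segment)
    return {
        "whole_file_entropy": round(shannon_entropy(data), 2),
        "flagged_segments": len(flagged),
        "total_segments": total,
        # some, but not all, segments random-looking: the partial-encryption signature
        "partially_encrypted": 0 < len(flagged) < total,
    }

# Constructed sample: 64 KiB of repetitive text, 4 KiB "encrypted" out of every 16 KiB.
PLAINTEXT = (b"The quick brown fox jumps over the lazy dog. " * 2000)[:65536]
SAMPLE = simulate_partial_encryption(PLAINTEXT, step=4096, period=16384)

if __name__ == "__main__":
    print("plaintext:", assess(PLAINTEXT))
    print("partially encrypted:", assess(SAMPLE))
```

On the sample, only a quarter of the segments are flagged, while the whole-file entropy stays well below the level a naive "encrypted file" heuristic would look for.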
Royal and BlackSuit are reported to implement locale or keyboard-layout checks consistent with Conti-lineage CIS-avoidance conventions, exiting when Russian or related CIS keyboard layouts are detected. Binary-level confirmation is limited in open public technical write-ups; the behavior is inferred primarily from operational absence of CIS victims.
Chaos forum advertisements explicitly claim no operations in BRICS/CIS countries, but binary-level enforcement via locale checks has not been consistently confirmed in open publications. Treat as a stated policy claim rather than a proven technical kill-switch.
Financial Infrastructure
Royal, BlackSuit, and Chaos all demand payment in Bitcoin (BTC) as the primary instrument. Victims access payment portals via Tor-based links embedded in ransom notes. Royal specifically required victims to access a darknet website for payment processing (per DOJ charging documents). Some flexibility toward privacy coins (Monero) has been reported in individual negotiations, though documented cases focus on BTC addresses.
Each victim is assigned a unique BTC deposit address, enabling the operators to track individual payments and attribute them to specific victims during the decryption-key release process. Per-victim address generation is standard Conti-lineage practice and complicates attribution-by-wallet without comprehensive blockchain forensic tooling.
No specific OFAC designation has been issued for Royal, BlackSuit, or Chaos wallets or operators as of May 2026. However, US agencies treat payments to any Conti-lineage actor as existing within a sanctions-risk context given OFAC's prior designations of Conti-linked wallet infrastructure. Organizations that pay ransoms to Royal/BlackSuit/Chaos affiliates are advised to seek OFAC compliance guidance prior to payment.
Blockchain forensics firm assessments: TRM Labs and Chainalysis have published broadly on Conti-lineage financial flows, but group-specific detailed wallet cluster maps for Royal/BlackSuit/Chaos are not widely available in open-source publications. The Operation Checkmate seizure represents the first confirmed public on-chain trace and asset recovery for this lineage.
Victim Profile and Targeting
| Sector | Period | Confidence | Notes |
|---|---|---|---|
| Manufacturing | BlackSuit (primary) | CONFIRMED | Largest single BlackSuit sector per Bitdefender. High revenue and operational sensitivity drive targeting. |
| Healthcare / Public Health | Royal, BlackSuit | CONFIRMED | HHS HC3 issued dedicated analyst notes for both Royal and BlackSuit targeting healthcare organizations. Critical sector per CISA advisory. |
| Education / Research | BlackSuit (primary) | CONFIRMED | Second-largest BlackSuit sector per Bitdefender. |
| Construction | BlackSuit | CONFIRMED | Significant victim count; Unit 42 notes construction as one of top two industries for Ignoble Scorpius (alongside manufacturing). |
| Government / Municipalities | Royal (primary) | CONFIRMED | City of Dallas (2023) is most prominent named victim. Critical government facilities sector explicitly cited in CISA advisory. |
| Retail / Consumer | BlackSuit | CREDIBLE | CDK Global (software vendor to automotive dealers) breach affected 950,000 individuals. |
| Charity / NGO | Chaos | CREDIBLE | Salvation Army targeted by Chaos RaaS, contradicting stated exclusion of humanitarian organizations. |
| Tax / Financial Services | Chaos | CREDIBLE | Optima Tax Relief (69 GB data stolen). |
The group is heavily US-focused across all three iterations. Bitdefender documented that the majority of BlackSuit victims were US-based, with secondary clusters in Great Britain, Canada, Belgium, and Spain. Chaos victims have been identified in the US, UK, New Zealand, and India. No CIS-region victims have been documented in open sources for any named iteration.
| Victim | Group | Sector | Notes |
|---|---|---|---|
| City of Dallas, Texas | Royal | Government / Municipality | 2023; major US municipal disruption; city systems and 911 dispatch affected; extensively covered in vendor reporting |
| CDK Global (software vendor) | BlackSuit | Technology / Automotive | Data of 950,000 individuals stolen; major downstream impact on US automotive dealerships |
| Optima Tax Relief | Chaos | Financial Services | 69 GB data allegedly exfiltrated; listed on Chaos DLS (Talos reporting) |
| Salvation Army | Chaos | Charity / NGO | Targeted despite Chaos' stated exclusion of humanitarian organizations; undermines claimed ethics code |
| [Named victim, $3M ransom] | BlackSuit | Unknown | Bitdefender: victim paid nearly $3M ransom; data leaked anyway. Demonstrates group's willingness to breach negotiated agreements. |
All three iterations prioritize big-game hunting: medium-to-large enterprises and public-sector organizations with high operational disruption sensitivity, significant cyber insurance coverage, and revenue profiles that justify multi-million dollar demands. BlackSuit maintained a structured process to assess victim revenue before setting demands, per Bitdefender analysis.
The Chaos RaaS model introduces affiliate heterogeneity that may produce a wider victim-size distribution over time, consistent with how other Conti-lineage groups (Akira, BlackBasta) expanded victim breadth after shifting to a RaaS structure.
Law Enforcement and Regulatory Response
| Attribute | Detail |
|---|---|
| Operation name | Operation Checkmate |
| Execution date | July 24, 2025 (infrastructure seized); August 11, 2025 (DOJ formal announcement) |
| Assets seized | 4 servers; 9 domains (data leak site and negotiation portals); $1,091,453 in BTC |
| Lead US agency | DHS Homeland Security Investigations (HSI), Washington D.C. field office |
| Additional US agencies | US Secret Service (Criminal Investigative Division); IRS Criminal Investigation (Washington D.C. Cyber Crimes Unit); FBI |
| International partners | UK National Crime Agency; UK Northwest Regional Organized Crime Unit; Germany Landeskriminalamt Niedersachsen; Ireland An Garda Síochána – Garda National Cyber Crime Bureau; France Office Anti-Cybercriminalité; Canada Royal Canadian Mounted Police + Delta Police Department; Ukraine National Police Cyber Police Department; Lithuania Criminal Police Bureau |
| Private sector assist | Bitdefender (Draco Team; provided expert technical assistance) |
| Legal team (US) | AUSA Laura D. Withers (EDVA); Trial Attorney Jacques Singer-Emery (NSD National Security Cyber Section); AUSA Rick Blaylock Jr. (DC) |
| Arrests / indictments | None publicly announced as of May 2026 |
| Total demands cited | $500M+ across Royal and BlackSuit eras (per FBI/CISA advisory cited in DOJ press release) |
The DOJ unsealing documents establish a confirmed chain of custody on the blockchain for one seized ransom payment: on April 4, 2023, a victim paid 49.3120227 BTC ($1,445,454.86 at the time of the transaction) to Royal. A $1,091,453 portion was repeatedly cycled through a virtual currency exchange in a layering pattern. The exchange froze the funds on January 9, 2024, and a US court order formally seized them on June 21, 2024 (evidence collected by EDVA; seizure warrant unsealed in DC). This is the first publicly confirmed on-chain asset recovery directly linked to this lineage.
| Document / Action | Date | Issuer | Significance |
|---|---|---|---|
| CISA/FBI Joint Advisory: #StopRansomware — Royal Ransomware | Mar 2023 | CISA, FBI | Initial public advisory on Royal TTPs and IOCs; healthcare and critical infrastructure focus |
| HHS HC3 Analyst Note: Royal ransomware | 2023 | HHS Health Sector Cybersecurity Coordination Center | Healthcare-sector-specific warning on Royal targeting |
| HHS HC3 Analyst Note: BlackSuit ransomware | 2023-2024 | HHS HC3 | Separate healthcare note flagging BlackSuit as possible Royal successor |
| CISA/FBI Updated Joint Advisory: BlackSuit (Royal) | Aug 7, 2024 | CISA, FBI | Formal retitling to "BlackSuit (Royal)"; updated TTPs, IOCs, and $500M demand figure; unified lineage designation |
| DOJ/HSI Operation Checkmate announcement | Aug 11, 2025 | DOJ, HSI, multiple agencies | Infrastructure seizure; $1.09M BTC seizure; formal confirmation of BlackSuit/Royal succession |
Attribution and State Nexus
Royal, BlackSuit, and Chaos are assessed as Russia-based or CIS-based criminal actors on the basis of multiple converging indicators: operational avoidance of CIS-region victims across all iterations; no confirmed attacks on Russian or CIS targets; Russian-language forum advertising (RAMP, Chaos); operator communications in Russian where observed; and the group's Conti lineage, which was established by US government indictments as a Russia-based criminal enterprise.
The absence of prosecutions of named operators within Russia is consistent with de facto safe harbor for criminal groups that avoid domestic targeting. This pattern applies broadly to Conti-lineage successor operations. No confirmed evidence of formal state direction, intelligence-sharing arrangements, or explicit tasking by FSB, SVR, or GRU has been publicly documented for any named iteration of this lineage.
HSI and DOJ press releases describe the group as responsible for attacks on "US critical infrastructure" and public safety, using language that frames the group as a national security concern without formally attributing state nexus.
Bitdefender and TrustedInternet describe the personnel nucleus of Royal as deriving from "Conti Team One," characterized as a specialized sub-unit within the Conti organizational structure. This framing distinguishes the Royal/BlackSuit lineage from other post-Conti splinters (Akira, BlackBasta, Karakurt) and implies a more centralized leadership tier with direct Conti operational heritage.
No named individuals have been publicly attributed to Royal, BlackSuit, or Chaos operations as of May 2026. No sanctions designations have been issued against specific operators in this cluster.
Rapid7 (2026) documented at least one incident in which a state-sponsored threat actor used Chaos RaaS branding as a false flag for a targeted operation. This does not imply that Chaos itself is a state-directed group. The stronger interpretation is that Chaos is an opportunistic criminal RaaS whose branding and tooling were co-opted by a separate state actor in a specific operation to obscure attribution.
This finding adds attribution complexity for defenders and intelligence analysts: not all Chaos-attributed incidents should be assessed as criminal ransomware activity. Some may represent state-directed operations using the Chaos cover to complicate attribution and frustrate law enforcement response.
No named individuals have been publicly attributed to Royal, BlackSuit, or Chaos operations in any indictment, sanctions designation, or law enforcement press release as of May 2026. This absence of individual identification contrasts with disruptions of LockBit and ALPHV/BlackCat, where operator identities were published, and represents a significant gap in the accountability record for this lineage.
Trajectory Assessment
This lineage has executed two confirmed, planned rebrands in three years: Royal to BlackSuit (2023) and BlackSuit to Chaos (2025). Each transition followed a similar template: gradual operational drawdown under the prior name, parallel emergence of the successor brand 2-4 months before the prior name went dark, retention of core TTPs and note structure, and avoidance of public attribution of the transition until independent researchers connected the dots. The pattern is deliberate and competent.
The Chaos iteration represents a meaningful structural shift from the tight, closed operational model of Royal/BlackSuit to a public RaaS with open affiliate recruitment. This expansion increases attack surface and victim volume but also introduces affiliate management risk and potential OPSEC degradation. Prior Conti-lineage groups (Akira) have demonstrated that the RaaS model enables rapid victim volume growth; the Chaos iteration may follow the same trajectory.
The triple-extortion model (encryption + data theft + DDoS) adopted by Chaos represents a tactical escalation over Royal/BlackSuit's double-extortion approach, likely designed to improve payment rates from victims with a strong backup posture by adding the DDoS threat as a separate, backup-agnostic pressure vector.
| Group | Relationship | Confidence | Vendor Coverage |
|---|---|---|---|
| Conti | Parent organization; Conti Team One as personnel nucleus for Royal emergence | CREDIBLE | Bitdefender, TrustedInternet (Team One framing); Unit 42, Secureworks, HHS HC3 (general Conti lineage) |
| BlackSuit | Direct rebrand of Royal (GOLD SOUVENIR, Ignoble Scorpius, ROYAL SPIDER) | CONFIRMED | Secureworks, Unit 42, HHS HC3, CISA/FBI, DOJ, HSI, Bitdefender |
| Chaos (2025 RaaS) | Probable rebrand of BlackSuit or formed by former BlackSuit members | CREDIBLE (moderate) | Cisco Talos (primary); SC World, Infosecurity Magazine (repeat Talos findings). Not yet independently assessed by Mandiant or Recorded Future in open publications. |
| Akira | Separate Conti-diaspora stream; distinct operational identity; shared Conti heritage only | CONFIRMED (separation) | CrowdStrike: PUNK SPIDER (separate from ROYAL SPIDER). No operational overlap documented. |
| BlackBasta | Separate Conti-diaspora stream; no operational linkage to Royal/BlackSuit documented | CONFIRMED (separation) | Distinct vendor designations across all major vendors. |
- No named operators: Unlike LockBit (Khoroshev et al.) or Conti (multiple indictments), no individuals connected to Royal, BlackSuit, or Chaos have been publicly identified or charged. This represents the primary unresolved accountability gap.
- Chaos affiliate roster unknown: Open-source reporting does not identify Chaos affiliates, revenue splits, or the size of the affiliate pool. Growth trajectory depends heavily on affiliate satisfaction and law enforcement attention to the new infrastructure.
- On-chain mapping incomplete: The $1.09M seizure is the only confirmed public on-chain recovery. The broader wallet cluster infrastructure for Royal/BlackSuit proceeds has not been publicly documented by Chainalysis, TRM Labs, or Elliptic.
- State-false-flag complexity: The Rapid7 2026 finding that a state actor used Chaos branding in at least one operation means attribution of Chaos-attributed incidents requires additional corroboration before classifying as criminal vs. state-directed.
- Fourth-generation rebrand risk: Given the two-to-four year cadence of prior rebrands, a Chaos successor cannot be ruled out if law enforcement pressure on Chaos infrastructure increases materially in 2026.