In the constantly shifting landscape of cyber threats, new ransomware groups continue to emerge with increasingly sophisticated tactics and bold strategies. One such threat actor making headlines in 2025 is BlackLock, a rapidly growing ransomware operation known for its aggressive double extortion methods and advanced attack capabilities. Originally operating under the name El Dorado (aka Eldorado), the group rebranded to BlackLock in late 2024 and has since become one of the most active extortions syndicated this year.  

Leveraging a Ransomware-as-a-Service (RaaS) model, BlackLock provides its tools to affiliates who carry out attacks across industries such as healthcare, finance, manufacturing, government, and technology. Its malware is capable of targeting Windows, Linux, and VMWare ESXi environments, though the Linux variant is comparatively limited in functionality. By exfiltrating sensitive data before encrypting systems, BlackLock intensifies its pressure on victims, solidifying its position as a major threat in today's cybersecurity landscape.  

Targeted Platforms: Windows, Linux and VMWare ESXi  

Targeted Industries: Technology, Construction, Manufacturing, Finance, Government, Real Estate, Defense, Healthcare and Retail Sectors.  

Affected Countries: United States, Canada, Spain, Japan Italy, Croatia, Brazil, UAE, Puerto Rico, United Kingdom, Netherlands, Argentina, Aruba, Peru and Germany  

Operational Strategy and Recruitment Infrastructure

BlackLock distinguished itself from many ransomware groups by developing its own custom malware, rather than relying on leaked builder kits, demonstrating a notable degree of technical sophistication. As of June 2025, the group has impacted at least 60 known victims across various sectors.  

A critical component of BlackLock's operations is its recruitment of "traffers" - actors responsible for generating and directing malicious traffic to enable initial access into targeted systems. These individuals are often sourced through urgent and openly detailed recruitment posts, reflecting BlackLock's emphasis on rapid execution, even at the expense of operational security. The group uses encrypted Telegram channels to coordinate activities, complicating efforts by researchers and law enforcement to trace communications or identify members.  

Additionally, BlackLock has leveraged the Russian-language cybercrime forum RAMP to recruit both affiliates and traffers in the early phases of its attack campaigns, further cementing its foothold within the broader Ransomware-as-a-Service ecosystem.  

‍Technical Analysis of BlackLock Ransomware

Building on El Dorado's technical foundation, BlackLock employs a dynamic, multi-stage attack strategy that deviates from conventional ransomware playbooks leveraging operational flexibility to complicate defensive measures.

Initial Access

The group commonly leverages spear-phishing emails, malicious attachments, and compromised Remote Desktop Protocol (RDP) credentials to infiltrate targeted systems.  The group also collaborates with Initial Access Brokers (IABs), who   supply pre-compromised access to victim environments, including domain administrator credentials, Active Directory footholds, or access to critical internal services and infrastructure.

By outsourcing this phase, BlackLock significantly accelerates its attack timeline and focuses more resources on post-compromise activities like lateral movement, data exfiltration, and encryption.

Privilege Escalation and Lateral Movement

Once inside a targeted environment, BlackLock employs a range of post-compromise techniques to expand its foothold and escalate privileges. To maintain stealth and blend in with legitimate administrative activity, BlackLock leverages trusted tools like PowerShell and PsExec for remote execution across the network. The ransomware operators also deploy advanced credential harvesting techniques to elevate privileges and gain access to sensitive systems and administrative domains. Apart from these, the group also utilized Pass-the-Hash (PtH) methods to reuse stolen NTLM hashes, enabling lateral movement without needing plaintext passwords.

Data Exfiltration and Encryption  

The ransomware encrypts files using a combination of ChaCha20 for file content and RSA-OAEP for key encryption, ensuring that recovery without the decryption key is nearly impossible. During the encryption process, files are not only locked with robust algorithms but also renamed using random character strings and assigned a unique extension, making identification and recovery more difficult.  

Simultaneously, sensitive data such as financial records, proprietary documents, and intellectual property files are exfiltrated to intensify pressure on the victim.  This double extortion strategy allows the group to demand payment not just for file decryption, but also to prevent the public release or sale of stolen information. To hinder data recovery efforts, BlackLock removes shadow volume copies from compromised systems, effectively disabling backup-based restoration.

Ransom Note

Victims are presented with a ransom note titled "HOW_RETURN_YOUR_DATA.TXT", which is dropped on compromised systems, demanding payment in Bitcoin and outlining the consequences of non-compliance. The ransom note informs victims that their network has been compromised, with critical data both encrypted and exfiltrated. The attackers emphasize that their motive is purely financial and invite the victim to initiate contact through specified channels. Upon communication, the victim is promised a detailed list of the stolen files and offered a one-time opportunity to decrypt  a single file for free as proof of recovery capability.  

The ransom amount is to be negotiated, with payment strictly required in Bitcoin. The note threatens that failure to comply will result in the public release of the exfiltrated data. Additionally, it cautions victims against restarting systems, renaming, or modifying encrypted files, warning that such actions could make data recovery permanently impossible.

BlackLock's Downfall

In an unexpected twist, BlackLock found themselves on the receiving end of a security breach. Ironically, it was their own lack of cybersecurity hygiene that led to their exposure, thanks to a vulnerability in their leak site uncovered by researchers at Resecurity.  

The weakness that unmasked blacklock

Resecurity discovered a Local File Inclusion (LFI) vulnerability in the BlackLock's data leak portal. By exploiting this flaw through path traversal techniques, the researchers were able to make the server disclose files that were never meant to be accessed externally, essentially turning BlackLock's weapon against them.  

What was exposed?

The breach offered a rare glimpse into the inner workings of the ransomware gang:  

• System Configuration Details: These files revealed how BlackLock had set up their systems and conducted operations behind the scenes.  
• Shell Command Logs: Commands executed on the compromised servers gave insight into the gang's tools, behaviors, and possible attack chains.  
• Public-Facing IPs: Although their operations were primarily hidden within the TOR network, researchers uncovered several Clearnet IP addresses, exposing parts of their infrastructure to the open internet and reducing their operational stealth.  
• Victim Information: Data belonging to 46 victims was discovered, offering clues about the industries and regions they were targeting.  

Further analysis of the system logs uncovered at least eight MEGA cloud storage accounts tied to the group, likely used to stage stolen data prior to public exposure. Email aliases such as emptyzubinnecrouzo-6860@yopmail[.]com and megaO8Omega@gmail[.]com were linked to these MEGA accounts, suggesting attempts to maintain anonymity while operating in the open. In several cases, BlackLock went as far as installing the MEGA client directly onto victim servers, facilitating automated and covert data transfers without detection.

The exposure had quick repercussions. On March 20, 2025, BlackLock's data leak site was defaced by rival group DragonForce. While it's unclear whether DragonForce exploited the same LFI flaw or simply capitalized on the weakened state of their rivals, the timing suggests a calculated move to assert dominance. Interestingly, just one day earlier, the Mamona ransomware group’s DLS had also been defaced.

The BlackLock and DragonForce connection

Uncertainty remains around whether BlackLock began cooperating with DragonForce or silently transferred control. A potential shift in ownership appears likely, with DragonForce possibly taking over BlackLock's infrastructure and affiliate network, a move that may reflect broader ransomware market consolidation, particularly if internal compromise had already occurred.  

The key figure known as '$$$' showed no visible reaction to the disruptions involving BlackLock and Mamona. This behavior suggests prior awareness of operational compromise, making a discreet withdrawal from previous operations a strategic and calculated decision.

BlackLock Ransomware techniques mapped to MITRE ATT&CK

Understanding BlackLock tactics through the MITRE ATT&CK framework provides valuable insight into its operational behavior and attack chain. By mapping its techniques to known adversary behaviors, defenders can better anticipate, detect, and respond to its actions.  

‍

Mitigation against BlackLock Ransomware

To effectively defend against BlackLock ransomware, organizations must adopt a defense-in-depth strategy that combines proactive prevention, detection, and response capabilities. Below are key mitigation measures:

Security Awareness & Training: Educate employees on identifying phishing emails, malicious attachments, and social engineering attempts that are common initial access vectors for ransomware. Regular simulated phishing exercises can improve vigilance.  

Regular Patching & Updates: Keep operating systems, applications, and third-party software up to date. Timely patching reduces the risk of exploitation via known vulnerabilities, an avenue often used by ransomware operators.

Restrict RDP & Enforce Multi-Factor Authentication (MFA): Disable Remote Desktop Protocol (RDP) where not necessary. For essential remote access, enforce MFA to add an additional security layer and reduce brute-force attack risk.

Implement Network Segmentation: Segment critical assets from less sensitive parts of the network. This limits the lateral movement of malware and contains the blast radius in case of a compromise.

Deploy EDR/XDR Solutions: Leverage Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) tools to monitor endpoint activity in real-time. These tools help detect suspicious behaviors, enabling quicker containment of ransomware activity.

Maintain Secure Backups & Test Restoration Plans: Regularly back up critical data to offline or immutable storage systems. Test recovery plans frequently ensure business continuity and reduce the impact of ransomware encryption.

Leverage Threat Intelligence: Monitor threat intelligence feeds for indicators of compromise (IOCs), TTPs (tactics, techniques, and procedures), and infrastructure linked to BlackLock and other emerging ransomware groups. Early detection enables faster response.

Sources Cited:

1. https://www.tripwire.com/state-of-security/blacklock-ransomware-what-you-need-know  
2. https://thehackernews.com/2025/03/blacklock-ransomware-exposed-after.html  
3. https://www.forenova.com/de/blog/blacklock-ransomware-deep-dive-a-cross-platform-double-extortion-threat/  
4. https://darkatlas.io/blog/blacklock-ransomware-a-growing-threat-across-industries?
5. https://www.resecurity.com/blog/article/blacklock-ransomware-a-late-holiday-gift-with-intrusion-into-the-threat-actors-infrastructure  
6. https://cirt.gy/article/al2025_13-2025s-fasting-growing-ransomware-blacklock-27th-february-2025/  
7. https://www.ampcuscyber.com/shadowopsintel/inside-blacklock-the-raas-group-reshaping-cybercrime/  
8. https://slcyber.io/blog/blacklock-ransomware-exposed-and-dragonforce-makes-moves/  
9. https://www.cybersecurity-insiders.com/blacklock-ransomware-gang-infrastructure-breached-and-info-passed-to-law-enforcement/  
10. https://www.linkedin.com/pulse/blacklock-ransomware-rise-unveiling-global-cybercrime-anoushka-das-hrdye/  
11. https://linuxsecurity.com/news/hackscracks/understanding-blacklock-linux-raas  
12. https://www.helpnetsecurity.com/2025/02/18/blacklock-ransomware-what-to-expect-how-to-fight-it/  
13. https://cybersecuritynews.com/blacklock-ransomware-infrastructure-intruded/
14. https://www.beforecrypt.com/en/success-story-comprehensive-ransomware-incident-response-and-recovery-from-a-lockbit-black-attack/  
15. https://reliaquest.com/blog/threat-spotlight-inside-the-worlds-fastest-rising-ransomware-operator-blacklock/