Theres a new ransomware player on the scene the BlackLock group has become one of the most prolific operators in the cyber crime industry and researchers warn its only going to get worse for potential victims ITPro
pSecurity experts have warned the BlackLock group could become the most active ransomware operator in 2025pp
When you purchase through links on our site we may earn an affiliate commission Heres how it works
ppThe BlackLock ransomware group has become one of the most prolific operators in the Ransomware as a Service RaaS ecosystem with experts warning it could accelerate its growth over the next yearppAlso known as El Dorado BlackLock was ranked as the seventh most active ransomware group based on the number of posts on its data leak site by the end of 2024 marking a 1425 growth from Q3ppSecurity firm ReliaQuest recently published research on the group and its rise to prominence detailing its TTPs and why the operation has seen so much success in recent yearsppThe group was among the top three most active collectives on the RAMP forum whose community listed BlackLock among the top ransomware operators in terms of their reputation on the siteppReliaquest noted that BlackLocks rise has been both swift and strategic and predicted that if the groups activity continues at this pace it will go on to become the most active ransomware group in 2025ppThe group is known to use double extortion tactics whereby they encrypt data while also stealing sensitive information hoping to exert more pressure on victims with the potential threat of exposing the stolen informationppIts ransomware is custombuilt to target Windows VMWare ESXi and Linux environments although Reliquest noted that the Linux variant is less mature than its Windows counterpartppReceive our latest news industry updates featured resources and more Sign up today to receive our FREE report on AI cyber crime security newly updated for 2024ppThe report identifies a number of ways in which BlackLock has set itself apart in what is a highly competitive digital extortion landscape firstly with what it describes as an unusual leak site that uses a combination of unique tricks aimed at preventing researchers from downloading stolen datappThe site is packed with a number of features that Reliaquest speculates are intended to prevent targeted organizations from assessing the scope of their breachesppThis in turn ramps up pressure on the organizations to quickly pay ransoms often before they can fully evaluate the situation researchers saidppThese features also highlight BlackLocks technical sophistication reinforcing its reputation as a polished professional operationppppDrive operations performance across the enterpriseppBlackLocks use of custombuilt malware is another indicator of their sophistication Reliaquest added which it said is a hallmark of toptier groups such as Qlin or PlayppCompeting groups like Bl00dy Dragonforce and RA World rely on externally developed ransomware builders such as leaked versions of Babuk or LockBit the report notes whereas BlackLock develops its own bespoke malwareppWhile leaked ransomware builders are easy to use they come with a major drawback Security researchers can access and dissect the code find weaknesses and develop defenses against them In contrast BlackLocks custom malware keeps researchers in the dark at least until its source code is leakedppReliaquest also reported the group has been actively recruiting affiliates known as traffers to support the earlier stages of their attacks whereas it has been far more discreet when looking to bring higherlevel developers on boardppThe report identified potential indicators for BlackLocks next major targets citing forum activity that would suggest the group plans on exploiting Microsoft Entra Connect in an upcoming campaignppA user known to represent BlackLock was found sharing security research on how attackers could abuse Entra Connects synchronization mechanism to manipulate user attributes and compromise onprem environmentsppFor organizations managing multiple domains under one tenant this tactic creates a significant risk of privilege escalation and the potential for a major breach While the blog describes the attack hypothetically its feasibility and potential impact make it a serious concern Reliaquest warnedppAs a result organizations should reassess the security of their infrastructure now Reliaquest urged stating that in particular they should look to harden their rules around sensitive attributes monitor and restrict key registrations and enforce conditional access policiesppSolomon Klappholz is a Staff Writer at ITPro He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation industrial infrastructure applications and machine learningppWarning issued over prolific Ghost ransomware groupppThe new ransomware groups worrying security researchers in 2025ppCreating space for women in tech
pp
Posted
pp
Posted
pp
Posted
pp
Posted
pp
pp
IT Pro is part of Future plc an international media group and leading digital publisher Visit our corporate site
pp
Future Publishing Limited Quay House The Ambury
Bath
BA1 1UA All rights reserved England and Wales company registration number 2008885 p
When you purchase through links on our site we may earn an affiliate commission Heres how it works
ppThe BlackLock ransomware group has become one of the most prolific operators in the Ransomware as a Service RaaS ecosystem with experts warning it could accelerate its growth over the next yearppAlso known as El Dorado BlackLock was ranked as the seventh most active ransomware group based on the number of posts on its data leak site by the end of 2024 marking a 1425 growth from Q3ppSecurity firm ReliaQuest recently published research on the group and its rise to prominence detailing its TTPs and why the operation has seen so much success in recent yearsppThe group was among the top three most active collectives on the RAMP forum whose community listed BlackLock among the top ransomware operators in terms of their reputation on the siteppReliaquest noted that BlackLocks rise has been both swift and strategic and predicted that if the groups activity continues at this pace it will go on to become the most active ransomware group in 2025ppThe group is known to use double extortion tactics whereby they encrypt data while also stealing sensitive information hoping to exert more pressure on victims with the potential threat of exposing the stolen informationppIts ransomware is custombuilt to target Windows VMWare ESXi and Linux environments although Reliquest noted that the Linux variant is less mature than its Windows counterpartppReceive our latest news industry updates featured resources and more Sign up today to receive our FREE report on AI cyber crime security newly updated for 2024ppThe report identifies a number of ways in which BlackLock has set itself apart in what is a highly competitive digital extortion landscape firstly with what it describes as an unusual leak site that uses a combination of unique tricks aimed at preventing researchers from downloading stolen datappThe site is packed with a number of features that Reliaquest speculates are intended to prevent targeted organizations from assessing the scope of their breachesppThis in turn ramps up pressure on the organizations to quickly pay ransoms often before they can fully evaluate the situation researchers saidppThese features also highlight BlackLocks technical sophistication reinforcing its reputation as a polished professional operationppppDrive operations performance across the enterpriseppBlackLocks use of custombuilt malware is another indicator of their sophistication Reliaquest added which it said is a hallmark of toptier groups such as Qlin or PlayppCompeting groups like Bl00dy Dragonforce and RA World rely on externally developed ransomware builders such as leaked versions of Babuk or LockBit the report notes whereas BlackLock develops its own bespoke malwareppWhile leaked ransomware builders are easy to use they come with a major drawback Security researchers can access and dissect the code find weaknesses and develop defenses against them In contrast BlackLocks custom malware keeps researchers in the dark at least until its source code is leakedppReliaquest also reported the group has been actively recruiting affiliates known as traffers to support the earlier stages of their attacks whereas it has been far more discreet when looking to bring higherlevel developers on boardppThe report identified potential indicators for BlackLocks next major targets citing forum activity that would suggest the group plans on exploiting Microsoft Entra Connect in an upcoming campaignppA user known to represent BlackLock was found sharing security research on how attackers could abuse Entra Connects synchronization mechanism to manipulate user attributes and compromise onprem environmentsppFor organizations managing multiple domains under one tenant this tactic creates a significant risk of privilege escalation and the potential for a major breach While the blog describes the attack hypothetically its feasibility and potential impact make it a serious concern Reliaquest warnedppAs a result organizations should reassess the security of their infrastructure now Reliaquest urged stating that in particular they should look to harden their rules around sensitive attributes monitor and restrict key registrations and enforce conditional access policiesppSolomon Klappholz is a Staff Writer at ITPro He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation industrial infrastructure applications and machine learningppWarning issued over prolific Ghost ransomware groupppThe new ransomware groups worrying security researchers in 2025ppCreating space for women in tech
pp
Posted
pp
Posted
pp
Posted
pp
Posted
pp
pp
IT Pro is part of Future plc an international media group and leading digital publisher Visit our corporate site
pp
Future Publishing Limited Quay House The Ambury
Bath
BA1 1UA All rights reserved England and Wales company registration number 2008885 p
