BlackLock Hackers Hacked
Late last year, researchers at Resecurity identified a weakness in BlackLock's Data Leak Site (DLS) that gave them a way to monitor the criminal group's network infrastructure and to recover activity logs, hosting providers, and the linked MEGA accounts used to store victims' data.
Now Resecurity has used that vulnerability in the ransomware group's Dark Web site to gather and review data about BlackLock's planned attacks.
Known as BlackLock, and also as El Dorado or Eldorado, the ransomware-as-a-service (RaaS) group began operating in March 2024. In the last quarter of 2024 it increased its number of data leak posts by 1,425% quarter-on-quarter.
This relatively new RaaS operation has rapidly accelerated its attacks and was on course to become one of the most active ransomware groups of 2025.
Earlier this year, Resecurity contacted the Canadian Centre for Cyber Security to share what it had learned about a planned data release concerning a Canada-based victim, 13 days before BlackLock published it. Known victims were based in Argentina, Aruba, Brazil, Canada, Congo, Croatia, Peru, France, Italy, Spain, the Netherlands, the US, the UK and the UAE.
Resecurity says that BlackLock has probably attacked many more victims than are currently known, and that many of them could still be dealing with the consequences.
A misconfiguration in BlackLock's website let the researchers in, and from there they were able to reach clearnet IP addresses tied to the ransomware group's network infrastructure. By exploiting a Local File Include (LFI) vulnerability, a class of flaw in which an attacker manipulates a file-path parameter so that the application reads and returns files from its own filesystem that were never meant to be served, the researchers were able to retrieve BlackLock configuration files and credentials, including the server's shell command history. "The acquired history of commands was probably one of the biggest OPSEC failures of Blacklock Ransomware," said the researchers. "The collected artifacts included copy-pasted credentials the key actor managing the server used and a detailed chronology of victims' data publication."
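As an added illustration, and not code from the article, from Resecurity, or a reconstruction of the BlackLock site (the article gives no detail of how that site was built), the Python below shows the shape of a Local File Include defect and its fix. The vulnerable handler joins a user-supplied name onto the web root, so a `../` sequence walks out of it and a `.bash_history` in a neighbouring directory is served like any other file; the hardened handler resolves the final path and refuses anything that does not stay inside the root. The directory layout, file names and file contents are constructed for the demo.

```python
import shutil
import tempfile
from pathlib import Path


def serve_vulnerable(web_root: str, requested: str) -> bytes:
    """Classic LFI pattern: trust the client-supplied name and open it.

    Path(web_root) / requested does no normalisation, so "../x" steps out of
    the root, and an absolute path such as "/etc/passwd" replaces it entirely.
    """
    return (Path(web_root) / requested).read_bytes()


def serve_hardened(web_root: str, requested: str) -> bytes:
    """Resolve the real path and check it is still under the web root.

    resolve() collapses '..' segments and follows symlinks, so the check is
    made on the file that would actually be opened, not on the raw string.
    """
    base = Path(web_root).resolve()
    target = (base / requested).resolve()
    try:
        target.relative_to(base)  # raises ValueError if target escaped base
    except ValueError:
        raise PermissionError(f"refusing path outside web root: {requested!r}")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_bytes()


def build_demo_tree() -> tuple[str, str]:
    """Create a throwaway tree (constructed for this demo):

        <tmp>/www/index.html            the one file meant to be public
        <tmp>/ops/.bash_history         an operator artefact next to the root
    """
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    web_root = Path(root) / "www"
    web_root.mkdir()
    (web_root / "index.html").write_bytes(b"<h1>public page</h1>")
    ops = Path(root) / "ops"
    ops.mkdir()
    # Constructed sample content; not a real credential.
    (ops / ".bash_history").write_bytes(b"mega-login operator@example.invalid hunter2\n")
    return root, str(web_root)


def demo() -> dict:
    """Run both handlers against a legitimate and a traversal request."""
    root, web_root = build_demo_tree()
    try:
        results = {
            "vuln_index": serve_vulnerable(web_root, "index.html"),
            # Traversal succeeds: the operator's history leaks.
            "vuln_traversal": serve_vulnerable(web_root, "../ops/.bash_history"),
            "hard_index": serve_hardened(web_root, "index.html"),
        }
        for payload in ("../ops/.bash_history", "/etc/passwd", "www/../../ops/.bash_history"):
            try:
                serve_hardened(web_root, payload)
                results[payload] = "SERVED"  # would be a bug in the hardened handler
            except PermissionError:
                results[payload] = "blocked"
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The check is deliberately done on the resolved path rather than by rejecting the literal string `..`, because URL-encoded, doubled or symlinked forms of the same traversal all collapse to the same real file; whatever the client wrote, the only question that matters is whether the file that would be opened sits under the root.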
Resecurity believes the exposure has damaged BlackLock badly enough that the operation is unlikely to recover, with its reputation among cybercriminal affiliates now critically undermined.
BlackLock was using the file-sharing service MEGA to store and transfer stolen data, and Resecurity was able to identify eight distinct email addresses associated with the MEGA folders. The researchers also found signs of involvement by the rival DragonForce ransomware group, which they suggest might indicate some sort of co-operation, or conversely a take-over by DragonForce. "It seems DragonForce wanted to shame the group and compromise their operations to eliminate competitors. On the other hand, such tactics could also be used as a 'false flag' to further transition to a new project," Resecurity said.
"It is unclear if BlackLock ransomware started cooperating with DragonForce ransomware or silently transitioned under the new ownership. The new masters likely took over the project and their affiliate base because of ransomware market consolidation, understanding their previous successors could be compromised," Resecurity concludes.
Resecurity | Tripwire | ITPro | Infosecurity Magazine | The Register | SC Magazine
Image: TSD Studio
Cyber Security Intelligence: Captured Organised & Accessible