BlackLock Hackers Hacked

Last year, researchers at Resecurity identified a weakness in BlackLock's Data Leak Site (DLS), which gave them a way to monitor the criminal group's network infrastructure and identify specific activity logs, hosting providers, and linked MEGA accounts used to store the data of its victims.

Now, Resecurity have used a vulnerability in the Dark Web site of the ransomware criminal group BlackLock to gather and review data about BlackLock's planned attacks.

Known as BlackLock, El Dorado or Eldorado, the ransomware-as-a-service (RaaS) group began in March 2024. In the last quarter of 2024 it increased its number of data leak posts by 1,425% quarter-on-quarter.

This relatively new ransomware service group has rapidly accelerated attacks and could become the most dominant RaaS group in 2025.

Earlier this year, Resecurity contacted the Canadian Centre for Cyber Security to share what it had learned about a planned data release from a Canada-based victim, 13 days before its publication by BlackLock. Operations hit were based in Argentina, Aruba, Brazil, Canada, Congo, Croatia, Peru, France, Italy, Spain, the Netherlands, the US, the UK and the UAE.

Resecurity says that BlackLock has probably attacked many more victims than is currently known, and many could still be dealing with the problems.

A misconfiguration in BlackLock's website let the researchers in, and they were then able to access clearnet IP addresses related to the ransomware group's network infrastructure. By exploiting a Local File Include (LFI) vulnerability, in which a user tricks an application into exposing files stored on a given server, the researchers were able to gather BlackLock config files and credentials. "The acquired history of commands was probably one of the biggest OPSEC failures of Blacklock Ransomware," said the researchers. "The collected artifacts included copy-pasted credentials the key actor managing the server used and a detailed chronology of victims’ data publication."
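To show the class of bug described above, here is an added example (not taken from Resecurity's report or from BlackLock's site) of a file-reading handler that joins user input onto a directory, next to a version that resolves the path and refuses anything outside that directory. The function names, file names and directory layout are constructed for illustration.

```python
import os
import tempfile


def read_page_vulnerable(base_dir, name):
    """Unsafe pattern: user input is joined onto the directory unchecked."""
    with open(os.path.join(base_dir, name)) as fh:
        return fh.read()


def read_page_hardened(base_dir, name):
    """Resolve the final path (symlinks included) and confine it to base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("requested path is outside the content directory")
    with open(target) as fh:
        return fh.read()


def blocked(base_dir, name):
    """True when the hardened reader refuses the request."""
    try:
        read_page_hardened(base_dir, name)
    except PermissionError:
        return True
    return False


def demo():
    # Constructed layout: pages/ is meant to be public, app.conf is not.
    with tempfile.TemporaryDirectory() as root:
        pages = os.path.join(root, "pages")
        os.mkdir(pages)
        conf = os.path.join(root, "app.conf")
        with open(os.path.join(pages, "about.txt"), "w") as fh:
            fh.write("public page")
        with open(conf, "w") as fh:
            fh.write("db_password=constructed-secret")
        return {
            "vulnerable_leak": read_page_vulnerable(pages, "../app.conf"),
            "hardened_ok": read_page_hardened(pages, "about.txt"),
            "relative_blocked": blocked(pages, "../app.conf"),
            "absolute_blocked": blocked(pages, conf),
        }


if __name__ == "__main__":
    print(demo())
```

The check runs on the resolved path rather than on the raw string, so relative segments, absolute paths and symlinks are all judged by where they actually point.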

Resecurity believes that it's done enough damage to BlackLock to make sure that it can't recover, with its reputation amongst cybercriminal affiliates now critically undermined.

BlackLock was using file sharing service MEGA to store and transfer stolen data and Resecurity was able to identify eight distinct email addresses associated with the MEGA folders. The researchers suggest that this might indicate some sort of co-operation, or conversely a take-over by DragonForce. “It seems DragonForce wanted to shame the group and compromise their operations to eliminate competitors. On the other hand, such tactics could also be used as a ‘false flag’ to further transition to a new project,” Resecurity said.

"It is unclear if BlackLock ransomware started cooperating with DragonForce ransomware or silently transitioned under the new ownership. The new masters likely took over the project and their affiliate base because of ransomware market consolidation, understanding their previous successors could be compromised," Resecurity conclude.

Resecurity   |  Tripwire   |   ITPro   |   Infosecurity Magazine   |   The Register   |   SC Magazine

Image: TSD Studio 
