Resecurity, a prominent cybersecurity firm, has successfully exploited a vulnerability in the Data Leak Site (DLS) of Blacklock Ransomware, gaining unprecedented access to the group’s infrastructure.
This breach, which occurred during the winter of 2024-2025, allowed researchers to gather substantial intelligence about the ransomware group’s activities and planned attacks.
Exploitation of Local File Inclusion Vulnerability
The compromise was achieved by exploiting a Local File Inclusion (LFI) vulnerability present in the DLS hosted on the TOR network.
This security flaw enabled Resecurity’s analysts to acquire critical artifacts related to the threat actors’ network infrastructure, including logs, associated file-sharing accounts, and login timestamps.
Uncovering Planned Attacks and Victim Data
Leveraging the gained access, Resecurity was able to collect information about planned publications of victims’ data up to 13 days before the threat actors intended to release it.
In one instance, the firm alerted the Canadian Centre for Cyber Security about an impending attack on a Canada-based victim nearly two weeks before the planned data leak.
The breach also revealed the group’s use of MEGA, a popular file-sharing service, for storing and transferring stolen data.
Researchers identified at least eight email accounts associated with MEGA folders managed by Blacklock Ransomware, providing insight into their data exfiltration methods.


The investigation uncovered potential links between Blacklock Ransomware and other cybercriminal groups.
Code similarities were found between Blacklock and DragonForce ransomware, suggesting possible cooperation or a transition of ownership.
This discovery highlights the dynamic nature of the ransomware ecosystem and the potential for market consolidation among cybercriminal groups.
The Blacklock Ransomware DLS was defaced and technically liquidated, with configuration files being publicly disclosed.
This event, along with the compromise of the related Mamona ransomware project, suggests a significant disruption to the group’s operations and a potential shift in the ransomware landscape.
This breach of Blacklock Ransomware’s infrastructure provides valuable insights into the operations of ransomware groups and demonstrates the effectiveness of proactive cybersecurity measures in combating these threats.
As the ransomware ecosystem continues to evolve, such intelligence-gathering efforts play a crucial role in understanding and mitigating cyber risks.