BlackLock Ransomware Uncovered After Researchers Exploit Leak Web site Vulnerability


Mar 29, 2025 | Ravie Lakshmanan | Cybercrime / Vulnerability

In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process.

Resecurity said it identified a security vulnerability in the data leak site (DLS) operated by the e-crime group that made it possible to extract configuration files, credentials, as well as the history of commands executed on the server.

The flaw concerns a "certain misconfiguration in the Data Leak Site (DLS) of BlackLock Ransomware, leading to clearnet IP addresses disclosure related to their network infrastructure behind TOR hidden services (hosting them) and additional service information," the company said.


It described the acquired history of commands as one of the biggest operational security (OPSEC) failures of BlackLock ransomware.

BlackLock is a rebranded version of another ransomware group known as Eldorado. It has since become one of the most active extortion syndicates in 2025, heavily targeting technology, manufacturing, construction, finance, and retail sectors. As of last month, it has listed 46 victims on its site.

The impacted organizations are located in Argentina, Aruba, Brazil, Canada, Congo, Croatia, Peru, France, Italy, the Netherlands, Spain, the United Arab Emirates, the U.K., and the U.S.

The group, which announced the launch of an underground affiliate network in mid-January 2025, has also been observed actively recruiting traffers to facilitate early stages of the attacks by directing victims to malicious pages that deploy malware capable of establishing initial access to compromised systems.

The vulnerability identified by Resecurity is a local file inclusion (LFI) bug, essentially tricking the web server into leaking sensitive information by performing a path traversal attack, including the history of commands executed by the operators on the leak site.
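One defensive way to spot the kind of LFI / path-traversal probing described above, as an added example (not Resecurity's code and not tied to the BlackLock server, whose web stack the article does not name): a detector that percent-decodes each request target, including double-encoded forms, and flags any path or query value containing a parent-directory segment. The Combined Log Format lines, IP addresses and paths below are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format); none come from the article.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Mar/2025:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.5 - - [20/Mar/2025:10:01:03 +0000] "GET /index.php?page=../../../../root/.bash_history HTTP/1.1" 200 2048 "-" "curl/8.4"
203.0.113.5 - - [20/Mar/2025:10:01:04 +0000] "GET /static/..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1337 "-" "curl/8.4"
203.0.113.5 - - [20/Mar/2025:10:01:05 +0000] "GET /static/%252e%252e/config.php HTTP/1.1" 404 0 "-" "curl/8.4"
198.51.100.7 - - [20/Mar/2025:10:01:06 +0000] "GET /blog/2025/03/post.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status code of one log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded dots (%252e%252e) are caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_parent_segment(value: str) -> bool:
    """True if, after decoding, any slash- or backslash-separated segment is '..'."""
    decoded = fully_decode(value).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))

def is_traversal_request(target: str) -> bool:
    """Check the URL path and every query-string value for a parent-directory segment."""
    path, _, query = target.partition("?")
    if has_parent_segment(path):
        return True
    return any(has_parent_segment(pair.partition("=")[2]) for pair in query.split("&") if pair)

def flag_traversal(log_text: str) -> list[dict]:
    """One record per request that looks like traversal; status 200 means it may have succeeded."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if match and is_traversal_request(match["target"]):
            hits.append({"ip": match["ip"], "target": match["target"], "status": int(match["status"])})
    return hits

if __name__ == "__main__":
    for hit in flag_traversal(SAMPLE_LOG):
        print(hit)
```

Hits with a 200 status and a non-trivial response size are the ones to triage first, since they indicate the server actually returned a file outside the web root.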

Some of the notable findings are listed below -

  • The use of Rclone to exfiltrate data to the MEGA cloud storage service, in some cases even installing the MEGA client directly on victim systems
  • The threat actors have created at least eight accounts on MEGA using disposable email addresses created via YOPmail (e.g., "zubinnecrouzo-6860@yopmail.com") to store the victim data
  • A reverse engineering of the ransomware has uncovered source code and ransom note similarities with another ransomware strain codenamed DragonForce, which has targeted organizations in Saudi Arabia (While DragonForce is written in Visual C++, BlackLock uses Go)
  • "$$$," one of the main operators of BlackLock, launched a short-lived ransomware project called Mamona on March 11, 2025

In an intriguing twist, BlackLock's DLS was defaced by DragonForce on March 20, likely by exploiting the same LFI vulnerability (or something similar), with configuration files and internal chats leaked on its landing page. A day prior, the DLS of Mamona ransomware was also defaced.

"It's unclear if BlackLock Ransomware (as a group) started cooperating with DragonForce Ransomware or silently transitioned under the new ownership," Resecurity said. "The new masters likely took over the project and their affiliate base because of ransomware market consolidation, understanding their previous successors could be compromised."

"The key actor '$$$' didn't share any surprise after incidents with BlackLock and Mamona Ransomware. It's possible the actor was fully aware that his operations could be already compromised, so the silent 'exit' from the previous project could be the most rational option."
