In a striking turn of events, cybersecurity researchers have successfully infiltrated the online infrastructure of BlackLock, a notorious ransomware group, uncovering critical details about their operations. The breakthrough, achieved by threat intelligence firm Resecurity, exploited a vulnerability in the group’s data leak site (DLS), exposing their inner workings and security failings.
Resecurity identified a misconfiguration in BlackLock’s DLS, which led to the disclosure of their clearnet IP addresses—information that was supposed to remain hidden behind the Tor network. Additionally, researchers retrieved configuration files, login credentials, and a complete history of commands executed on the group’s servers.
Major Security Breach For BlackLock
“This is one of the biggest operational security (OPSEC) failures for BlackLock ransomware,” Resecurity noted. The breach sheds light on how the group manages its cyberattacks and handles stolen data.
BlackLock, a rebranded version of the Eldorado ransomware group, has become one of the most aggressive extortion gangs in 2025. It has targeted industries such as technology, manufacturing, construction, finance, and retail. As of last month, the group had listed 46 victims on its leak site, affecting companies across Argentina, Aruba, Brazil, Canada, Congo, Croatia, Peru, France, Italy, the Netherlands, Spain, the United Arab Emirates, the United Kingdom, and the United States.
The cybercrime syndicate launched an underground affiliate network in January 2025, actively recruiting “traffers”—cybercriminals who lure victims to malicious websites. These sites distribute malware capable of gaining initial access to compromised systems, setting the stage for ransomware deployment.
Exploited Vulnerability
Resecurity’s analysis revealed that BlackLock’s leak site contained a local file inclusion (LFI) vulnerability, a flaw that enabled researchers to trick the web server into revealing sensitive data. This included a history of commands executed by the ransomware operators.
Among the key discoveries:
The group used Rclone, a cloud storage tool, to exfiltrate stolen data to MEGA, a popular cloud storage service. In some cases, they even installed the MEGA client directly onto victims’ systems.
BlackLock members created at least eight MEGA accounts using disposable YOPmail email addresses to store stolen data.
A reverse engineering analysis of BlackLock’s ransomware strain uncovered similarities with another ransomware variant known as DragonForce, which has previously targeted organisations in Saudi Arabia. While DragonForce is written in Visual C++, BlackLock’s ransomware is coded in Go.
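The Rclone-to-MEGA exfiltration and the disposable-mail MEGA accounts described above are the kind of activity a SOC can hunt for in process-creation telemetry. The following is an added example written for this page, not code from the article or from Resecurity; the event records are constructed, and the field names (host, image, cmdline) are a simplified assumption rather than any real EDR schema.

```python
"""Flag likely Rclone/MEGA exfiltration in constructed process-creation events."""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    {"host": "fs01", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance mega:dump --transfers 8 -P"},
    {"host": "ws17", "image": r"C:\Program Files\MEGAsync\MEGAsync.exe",
     "cmdline": r"MEGAsync.exe"},
    {"host": "ws22", "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r"robocopy.exe D:\Share \\nas01\backup /MIR"},
    {"host": "fs01", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe config create mega mega user x@yopmail.com pass hunter2"},
]

MEGA_CLIENTS = {"megasync.exe", "megacmd.exe", "mega-cmd.exe"}  # MEGA desktop/CLI binaries
EXFIL_VERBS = {"copy", "sync", "move", "copyto", "moveto"}       # rclone bulk-transfer verbs
REMOTE_RE = re.compile(r"^[A-Za-z0-9_-]+:")                      # rclone "remote:path" syntax
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")                           # exclude Windows drive letters

@dataclass
class Finding:
    host: str
    reason: str
    cmdline: str

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> Optional[Finding]:
    """Return a Finding when the event looks like MEGA-client or rclone exfil activity."""
    image, cmd = _basename(event["image"]), event["cmdline"]
    if image in MEGA_CLIENTS:
        return Finding(event["host"], "MEGA desktop/CLI client launched", cmd)
    if image != "rclone.exe":
        return None
    args = [a.strip('"') for a in shlex.split(cmd, posix=False)[1:]]
    lowered = [a.lower() for a in args]
    # "rclone config create <name> mega ..." defines a MEGA remote on the host
    if lowered[:2] == ["config", "create"] and "mega" in lowered[2:5]:
        return Finding(event["host"], "rclone remote of type 'mega' configured", cmd)
    # "rclone copy|sync|move <local> <remote:path>" is a bulk transfer to a cloud remote
    if lowered and lowered[0] in EXFIL_VERBS:
        remotes = [a for a in args[1:] if REMOTE_RE.match(a) and not DRIVE_RE.match(a)]
        if remotes:
            return Finding(event["host"], f"rclone {lowered[0]} to remote {remotes[0]}", cmd)
    return Finding(event["host"], "rclone executed without recognised transfer verb (review)", cmd)

def scan(events: List[dict]) -> List[Finding]:
    return [f for f in (classify(e) for e in events) if f is not None]
```

Pairing these findings with network telemetry for MEGA endpoints and with alerts on newly created rclone.conf files gives corroborating signals beyond the command line alone.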
Cybercriminals Turning On Each Other
In a surprising twist, BlackLock’s DLS was defaced by DragonForce on 20 March 2025, likely using the same LFI vulnerability or a similar exploit. The defacement included leaked configuration files and internal chat logs displayed on the site.
This came just a day after a similar attack targeted the leak site of Mamona, a short-lived ransomware project that was launched by BlackLock’s main operator, known as “$$$”, on 11 March 2025.
“It is unclear if BlackLock Ransomware (as a group) started cooperating with DragonForce Ransomware or silently transitioned under new ownership,” Resecurity noted. “The new masters likely took over the project and its affiliate base as part of the ongoing consolidation in the ransomware market, realising that the previous operators had been compromised.”
Resecurity added that “$$$” did not react publicly to the takedown of BlackLock and Mamona, suggesting that the individual may have been aware of the breach and chose to quietly exit the scene.
Implications For Cybersecurity
The exposure of BlackLock’s infrastructure is a rare instance of “hacking the hackers,” where cybersecurity experts turn the tables on cybercriminals. The incident highlights both the vulnerabilities that exist within cybercriminal networks and the ongoing battle between security researchers and ransomware operators.
With the growing sophistication of ransomware groups and their recruitment of new affiliates, cybersecurity experts stress the need for businesses to adopt robust security measures, including threat intelligence monitoring and proactive vulnerability assessments, to stay ahead of evolving threats.