The BlackLock ransomware group has become one of the most prolific operators in the Ransomware as a Service (RaaS) ecosystem, with experts warning it could accelerate its growth over the next year.
Also known as El Dorado, BlackLock was ranked as the seventh most active ransomware group based on the number of posts on its data leak site by the end of 2024, marking a 1,425% growth from Q3.
Security firm ReliaQuest recently published research on the group and its rise to prominence, detailing its TTPs and why the operation has seen so much success in recent years.
The group was among the top three most active collectives on the RAMP forum, whose community listed BlackLock among the top ransomware operators in terms of their reputation on the site.
Reliaquest noted that BlackLock’s rise has been both “swift and strategic” and predicted that if the group’s activity continues at this pace it will go on to become the most active ransomware group in 2025.
The group is known to use double extortion tactics whereby they encrypt data while also stealing sensitive information, hoping to exert more pressure on victims with the potential threat of exposing the stolen information.
Its ransomware is custom-built to target Windows, VMWare ESXi, and Linux environments, although Reliquest noted that the Linux variant is less mature than its Windows counterpart.
Why BlackLock stands out from the crowd
The report identifies a number of ways in which BlackLock has set itself apart in what is a highly competitive digital extortion landscape, firstly with what it describes as an unusual leak site that uses a combination of unique tricks aimed at preventing researchers from downloading stolen data.
The site is “packed” with a number of features that Reliaquest speculates are intended to prevent targeted organizations from assessing the scope of their breaches.
“This, in turn, ramps up pressure on the organizations to quickly pay ransoms, often before they can fully evaluate the situation,” researchers said.
“These features also highlight BlackLock’s technical sophistication, reinforcing its reputation as a polished, professional operation.”
RELATED WHITEPAPER
BlackLock’s use of custom-built malware is another indicator of their sophistication, Reliaquest added, which it said is a hallmark of top-tier groups such as Qlin or Play.
Competing groups like Bl00dy, Dragonforce, and RA World rely on externally developed ransomware builders such as leaked versions of Babuk or LockBit, the report notes, whereas BlackLock develops its own bespoke malware.
“While leaked ransomware builders are easy to use, they come with a major drawback: Security researchers can access and dissect the code, find weaknesses, and develop defenses against them. In contrast, BlackLock’s custom malware keeps researchers in the dark — at least until its source code is leaked.”
Reliaquest also reported the group has been actively recruiting affiliates known as ‘traffers’ to support the earlier stages of their attacks, whereas it has been far more discreet when looking to bring higher-level developers on board.
BlackLock targets need to be wary
The report identified potential indicators for BlackLock’s next major targets, citing forum activity that would suggest the group plans on exploiting Microsoft Entra Connect in an upcoming campaign.
A user known to represent BlackLock was found sharing security research on how attackers could abuse Entra Connect’s synchronization mechanism to manipulate user attributes and compromise on-prem environments.
“For organizations managing multiple domains under one tenant, this tactic creates a significant risk of privilege escalation and the potential for a major breach. While the blog describes the attack hypothetically, its feasibility and potential impact make it a serious concern.,” Reliaquest warned.
As a result, organizations should reassess the security of their infrastructure now, Reliaquest urged, stating that in particular, they should look to harden their rules around sensitive attributes, monitor and restrict key registrations, and enforce conditional access policies.
MORE FROM ITPRO
- Life after LockBit: A fragmented landscape and wayward affiliates will still cause chaos for enterprises
- 8Base ransomware members snared in global police crackdown
- Cisco dispels Kraken data breach claims, insists stolen data came from old attack
-
Should AI PCs be part of your next hardware refresh?AI PCs are fast becoming a business staple and a surefire way to future-proof your business
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Seized database helps Europol snare botnet customers in ‘Operation Endgame’ follow-up stingNews Europol has detained several people believed to be involved in a botnet operation as part of a follow-up to a major takedown last year.
-
This potent malware variant can hijack your Windows PC, steal passwords, and more: Neptune RAT is spreading on GitHub, Telegram, and even YouTube – and experts warn 'anyone could use it to launch attacks'News Neptune RAT can hijack Windows PCs and steal passwords – and it's spreading fast
-
Warning issued over ‘fast flux’ techniques used to obscure malicious signals on compromised networksNews Cybersecurity agencies have issued a stark message that too little is being done to sniff out malware hiding in corporate networks
-
Law enforcement needs to fight fire with fire on AI threatsNews UK law enforcement agencies have been urged to employ a more proactive approach to AI-related cyber crime as threats posed by the technology accelerate.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticedNews Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attackTroy Hunt, the security blogger behind data-breach site Have I Been Pwned, has fallen victim to a phishing attack targeting his email subscriber list.
-
Fake file converter tools are on the rise – here’s what you need to knowNews The FBI has issued an alert over the rise of fake file converter tools available online after observing a spate of scams and ransomware attacks.
