BlackLock DLS | Image: ASEC
The AhnLab Security Intelligence Center (ASEC) has released a detailed analysis of BlackLock, a relatively new ransomware group that has quickly risen to prominence in the cybercrime ecosystem. Believed to have emerged around March 2024, the group first revealed its operations publicly in June 2024 with the launch of its Dedicated Leak Site (DLS). As ASEC notes, “information on multiple affected companies had already been posted, suggesting that the gang had been active in secret for several months.”
Initially operating under the name El Dorado, the group rebranded to BlackLock around September 2024. According to ASEC, “BlackLock ransomware is written in Go, a cross-platform programming language. This allows the malware to target Windows, Linux, and VMware ESXi environments, indicating a broad attack surface and the ability to simultaneously compromise diverse operating systems.”
Most confirmed victims are located in the United States, spanning enterprises and local government agencies, but attacks have also been observed in South Korea, Japan, and other countries. Affected industries include public institutions, consulting, education and research, transportation, manufacturing, and even hospitality sectors like golf resorts.
BlackLock is designed with operational flexibility in mind. It supports multiple execution arguments such as -path (specific target path), -perc (percentage of file blocks to encrypt), and -sort (encrypt important folders first). These features allow attackers to fine-tune the encryption process.
ASEC highlights that, “upon execution, BlackLock ransomware supports various command-line arguments to enable or disable specific features. If launched without any options, it defaults to encrypting the entire local drive.”
For file encryption, BlackLock uses Go’s crypto library. It generates a unique FileKey and Nonce for every file and encrypts data with the XChaCha20 stream cipher. To protect decryption keys, the group employs Elliptic Curve Diffie-Hellman (ECDH), ensuring only the attacker can recover the shared key.
As ASEC explains, “to ensure files can be decrypted after ransom payment, BlackLock appends encryption key and metadata to the end of each file… The metadata is then encrypted using secretbox.Seal() with the shared key and Nonce.”
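To make the key handling described above concrete for responders, here is an added Go example (not code from ASEC's report or from the malware) that reproduces the key-wrapping structure with standard-library primitives only: a random per-file key, an ephemeral X25519 exchange against the operator's long-term public key, and the file key sealed under the derived shared key before being appended as a footer. AES-256-GCM stands in for secretbox because x/crypto is outside the standard library; the Footer layout, the function names and the key derivation (SHA-256 over the raw ECDH secret) are assumptions for illustration, not the sample's real format. The point is UnwrapFileKey: a footer carved out of an encrypted file yields nothing without the operator's private key, so recovery efforts should go toward backups and key disclosure, not the footer.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Footer stands in for the key material appended to each file (layout assumed).
type Footer struct {
	EphemeralPub []byte // one-time X25519 public key generated for this file
	Nonce        []byte // nonce used when sealing the file key
	SealedKey    []byte // per-file key encrypted under the ECDH shared key
}

// randomBytes returns n bytes from the OS CSPRNG; a demo may panic on failure.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newAEAD: AES-256-GCM stands in for secretbox (x/crypto is outside stdlib).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapFileKey mints a random per-file key and seals it to the operator's public key.
func WrapFileKey(operatorPub *ecdh.PublicKey) ([]byte, Footer, error) {
	fileKey := randomBytes(32)
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, Footer{}, err
	}
	secret, err := eph.ECDH(operatorPub) // raw X25519 shared secret
	if err != nil {
		return nil, Footer{}, err
	}
	shared := sha256.Sum256(secret) // hash to a uniform 32-byte key (assumption)
	aead, err := newAEAD(shared[:])
	if err != nil {
		return nil, Footer{}, err
	}
	nonce := randomBytes(aead.NonceSize())
	f := Footer{
		EphemeralPub: eph.PublicKey().Bytes(),
		Nonce:        nonce,
		SealedKey:    aead.Seal(nil, nonce, fileKey, nil),
	}
	return fileKey, f, nil
}

// UnwrapFileKey recovers the per-file key from a footer. It succeeds only with
// the private half of the key used in WrapFileKey; any other key fails authentication.
func UnwrapFileKey(operatorPriv *ecdh.PrivateKey, f Footer) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(f.EphemeralPub)
	if err != nil {
		return nil, err
	}
	secret, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	shared := sha256.Sum256(secret)
	aead, err := newAEAD(shared[:])
	if err != nil {
		return nil, err
	}
	key, err := aead.Open(nil, f.Nonce, f.SealedKey, nil)
	if err != nil {
		return nil, errors.New("wrong private key or tampered footer")
	}
	return key, nil
}

func main() {
	operator, _ := ecdh.X25519().GenerateKey(rand.Reader) // constructed operator keypair
	fileKey, footer, _ := WrapFileKey(operator.PublicKey())
	got, err := UnwrapFileKey(operator, footer)
	fmt.Println("operator recovers file key:", err == nil && bytes.Equal(got, fileKey))
	stranger, _ := ecdh.X25519().GenerateKey(rand.Reader) // any other private key
	_, err = UnwrapFileKey(stranger, footer)
	fmt.Println("any other key fails:", err != nil)
}
```

Because the ephemeral key is discarded after sealing, even the machine that performed the encryption holds nothing that reverses it; the only path back to the file key runs through the operator's private key, which is exactly the property the extortion model depends on.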
Infected systems display a ransom note titled HOW_RETURN_YOUR_DATA.TXT in every affected directory. ASEC notes that “if the ransom is not paid, the attackers warn they will disrupt the victim’s business website or leak sensitive data to customers and the public.”
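A ransom note dropped into every affected directory is also a cheap scoping indicator during response. The following added Go program (not from ASEC or the original post) walks a tree and lists every directory that contains HOW_RETURN_YOUR_DATA.TXT, which gives a first map of which shares and folders the encryptor reached. The sample directory layout is constructed inline; the case-insensitive match and the choice to skip unreadable subtrees rather than abort are design assumptions.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// RansomNoteName is the file name the article reports in every affected directory.
const RansomNoteName = "HOW_RETURN_YOUR_DATA.TXT"

// FindRansomNoteDirs walks root and returns, sorted and relative to root, every
// directory holding a ransom note. Matching is case-insensitive (an assumption,
// so the sweep behaves the same on case-folding filesystems). Unreadable
// subtrees are skipped rather than aborting the sweep; only a bad root is an error.
func FindRansomNoteDirs(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			if path == root {
				return walkErr
			}
			return nil
		}
		if d.IsDir() || !strings.EqualFold(d.Name(), RansomNoteName) {
			return nil
		}
		rel, err := filepath.Rel(root, filepath.Dir(path))
		if err != nil {
			return err
		}
		hits = append(hits, rel)
		return nil
	})
	sort.Strings(hits)
	return hits, err
}

// BuildSampleTree writes a constructed directory layout into a temp directory:
// two folders carrying a note (one nested) and one clean folder.
func BuildSampleTree() (string, error) {
	root, err := os.MkdirTemp("", "blacklock-note-demo-")
	if err != nil {
		return "", err
	}
	files := map[string]string{
		filepath.Join("docs", RansomNoteName):            "constructed ransom note placeholder",
		filepath.Join("docs", "q3-report.xlsx"):          "constructed encrypted payload",
		filepath.Join("docs", "reports", RansomNoteName): "constructed ransom note placeholder",
		filepath.Join("clean", "notes.txt"):              "untouched file",
	}
	for rel, body := range files {
		full := filepath.Join(root, rel)
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return "", err
		}
		if err := os.WriteFile(full, []byte(body), 0o644); err != nil {
			return "", err
		}
	}
	return root, nil
}

func main() {
	root, err := BuildSampleTree()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	dirs, err := FindRansomNoteDirs(root)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d directories contain %s:\n", len(dirs), RansomNoteName)
	for _, d := range dirs {
		fmt.Println("  ", d)
	}
}
```

WalkDir is used instead of Walk because it does not stat every file, which matters when sweeping large SMB shares; point the function at a mounted share root to get the same listing for a real incident.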

Unlike many ransomware families that issue simple command-line instructions, BlackLock deletes backups more covertly. As ASEC describes, “It constructs a COM object instance capable of executing WMI queries, which it uses to enumerate and delete shadow copies. This process is carried out by shellcode… making detection more difficult.”
While the group is actively targeting Windows and SMB network shares, the malware is also capable of being built for Linux and VMware ESXi, putting both enterprise servers and virtualized environments at risk.