
A new report by Resecurity details the rise and fall of the BlackLock Ransomware-as-a-Service (RaaS) operation, revealing how researchers infiltrated the group’s infrastructure and disrupted their activities.
BlackLock, also known as “El Dorado” or “Eldorado,” emerged in March 2024 and quickly escalated its malicious activities. Resecurity noted the group’s alarming growth, stating that in Q4 of last year, it increased its number of data leak posts by a staggering 1,425% quarter-on-quarter. The report indicated that BlackLock’s rapid acceleration of attacks positioned it to potentially become the most dominant RaaS group in 2025.
Resecurity’s intrusion into BlackLock’s operations began around the Christmas and winter holidays, a period cybercriminals typically favor for launching attacks. During this window, Resecurity identified and exploited a vulnerability in BlackLock’s Data Leak Site (DLS) on the TOR network. This access allowed Resecurity analysts to gather substantial intelligence about BlackLock’s activities.
The infiltration provided Resecurity’s HUNTER team with access to critical and previously undisclosed information, including:
- Threat actors’ network infrastructure
- Logs
- Involved ISPs and hosting providers
- Timestamps of logins
- Associated file-sharing accounts at MEGA, used to store stolen data
Resecurity emphasized the significance of this access, stating: “A successful compromise of BlackLock’s DLS allowed to uncover a trove of information about the threat actors and their Modus Operandi (MO), but more importantly, to predict and prevent some of their planned attacks and protect undisclosed victims by alerting them.”
Resecurity highlighted its proactive approach to combating ransomware activity, arguing that simply reporting on victim counts is insufficient. The report asserts: “Resecurity believes the proactive, practical approach to disrupting cybercriminal chains is the key catalyst to combat ransomware activity worldwide. Blacklock ransomware compromise is a unique case when offensive cyber, combined with threat intelligence research capabilities, facilitated investigation workflow to uncover critical insights and target the actors regardless of how sophisticated their operations are.”
As of February 10, 2025, Resecurity identified 46 victims across various sectors, including electronics, academia, defense, healthcare, and government agencies. The impacted organizations were located in several countries across the globe.
BlackLock employed various tactics, including using an anonymous email service called Cyberfear.com for communication. They also established an affiliate network, inviting other cybercriminals to distribute their ransomware.
Interestingly, BlackLock’s affiliate program had rules against targeting victims in BRICS countries (including Russia and China) and the Commonwealth of Independent States (CIS).
Resecurity’s investigation revealed that the actor behind BlackLock Ransomware, known as “$$$,” was also linked to two other ransomware projects: El Dorado and Mamona Ransomware. The report notes: “This is a unique case when the same ransomware operator could manage three projects, successfully transitioning from one to another.”
Resecurity’s successful exploitation of a vulnerability in BlackLock’s DLS allowed its analysts to gather sensitive server-side information, including configuration files and credentials. The report emphasizes the significance of this breach: “The acquired history of commands was probably one of the biggest OPSEC failures of Blacklock Ransomware.”
This access gave Resecurity valuable insight into BlackLock’s operations, including how the group managed stolen data through the MEGA file-sharing service.
By leveraging offensive cyber tactics and threat intelligence, Resecurity gained unprecedented access into the group’s activities, ultimately hindering their ability to extort victims and providing valuable intelligence to protect potential targets.