
BlackLock ransomware is quietly accelerating its activities, becoming a name to watch in the cyber threat landscape.
BlackLock ransomware, first identified in March 2024, has rapidly risen within the ransomware-as-a-service (RaaS) ecosystem and has the potential to become the most active ransomware gang of 2025.
According to findings by cybersecurity firm ReliaQuest, the gang's activity shot up by 1,425% in the last quarter of 2024, making it the seventh most active ransomware group. The findings show that the gang stands out from other ransomware gangs through several distinct features and tactics.
While competitor ransomware groups rely on leaked Babuk or LockBit builders to launch attacks, BlackLock sets itself apart by creating its own custom malware.
Although leaked ransomware builders are a go-to solution, they have a downside. Security researchers can analyze the code, identify vulnerabilities, and develop a response. In contrast, BlackLock’s custom malware remains elusive to researchers – at least until its source code is exposed.
The gang employs double extortion tactics, encrypting and exfiltrating victim data, and threatening public disclosure to pressure payments. The ransomware is designed to infiltrate Windows, VMware ESXi, and Linux systems, though the Linux variant is less feature-rich than its Windows counterpart.
BlackLock uses a custom leak site, which also contributes to the effectiveness of its operations. “Unlike most other leak sites, BlackLock’s platform is packed with features likely designed to prevent targeted organizations from assessing the scope of their breaches,” say the researchers.
“This, in turn, ramps up pressure on the organizations to quickly pay ransoms, often before they can fully evaluate the situation,” they add.
The gang primarily operates on the Russian-language cybercriminal forum RAMP to attract affiliates and actively recruit key players, known as traffers, to support the early stages of ransomware attacks. Such early stages include driving malicious traffic, steering victims to harmful content, and helping establish initial access for campaigns.
“Recruitment posts for traffers explicitly outline requirements, signaling BlackLock’s urgency to bring on candidates quickly – often prioritizing speed over operational security.”
Posts for higher-level developer and programmer roles are much more discreet, with details and resumes shared privately. These positions likely require greater trust, offer higher compensation, and demand a long-term commitment, making the recruitment process more selective and cautious.
It’s notable that affiliate recruitment posts often emerge before major attack waves, pointing to a possible link with BlackLock’s attack strategy.