Security firm hacks ransomware gang, cripples operations


BlackLock Ransomware, a newly established gang also known as El Dorado, was on track to become one of the most prolific cybercrime rings. However, Resecurity, a cybersecurity firm, found a flaw in its data leak site and hacked into the hackers’ infrastructure.

Resecurity researchers have announced they crippled a major threat actor. They identified a vulnerability affecting BlackLock’s data leak site on the dark web in late 2024.

The researchers exploited it to collect substantial intelligence about the gang’s activity beyond what was visible on its public site, including important credentials.


“Our analysts from the HUNTER team have been covertly acquiring critical and previously undisclosed artifacts related to threat actors' network infrastructure, logs, ISPs and hosting providers involved, timestamps of logins, associated file-sharing accounts at MEGA, the group created to store stolen data from the victims,” the Resecurity team explains.

The firm’s threat researchers uncovered a trove of information about BlackLock, which helped to predict and prevent some of their planned attacks against undisclosed victims.

Resecurity also took over the hackers’ infrastructure and warned police and cybersecurity teams days before BlackLock planned to leak victims’ data, stopping the leaks.

“The proactive, practical approach to disrupting cybercriminal chains is the key catalyst to combat ransomware activity worldwide,” the firm believes.

“BlackLock ransomware compromise is a unique case when offensive cyber, combined with threat intelligence research capabilities, facilitated investigation workflow to uncover critical insights and target the actors regardless of how sophisticated their operations are.”

Currently, BlackLock’s data leak site is defaced by another ransomware gang. It exposes the gang’s secrets and even leaks a conversation, presumably between a gang member and one of their victims. It appears that BlackLock’s operators abandoned their infrastructure and affiliates have already shifted elsewhere.

BlackLock was active from March 2024, when it rapidly accelerated attacks. By Q4 2024, it ranked as the 7th most prolific ransomware group on data-leak sites, fueled by a staggering 1,425% increase in activity from Q3, according to the ReliaQuest report.

Resecurity identified at least 46 of its victims, spanning electronics, academia, religious organizations, defense, healthcare, technology, IT/MSP vendors, and government agencies. The actual number is likely much higher.


How did the disruption happen?

BlackLock’s data leak site had a severe security flaw known as a Local File Inclusion (LFI) vulnerability. A flaw of this kind lets an outsider trick the web application into returning files from its own server that were never meant to be exposed.

This allowed the researchers to retrieve sensitive server-side configuration details and login credentials. They also extracted plain-text server logs, SSH credentials, and command-line histories, and demonstrated the process in a video clip.
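To make the bug class concrete, here is an added illustration of what a Local File Inclusion defect looks like in a file-serving handler, next to a hardened version. It is not code from the article or from Resecurity, and it says nothing about how BlackLock’s site was built; the web root, the “secret” configuration file one level above it, and all file contents are constructed inside a temporary directory so the example runs offline.

```python
"""Added illustration of the Local File Inclusion (LFI) bug class.

Not code from the article or from Resecurity; the directory layout and file
contents are constructed in a temporary directory for the demonstration.
"""
import os
import tempfile
from pathlib import Path


def build_fixture() -> tuple[str, str]:
    """Create a throwaway layout: a web root holding one public page, and a
    configuration file one level above it that must never be served."""
    base = Path(tempfile.mkdtemp(prefix="lfi-demo-"))
    web_root = base / "www"
    web_root.mkdir()
    (web_root / "index.html").write_text("public page", encoding="utf-8")
    secret = base / "db.conf"  # constructed stand-in for server-side config
    secret.write_text("db_password=constructed-example", encoding="utf-8")
    return str(web_root), str(secret)


def serve_unsafe(web_root: str, requested: str) -> str:
    """The defect: the request value is joined onto the web root and opened with
    no check that the result still lies inside it. '..' segments walk out of
    the directory, and an absolute value makes os.path.join drop the root."""
    path = os.path.join(web_root, requested)
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def resolves_inside(web_root: str, requested: str) -> bool:
    """Canonicalise both paths (which also follows symlinks) and accept the
    request only if the target is the root itself or one of its descendants."""
    root = Path(web_root).resolve()
    target = (root / requested).resolve()
    return target == root or root in target.parents


def serve_safe(web_root: str, requested: str) -> str:
    """Hardened handler: refuse anything that escapes the web root, then serve
    only regular files. The error message never echoes the resolved path."""
    if not resolves_inside(web_root, requested):
        raise PermissionError("request refused")
    target = (Path(web_root).resolve() / requested).resolve()
    if not target.is_file():
        raise FileNotFoundError("not found")
    return target.read_text(encoding="utf-8")


if __name__ == "__main__":
    root, secret = build_fixture()
    print("unsafe, normal request :", serve_unsafe(root, "index.html"))
    print("unsafe, traversal      :", serve_unsafe(root, "../db.conf"))
    print("safe, normal request   :", serve_safe(root, "index.html"))
    for bad in ("../db.conf", secret):
        try:
            serve_safe(root, bad)
        except PermissionError as exc:
            print(f"safe, {bad!r:<40} -> {exc}")
```

The hardened version relies on resolving the final path and comparing it against the resolved web root rather than on stripping `..` from the input, because string filtering is easy to get wrong and does nothing about absolute paths or symlinks. The same pattern applies to any parameter that selects a file on the server, including template names and download identifiers.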

“Resecurity invested substantial time in hash-cracking threat actors’ accounts to take over the infrastructure,” the report reads.

“The acquired history of commands was probably one of the biggest OPSEC failures of BlackLock ransomware.”

The collected logs included copy-pasted credentials and a detailed chronology of victims’ data publication.

“Ironically, one of the passwords copied by one of the actors managing the BlackLock ransomware server was valid for several other associated accounts used by the group.”

The gang stored stolen data on MEGA cloud storage, using at least eight accounts created with disposable YOPmail email addresses. For communication with the victims, the group used an email account registered via Cyberfear.com, an anonymous email service.

“The most notable IP addresses originated from China and Russia,” Resecurity said.

While the threat actors could have been using proxies, their posts on cybercrime forums were also notably written in Russian and Chinese. Their affiliates were instructed not to target the BRICS alliance or the Commonwealth of Independent States (CIS).


Resecurity monitored BlackLock ransomware’s accounts and terabytes of data flows. The researchers also discovered overlaps with two other ransomware projects: El Dorado and Mamona ransomware.

Resecurity alerted global authorities in Canada, France and elsewhere to share intelligence about planned BlackLock data leaks.

On February 26th, 2025, Resecurity even contacted BlackLock’s representative, who managed the affiliate network. Through this contact, they obtained malicious samples of ransomware payloads designed for various OSes.

Two days later, the threat actor suddenly started talking about a possible “exit” scenario.

Operations taken over by another gang: DragonForce

Another ransomware gang, DragonForce, defaced BlackLock’s and Mamona’s data leak sites around March 20th, 2025.


“It seems DragonForce wanted to shame the group and compromise their operations to eliminate competitors. On the other hand, such tactics could also be used as a ‘false flag,’” the researchers speculate.

The reverse-engineered older ransomware samples revealed an almost identical codebase used by both BlackLock and DragonForce.

“It is unclear if BlackLock ransomware started cooperating with DragonForce ransomware or silently transitioned under the new ownership. The new masters likely took over the project and their affiliate base because of ransomware market consolidation, understanding their previous successors could be compromised.”


BlackLock is now technically liquidated, and DragonForce will benefit from the changes “as one of the most robust groups having strong technical capabilities and organization.”

Resecurity believes that BlackLock won’t be able to recover due to the significant damage it suffered and affiliates’ concerns about multiple OPSEC failures. They expect DragonForce to accelerate malicious activities significantly.