Introduction
In a compelling instance of turning the tables on cybercriminals, threat intelligence experts have successfully penetrated the infrastructure of BlackLock, a prominent ransomware group. This act of “hacking the hackers” has not only exposed key operational details but also revealed severe security lapses within the group’s systems. The findings highlight a pivotal moment in the ongoing battle between cybersecurity professionals and ransomware syndicates.
Uncovering the Vulnerability
Cybersecurity firm Resecurity discovered a critical vulnerability within BlackLock’s Data Leak Site (DLS). This flaw, attributed to a misconfiguration, allowed investigators to retrieve sensitive server data, including configuration files, credentials, and a complete history of executed commands. What made this breach particularly significant was the exposure of clearnet IP addresses that linked BlackLock’s TOR-based infrastructure to real-world locations and services, a major operational security (OPSEC) failure.
Tracing the Origins and Activities of BlackLock
BlackLock is widely recognized as the rebranded iteration of a previous ransomware entity known as Eldorado. Since its re-emergence, the group has rapidly ascended to become one of the most active ransomware syndicates in 2025. BlackLock has primarily targeted high-value sectors such as technology, construction, manufacturing, finance, and retail.
As of the latest reports, the group has listed 46 organizations on its data leak site. These victims span a broad geographical range, including countries like Argentina, Aruba, Brazil, Canada, Congo, Croatia, France, Italy, the Netherlands, Peru, Spain, the UAE, the UK, and the US.
The Mechanics Behind the Breach
The vulnerability exploited by Resecurity was identified as a Local File Inclusion (LFI) bug, reachable through path traversal: by supplying traversal sequences in a request, the analysts were able to read internal command histories and other backend files that would normally stay hidden behind the TOR hidden service.
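The LFI-via-path-traversal bug described above is the kind of request a site operator can spot in ordinary web-server access logs. The following is an added example, not code from the article or from Resecurity: it scans constructed combined-format log lines (the addresses, paths and timestamps are invented) for traversal sequences, decoding URL-encoded and double-encoded variants, and separates attempts that returned 200 from those that failed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines; they do not come from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2025:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.9 - - [20/Mar/2025:10:01:07 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1843
10.0.0.9 - - [20/Mar/2025:10:01:09 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2f.bash_history HTTP/1.1" 200 9921
10.0.0.9 - - [20/Mar/2025:10:01:11 +0000] "GET /index.php?page=%252e%252e%252fconfig.php HTTP/1.1" 404 221
10.0.0.7 - - [20/Mar/2025:10:01:15 +0000] "GET /static/logo.png HTTP/1.1" 200 4096
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status, size.
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)'
)
# A ".." segment followed by a separator (or end of string), not part of a longer name.
TRAVERSAL_RE = re.compile(r'(?<![\w.])\.\.(?:/|$)')


def normalise(target, rounds=3):
    """Percent-decode repeatedly so %2e%2e%2f and %252e (double-encoded) forms are caught."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace('\\', '/')


def find_traversal(log_text):
    """Return one record per request whose decoded target contains a traversal segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        src, ts, method, target, status, _size = m.groups()
        decoded = normalise(target)
        if TRAVERSAL_RE.search(decoded):
            hits.append({"src": src, "time": ts, "method": method,
                         "target": target, "decoded": decoded, "status": int(status)})
    return hits


def successful_reads(hits):
    """Traversal requests answered with 200: the cases where the inclusion most likely worked."""
    return [h for h in hits if h["status"] == 200]
```

Feeding real logs in is a matter of replacing `SAMPLE_LOG` with the file contents; the 200-status subset is the one worth alerting on first.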
This breach revealed BlackLock's use of Rclone, a command-line tool, for exfiltrating stolen data to MEGA cloud storage. In some cases, the attackers even installed the MEGA client directly on victim systems. Resecurity discovered that at least eight MEGA accounts were created using disposable YOPmail addresses for this purpose.
Connections to Other Ransomware Operations
Further reverse engineering of BlackLock’s ransomware tools revealed striking similarities with a separate ransomware variant known as DragonForce. DragonForce is developed in Visual C++, whereas BlackLock’s malware is written in Go, but the shared features in source code and ransom note styles point to a potential connection.
Interestingly, one of BlackLock's key operators—known by the alias “$$$”—launched another ransomware project named Mamona on March 11, 2025. However, this venture was short-lived, and both Mamona’s and BlackLock’s data leak sites were defaced shortly thereafter.
A Twist in the Tale: Internal Takeover or Strategic Exit?
On March 20, 2025, BlackLock’s DLS was defaced, allegedly by DragonForce. The defacement included leaks of configuration files and internal chat logs, suggesting another actor had exploited the same or similar vulnerability. Just a day earlier, the Mamona leak site had met a similar fate.
This sequence of events has led to speculation regarding a possible takeover. Resecurity hypothesizes that DragonForce may have absorbed BlackLock's infrastructure and affiliate network as part of a broader ransomware market consolidation. The operator “$$$” showed no public reaction to these incidents, suggesting he may have anticipated the compromise and opted for a silent exit.
Conclusion
The breach of BlackLock's infrastructure underscores the growing capabilities of threat intelligence firms in countering sophisticated cybercrime operations. Through the exploitation of a single misconfiguration, researchers managed to unveil the inner workings of a powerful ransomware group, potentially leading to its downfall or rebranding. While the full implications of this breach continue to unfold, it marks a decisive win for cybersecurity professionals and a warning to other cybercriminals: even the hackers can be hacked.