In what is a case of hacking the hackers, threat hunters managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering important information about its mode of operation.
The researchers stated that they identified a security vulnerability in the data leak site (DLS) operated by the e-crime group, which made it possible to extract configuration files, credentials, and the history of commands executed on the server.
The flaw concerns "a certain misconfiguration on the Data Leak Site (DLS) of BlackLock Ransomware, leading to clearnet IP addresses related to their network infrastructure behind TOR hidden services (hosting them) and additional service information," the company noted.
It described the acquired command history as one of the biggest operational security (OPSEC) failures of BlackLock Ransomware.
BlackLock is a rebranded version of another ransomware group known as Eldorado. It has since become one of the most active extortion syndicates of 2025, actively targeting the technology, manufacturing, construction, finance and retail sectors. As of last month, it listed 46 victims on its site.
The affected organizations are located in Argentina, Aruba, Brazil, Canada, Congo, Croatia, Peru, France, Italy, the Netherlands, Spain, the United Arab Emirates, the United Kingdom and the USA.
The group, which announced the launch of an underground affiliate network in mid-January 2025, has also been observed actively recruiting traffers to facilitate the early stages of attacks, directing victims to malicious pages that deploy malware capable of establishing initial access to compromised systems.
The vulnerability uncovered by the researchers is a local file inclusion (LFI) bug: it essentially tricks the web server into leaking sensitive information via path traversal, including the history of commands executed on the leak site.
Some of the notable findings are listed below:
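The LFI-via-path-traversal pattern mentioned above, shown from a defender's side as an added example (not code from the article or from any party it describes): a naive path join that lets `../` segments escape the web root, the hardened resolver that decodes, normalises and then enforces containment, and a small scanner that flags traversal attempts in access-log lines. The web root, log lines and IP addresses are constructed for illustration.

```python
"""Added example: the local file inclusion (LFI) pattern and a hardened resolver.

Not code from the article or from any party it describes; the web root and
the access-log lines below are constructed for illustration.
"""
import os
import posixpath
import re
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Constructed web root; it does not need to exist for the checks below.
WEB_ROOT = Path("/var/www/leaksite/public")


def resolve_vulnerable(web_root: Path, requested: str) -> str:
    """Naive join: '../' segments in `requested` walk out of the web root.

    This is the shape of bug the article describes: the server trusts the
    client-supplied path, so a traversal sequence reaches arbitrary files.
    """
    return os.path.normpath(os.path.join(str(web_root), requested))


def resolve_hardened(web_root: Path, requested: str) -> Optional[Path]:
    """Decode, normalise, then require the result to stay inside web_root.

    Returns the safe absolute path, or None when the request must be rejected.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:  # NUL-byte truncation tricks in older runtimes
        return None
    # Treat backslashes as separators so Windows-style traversal is normalised too.
    normalised = posixpath.normpath(decoded.replace("\\", "/"))
    root = web_root.resolve()
    candidate = (root / normalised).resolve()
    # Checking containment after resolution catches '../', absolute paths and
    # symlink escapes alike (Path.is_relative_to needs Python 3.9+).
    if not candidate.is_relative_to(root):
        return None
    return candidate


def is_traversal_attempt(raw_path: str) -> bool:
    """Flag request paths containing a '../' segment after decoding.

    Decoding twice also surfaces double-encoded forms such as '%252e%252e/'.
    """
    decoded = unquote(unquote(raw_path)).replace("\\", "/")
    return "../" in decoded or decoded.endswith("/..")


# Constructed access-log lines in common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2025:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
10.0.0.9 - - [20/Mar/2025:10:01:07 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1830
10.0.0.9 - - [20/Mar/2025:10:01:09 +0000] "GET /index.php?page=..%2f..%2f.bash_history HTTP/1.1" 200 9402
10.0.0.7 - - [20/Mar/2025:10:02:00 +0000] "GET /css/site.css HTTP/1.1" 200 2201
"""

# Captures the client IP and the request path of a GET/POST line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')


def find_traversal_requests(log_text: str) -> list:
    """Return (client_ip, request_path) pairs for lines that look like LFI probes."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if match and is_traversal_attempt(match.group(2)):
            hits.append((match.group(1), match.group(2)))
    return hits


if __name__ == "__main__":
    print("naive join  ->", resolve_vulnerable(WEB_ROOT, "../../../../etc/passwd"))
    print("hardened    ->", resolve_hardened(WEB_ROOT, "../../../../etc/passwd"))
    for ip, path in find_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

The important design choice is that the hardened resolver does not try to strip `../` substrings (which is easy to bypass) but resolves the candidate path and then checks that it still lies under the web root; the log scanner complements that with a detection for the probing that precedes a successful leak.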
- Use of Rclone to exfiltrate data to the MEGA cloud storage service, in some cases even installing the MEGA client directly on victim systems
- The threat actors created at least eight accounts on MEGA using disposable email addresses generated through YOPmail (e.g., "Zubinnecrouzo-6860@yopmail.com")
- Reverse engineering of the ransomware revealed source code and ransom note overlaps with another ransomware strain codenamed DragonForce, which has targeted organizations in Saudi Arabia (while DragonForce is written in Visual C++, BlackLock uses Go)
- "$$$", one of BlackLock's main operators, launched a short-lived ransomware project called Mamona on March 11, 2025
In an intriguing twist, BlackLock's DLS was defaced by DragonForce on March 20, most likely using the same LFI vulnerability (or something similar), with configuration files and internal chats leaked on its page. The day before, the DLS of Mamona Ransomware was also defaced.
"It is unclear whether BlackLock Ransomware (as a group) started cooperating with DragonForce Ransomware or silently moved under new ownership," the researchers said. "The new masters most likely took over the project and their affiliate base as part of the consolidation of the ransomware market, realizing their predecessors may have been compromised."
"The key actor '$$$' did not express any surprise after the incidents involving BlackLock and Mamona Ransomware. Perhaps the actor was fully aware that his operations could already be compromised, so a silent 'exit' from the previous project could have been the most rational option."