Thursday, May 8, 2025
HomeCyber AttackBlacklock Ransomware Infrastructure Breached, Revealing Planned Attacks

Blacklock Ransomware Infrastructure Breached, Revealing Planned Attacks

Published on

SIEM as a Service

Follow Us on Google News

Resecurity, a prominent cybersecurity firm, has successfully exploited a vulnerability in the Data Leak Site (DLS) of Blacklock Ransomware, gaining unprecedented access to the group’s infrastructure.

This breach, occurring during the winter of 2024-2025, allowed researchers to collect substantial intelligence about the ransomware group’s activities and planned attacks.

Exploitation of Local File Include Vulnerability

The compromise was achieved through the exploitation of a Local File Include (LFI) vulnerability present in the DLS hosted on the TOR network.

- Advertisement - Google News

This security flaw enabled Resecurity’s analysts to acquire critical artifacts related to the threat actors’ network infrastructure, including logs, associated file-sharing accounts, and timestamps of logins.

Uncovering Planned Attacks and Victim Data

Leveraging the gained access, Resecurity was able to collect information about planned data publications from victims up to 13 days before the threat actors intended to release it.

In one instance, the firm alerted the Canadian Centre for Cyber Security about an impending attack on a Canada-based victim nearly two weeks before the planned data leak.

The breach also revealed the group’s use of MEGA, a popular file-sharing service, for storing and transferring stolen data.

Researchers identified at least eight email accounts associated with MEGA folders managed by Blacklock Ransomware, providing insight into their data exfiltration methods.

Blacklock Ransomware
email account registered

The investigation uncovered potential links between Blacklock Ransomware and other cybercriminal groups.

Code similarities were found between Blacklock and DragonForce ransomware, suggesting possible cooperation or a transition of ownership.

This discovery highlights the dynamic nature of the ransomware ecosystem and the potential for market consolidation among cybercriminal groups.

The Blacklock Ransomware DLS was defaced and technically liquidated, with configuration files being publicly disclosed.

This event, along with the compromise of the related Mamona ransomware project, suggests a significant disruption to the group’s operations and a potential shift in the ransomware landscape.

This breach of Blacklock Ransomware’s infrastructure provides valuable insights into the operations of ransomware groups and demonstrates the effectiveness of proactive cybersecurity measures in combating these threats.

As the ransomware ecosystem continues to evolve, such intelligence-gathering efforts play a crucial role in understanding and mitigating cyber risks.

Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

LockBit Ransomware Group Breached: Internal Chats and Data Leaked Online

The notorious LockBit ransomware group, once considered one of the world’s most prolific cyber...

Cisco IOS XE Wireless Controllers Vulnerability Lets Attackers Seize Full Control

A critical security flaw has been discovered in Cisco IOS XE Wireless LAN Controllers...

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

LockBit Ransomware Group Breached: Internal Chats and Data Leaked Online

The notorious LockBit ransomware group, once considered one of the world’s most prolific cyber...

Cisco IOS XE Wireless Controllers Vulnerability Lets Attackers Seize Full Control

A critical security flaw has been discovered in Cisco IOS XE Wireless LAN Controllers...

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...