Sunday, May 25, 2025
HomeCyber AttackBlacklock Ransomware Infrastructure Breached, Revealing Planned Attacks

Blacklock Ransomware Infrastructure Breached, Revealing Planned Attacks

Published on

SIEM as a Service

Follow Us on Google News

Resecurity, a prominent cybersecurity firm, has successfully exploited a vulnerability in the Data Leak Site (DLS) of Blacklock Ransomware, gaining unprecedented access to the group’s infrastructure.

This breach, occurring during the winter of 2024-2025, allowed researchers to collect substantial intelligence about the ransomware group’s activities and planned attacks.

Exploitation of Local File Include Vulnerability

The compromise was achieved through the exploitation of a Local File Include (LFI) vulnerability present in the DLS hosted on the TOR network.

- Advertisement - Google News

This security flaw enabled Resecurity’s analysts to acquire critical artifacts related to the threat actors’ network infrastructure, including logs, associated file-sharing accounts, and timestamps of logins.

Uncovering Planned Attacks and Victim Data

Leveraging the gained access, Resecurity was able to collect information about planned data publications from victims up to 13 days before the threat actors intended to release it.

In one instance, the firm alerted the Canadian Centre for Cyber Security about an impending attack on a Canada-based victim nearly two weeks before the planned data leak.

The breach also revealed the group’s use of MEGA, a popular file-sharing service, for storing and transferring stolen data.

Researchers identified at least eight email accounts associated with MEGA folders managed by Blacklock Ransomware, providing insight into their data exfiltration methods.

Blacklock Ransomware
email account registered

The investigation uncovered potential links between Blacklock Ransomware and other cybercriminal groups.

Code similarities were found between Blacklock and DragonForce ransomware, suggesting possible cooperation or a transition of ownership.

This discovery highlights the dynamic nature of the ransomware ecosystem and the potential for market consolidation among cybercriminal groups.

The Blacklock Ransomware DLS was defaced and technically liquidated, with configuration files being publicly disclosed.

This event, along with the compromise of the related Mamona ransomware project, suggests a significant disruption to the group’s operations and a potential shift in the ransomware landscape.

This breach of Blacklock Ransomware’s infrastructure provides valuable insights into the operations of ransomware groups and demonstrates the effectiveness of proactive cybersecurity measures in combating these threats.

As the ransomware ecosystem continues to evolve, such intelligence-gathering efforts play a crucial role in understanding and mitigating cyber risks.

Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...