Blacklock Ransomware Infrastructure Breached, Revealing Planned Attacks

Resecurity, a prominent cybersecurity firm, has successfully exploited a vulnerability in the Data Leak Site (DLS) of Blacklock Ransomware, gaining unprecedented access to the group’s infrastructure.

This breach, occurring during the winter of 2024-2025, allowed researchers to collect substantial intelligence about the ransomware group’s activities and planned attacks.

Exploitation of Local File Include Vulnerability

The compromise was achieved through the exploitation of a Local File Include (LFI) vulnerability present in the DLS hosted on the TOR network.

This security flaw enabled Resecurity’s analysts to acquire critical artifacts related to the threat actors’ network infrastructure, including logs, associated file-sharing accounts, and timestamps of logins.

Uncovering Planned Attacks and Victim Data

Leveraging the gained access, Resecurity was able to collect information about planned data publications from victims up to 13 days before the threat actors intended to release it.

In one instance, the firm alerted the Canadian Centre for Cyber Security about an impending attack on a Canada-based victim nearly two weeks before the planned data leak.

The breach also revealed the group’s use of MEGA, a popular file-sharing service, for storing and transferring stolen data.

Researchers identified at least eight email accounts associated with MEGA folders managed by Blacklock Ransomware, providing insight into their data exfiltration methods.

The investigation uncovered potential links between Blacklock Ransomware and other cybercriminal groups.

Code similarities were found between Blacklock and DragonForce ransomware, suggesting possible cooperation or a transition of ownership.

This discovery highlights the dynamic nature of the ransomware ecosystem and the potential for market consolidation among cybercriminal groups.

The Blacklock Ransomware DLS was defaced and technically liquidated, with configuration files being publicly disclosed.

This event, along with the compromise of the related Mamona ransomware project, suggests a significant disruption to the group’s operations and a potential shift in the ransomware landscape.

This breach of Blacklock Ransomware’s infrastructure provides valuable insights into the operations of ransomware groups and demonstrates the effectiveness of proactive cybersecurity measures in combating these threats.

As the ransomware ecosystem continues to evolve, such intelligence-gathering efforts play a crucial role in understanding and mitigating cyber risks.

Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free.