Skip to content
Ransomware group

BlackLock

BlackLock is a ransomware-as-a-service (RaaS) operation first observed in March 2024.

Profile source: Mallory opens in a new tab

BlackLock

Family profile

BlackLock is a ransomware-as-a-service (RaaS) operation first observed in March 2024. It initially operated as El Dorado/Eldorado, later rebranded to BlackLock in late 2024, and some reporting links it to a later GLOBAL GROUP rebrand; content also links the operator alias "$$$" to BlackLock, El Dorado, and Mamona. The group is associated with Russian-speaking cybercriminals and has advertised on the RAMP forum, including affiliate recruitment and rules prohibiting targeting of BRICS and CIS countries. Reporting describes aggressive recruitment of affiliates, traffers, developers, and initial access brokers, with revenue shares up to 85% for larger ransom payments.

BlackLock uses double extortion, stealing data and encrypting files before threatening publication on its data leak site. The ransomware is written in Go and is described as cross-platform, targeting Windows, Linux, and VMware ESXi environments. Technical reporting states it can scan and access SMB shares using go-smb2, supports numerous command-line options controlling encryption scope, timing, threading, network behavior, and ESXi-related execution, and in some samples defaults to encrypting the full local drive if no options are supplied. It drops ransom notes such as HOW_RETURN_YOUR_DATA.TXT, renames files with random extensions, and deletes recovery artifacts including Volume Shadow Copies and Recycle Bin contents. Encryption has been described as using XChaCha20/ChaCha20 with per-file random keys and nonces, with appended encrypted metadata protected via ECDH-derived shared keys and secretbox; other reporting describes ChaCha20 or XChaCha20 with RSA-OAEP for key wrapping.

Observed and reported tradecraft includes interest in VMware ESXi and broader virtualization-focused attacks. One reported ESXi playbook includes enumerating /vmfs/volumes/, killing running VMs with esxcli vm process kill, and encrypting .vmdk and .vmx files. Related reporting ties analyzed artifacts to a likely BlackLock affiliate intrusion chain involving a malicious LNK file disguised as FAKE_CAPTCHA.lnk (SHA256: 9b2637b8fefeedf8dca8a0ace491de05b6d937ea7463b48562cd1a0f25abb9f5) and a second-stage loader heuristically detected as Fragtor (SHA256: 9d7e12eae6b593e582d8b2c3af3154a989977309dcffc7a85aedf0e047d4ca0b). Those artifacts were associated with paksecurity[.]org and techoption[.]org, with sandbox-linked IPs including 104[.]21[.]25[.]86 and 23[.]62[.]168[.]204. The LNK was described as a social-engineering vector likely delivered via phishing or fake support portals, triggering hidden PowerShell or command-line execution and living-off-the-land binaries to drop the next-stage loader; the loader was described as establishing persistence via scheduled tasks and beaconing to the identified domains.

Victimology in the content spans the United States, Europe, South Korea, Japan, and additional countries, with affected sectors including government, healthcare, manufacturing, education and research, consulting, transportation, construction, public institutions, technology, academia, defense, religious organizations, and IT/MSP vendors. BlackLock was also listed among ransomware variants frequently observed targeting European financial institutions. Multiple reports state the group’s leak-site activity surged sharply in late 2024, including a cited 1,425% quarter-on-quarter increase in Q4 2024.

The content also states BlackLock’s TOR-based data leak site was compromised through misconfiguration and a Local File Inclusion vulnerability, exposing internal information including configuration files, credentials, logs, infrastructure details, MEGA-based staging workflows, and chat logs. Reporting says DragonForce defaced the BlackLock leak site, and several sources note overlapping code structures and nearly identical ransom notes between BlackLock and DragonForce, although BlackLock is described as Go-based while DragonForce samples were described as C/C++ or VC++ based. Additional indicators mentioned in the content include MD5 f392807da3ee1f3e9702ce5fa91d418d, AhnLab detections Ransom/MDP.Behavior.M2649, Ransom/MDP.Decoy.M1171, Trojan/Win.Generic.C5775331, and EDR detection Behavior/DETECT.Event.M2662.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Md5

1 total
  • f392807da3ee1f3e9702ce5fa91d418d

Reported operators

Threat actors

2 named in public reporting
DragonForce

analysis of the BlackLock ransomware ... revealed overlapping code structures with DragonForce ransomware, and the ransom notes were nearly identical.

$$$

Dubbed “BlackLock” (aka "El Dorado" or "Eldorado"), the ransomware-as-a-service (RaaS) outfit has existed since March 2024.

Exploited software

Vulnerabilities linked to BlackLock

2 CVEs

MITRE ATT&CK

BlackLock in ATT&CK

1 distinct techniques

Reporting

Research mentioning BlackLock

Apr 24
Detect

Analyzing GLOBAL GROUP (BlackLock) Artifacts | by SIMKRA | Apr, 2026 | Detect FYI

The investigation centered on two specific file hashes that I’ve found with the associated command-and-control domains that together have strong attribution to the BlackLock ransomware-as-a-service (RaaS) operation, also known historically as Eldorado or El Dorado and later rebranded as GLOBAL GROUP.

Apr 22
Help Net Security

Shadow AI, deepfakes, and supply chain compromise are rewriting the financial sector threat playbook - Help Net Security

Variants including Akira, Datacarry, and BlackLock were among the most frequently observed targeting European financial institutions.

Feb 4
Dark Reading

Ransomware Gang Goes Full 'Godfather' With Cartel

"...defaced the main leak site of rival BlackLock..."

Jan 19
Security Online Info

DragonForce: The Rise of a New "Ransomware Cartel" Built on LockBit and Conti DNA

The researchers uncovered evidence linking DragonForce to BlackLock... they defaced the BlackLock data leak site.

Jan 14
Medium S2wblog

Detailed Analysis of DragonForce Ransomware | by S2W | S2W BLOG | Medium

analysis of the BlackLock ransomware ... revealed overlapping code structures with DragonForce ransomware, and the ransom notes were nearly identical.

Jan 1
Sophos Threat Research

DragonForce targets rivals in a play for dominance | SOPHOS

The ‘cartel’ post coincided with defacements of leak sites operated by the BlackLock and Mamona ransomware groups.

Dec 10
Cso Online

Behind the breaches: Case studies that reveal adversary motives and modus operandi

BlackLock’s recent recruitment campaigns reveal an increasingly brazen and industrialized cybercrime ecosystem, one where threat actors no longer rely solely on stealth but openly solicit personnel to scale their operations. The group has been aggressively searching for “traffers,” a role dedicated to funneling compromised traffic and delivering ready-to-exploit victims.

Oct 23
Recorded Future

Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals

...conducting DDoS attacks and defacements against competitors’ extortion websites, such as BlackLock Blog and Mamona Blog. Both websites are variants of El Dorado Ransomware Group...

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.