Md5
1 totalf392807da3ee1f3e9702ce5fa91d418d
BlackLock is a ransomware-as-a-service (RaaS) operation first observed in March 2024.
Profile source: Mallory opens in a new tabBlackLock
BlackLock is a ransomware-as-a-service (RaaS) operation first observed in March 2024. It initially operated as El Dorado/Eldorado, later rebranded to BlackLock in late 2024, and some reporting links it to a later GLOBAL GROUP rebrand; content also links the operator alias "$$$" to BlackLock, El Dorado, and Mamona. The group is associated with Russian-speaking cybercriminals and has advertised on the RAMP forum, including affiliate recruitment and rules prohibiting targeting of BRICS and CIS countries. Reporting describes aggressive recruitment of affiliates, traffers, developers, and initial access brokers, with revenue shares up to 85% for larger ransom payments.
BlackLock uses double extortion, stealing data and encrypting files before threatening publication on its data leak site. The ransomware is written in Go and is described as cross-platform, targeting Windows, Linux, and VMware ESXi environments. Technical reporting states it can scan and access SMB shares using go-smb2, supports numerous command-line options controlling encryption scope, timing, threading, network behavior, and ESXi-related execution, and in some samples defaults to encrypting the full local drive if no options are supplied. It drops ransom notes such as HOW_RETURN_YOUR_DATA.TXT, renames files with random extensions, and deletes recovery artifacts including Volume Shadow Copies and Recycle Bin contents. Encryption has been described as using XChaCha20/ChaCha20 with per-file random keys and nonces, with appended encrypted metadata protected via ECDH-derived shared keys and secretbox; other reporting describes ChaCha20 or XChaCha20 with RSA-OAEP for key wrapping.
Observed and reported tradecraft includes interest in VMware ESXi and broader virtualization-focused attacks. One reported ESXi playbook includes enumerating /vmfs/volumes/, killing running VMs with esxcli vm process kill, and encrypting .vmdk and .vmx files. Related reporting ties analyzed artifacts to a likely BlackLock affiliate intrusion chain involving a malicious LNK file disguised as FAKE_CAPTCHA.lnk (SHA256: 9b2637b8fefeedf8dca8a0ace491de05b6d937ea7463b48562cd1a0f25abb9f5) and a second-stage loader heuristically detected as Fragtor (SHA256: 9d7e12eae6b593e582d8b2c3af3154a989977309dcffc7a85aedf0e047d4ca0b). Those artifacts were associated with paksecurity[.]org and techoption[.]org, with sandbox-linked IPs including 104[.]21[.]25[.]86 and 23[.]62[.]168[.]204. The LNK was described as a social-engineering vector likely delivered via phishing or fake support portals, triggering hidden PowerShell or command-line execution and living-off-the-land binaries to drop the next-stage loader; the loader was described as establishing persistence via scheduled tasks and beaconing to the identified domains.
Victimology in the content spans the United States, Europe, South Korea, Japan, and additional countries, with affected sectors including government, healthcare, manufacturing, education and research, consulting, transportation, construction, public institutions, technology, academia, defense, religious organizations, and IT/MSP vendors. BlackLock was also listed among ransomware variants frequently observed targeting European financial institutions. Multiple reports state the group’s leak-site activity surged sharply in late 2024, including a cited 1,425% quarter-on-quarter increase in Q4 2024.
The content also states BlackLock’s TOR-based data leak site was compromised through misconfiguration and a Local File Inclusion vulnerability, exposing internal information including configuration files, credentials, logs, infrastructure details, MEGA-based staging workflows, and chat logs. Reporting says DragonForce defaced the BlackLock leak site, and several sources note overlapping code structures and nearly identical ransom notes between BlackLock and DragonForce, although BlackLock is described as Go-based while DragonForce samples were described as C/C++ or VC++ based. Additional indicators mentioned in the content include MD5 f392807da3ee1f3e9702ce5fa91d418d, AhnLab detections Ransom/MDP.Behavior.M2649, Ransom/MDP.Decoy.M1171, Trojan/Win.Generic.C5775331, and EDR detection Behavior/DETECT.Event.M2662.
Ransomware.live
Ransomware.live
f392807da3ee1f3e9702ce5fa91d418dReported operators
analysis of the BlackLock ransomware ... revealed overlapping code structures with DragonForce ransomware, and the ransom notes were nearly identical.
Dubbed “BlackLock” (aka "El Dorado" or "Eldorado"), the ransomware-as-a-service (RaaS) outfit has existed since March 2024.
Exploited software
MITRE ATT&CK
Reporting
The investigation centered on two specific file hashes that I’ve found with the associated command-and-control domains that together have strong attribution to the BlackLock ransomware-as-a-service (RaaS) operation, also known historically as Eldorado or El Dorado and later rebranded as GLOBAL GROUP.
Variants including Akira, Datacarry, and BlackLock were among the most frequently observed targeting European financial institutions.
"...defaced the main leak site of rival BlackLock..."
The researchers uncovered evidence linking DragonForce to BlackLock... they defaced the BlackLock data leak site.
analysis of the BlackLock ransomware ... revealed overlapping code structures with DragonForce ransomware, and the ransom notes were nearly identical.
The ‘cartel’ post coincided with defacements of leak sites operated by the BlackLock and Mamona ransomware groups.
BlackLock’s recent recruitment campaigns reveal an increasingly brazen and industrialized cybercrime ecosystem, one where threat actors no longer rely solely on stealth but openly solicit personnel to scale their operations. The group has been aggressively searching for “traffers,” a role dedicated to funneling compromised traffic and delivering ready-to-exploit victims.
...conducting DDoS attacks and defacements against competitors’ extortion websites, such as BlackLock Blog and Mamona Blog. Both websites are variants of El Dorado Ransomware Group...
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.