
Security researchers have successfully infiltrated the infrastructure of the BlackLock ransomware group by exploiting a vulnerability in their data leak site. The operation, conducted by Resecurity, revealed sensitive operational details and preemptively protected potential victims across multiple countries.
Technical Breakdown of the Compromise
Resecurity identified a Local File Inclusion (LFI) vulnerability in BlackLock's Data Leak Site (DLS) that allowed access to internal systems. This flaw exposed clearnet IP addresses, server credentials, and detailed victim information. Researchers were able to access eight MEGA storage accounts containing stolen data and identified 46 confirmed victims across 14 countries, including high-value targets in the healthcare, defense, and government sectors.
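A defender's illustration of the vulnerability class named above, added here as an example that is not code from Resecurity's report or from the leak site itself: a naive file lookup beside a canonicalising check that keeps requests inside the served directory, plus a screen over constructed access-log lines for the traversal patterns a web server's own logs should surface. The base directory, the `file` parameter name and the log lines are assumptions.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Constructed directory a file-serving handler is meant to stay inside (assumption, not from the report).
BASE_DIR = "/srv/dls/public"

def vulnerable_resolve(base: str, requested: str) -> str:
    """Naive lookup: the user-controlled name is joined onto the base directory.
    Traversal segments or an absolute path escape it; this is the LFI pattern."""
    return os.path.normpath(os.path.join(base, requested))

def safe_resolve(base: str, requested: str) -> Optional[str]:
    """Canonicalise the candidate, then require it to stay strictly inside base."""
    if not requested or "\x00" in requested:
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, requested))
    # commonpath compares whole segments, so /srv/dls/public-old does not pass as inside base
    if candidate == base_real or os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate

# Detection side: a ".." path segment, after URL decoding, anywhere in the path or a query value.
_TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")

def request_looks_like_lfi(raw_path: str) -> bool:
    """Decode twice to unwrap double-encoding, then check the path and every query value."""
    decoded = unquote(unquote(raw_path))
    path, _, query = decoded.partition("?")
    if "\x00" in decoded or _TRAVERSAL.search(path):
        return True
    return any(_TRAVERSAL.search(p.partition("=")[2]) for p in query.split("&"))

# Constructed access-log lines (not real traffic) in common log format.
CONSTRUCTED_LOG = [
    '10.0.0.5 - - [01/Mar/2025:10:00:01 +0000] "GET /view?file=report.pdf HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Mar/2025:10:00:09 +0000] "GET /view?file=..%2F..%2Fconfig%2Fdb.ini HTTP/1.1" 200 811',
]

def flag_suspicious(log_lines):
    """Return the log lines whose request target shows an LFI-style traversal attempt."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP', line)
        if m and request_looks_like_lfi(m.group(1)):
            hits.append(line)
    return hits
```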
The vulnerability provided visibility into BlackLock’s operational timeline and affiliate communications. According to Resecurity’s report, this included server commands, victim negotiation timelines, and credentials stored in cleartext. The security firm used this access to warn potential Canadian and French targets before their data could be published.
Gang Infrastructure and Connections
Analysis of the compromised systems revealed that BlackLock is a rebrand of the El Dorado ransomware operation. Evidence also suggests possible infrastructure sharing or takeover attempts by the DragonForce ransomware group. The exposed logs showed signs of internal distrust among affiliates following the security breach.
Security Affairs confirmed that the LFI exploitation led to IP address exposure of BlackLock’s operational infrastructure. Cybernews further reported ties between BlackLock and previous El Dorado operations through analysis of the leaked MEGA account credentials.
Impact and Industry Response
The breach has significantly impacted BlackLock's operations, with researchers describing the group's reputation as "critically undermined." The Register highlighted this case as an example of effective "proactive hacking" conducted within legal boundaries. The operation demonstrated how ransomware groups' own operational security failures can be turned against them.
Key findings from the incident include:
- 46 confirmed victims across 14 countries
- 8 exposed MEGA storage accounts containing stolen data
- Cleartext credentials and unsecured operational logs
- Preemptive warnings sent to potential targets
Security Implications and Recommendations
This incident provides valuable intelligence about ransomware group operations and their vulnerabilities. Organizations can use this information to better understand ransomware group tactics and improve defensive measures. Monitoring for connections to the exposed infrastructure, and for any use of the exposed credentials, can help identify potential compromises.
The case also raises questions about the legal and ethical boundaries of counter-ransomware operations. While successful in this instance, security professionals should carefully consider jurisdictional limitations and potential collateral effects before engaging in similar activities.
As ransomware groups frequently rebrand after operational setbacks, security teams should monitor for new campaigns that may share infrastructure or tactics with BlackLock. The potential DragonForce connection suggests possible ongoing competition or cooperation between ransomware operations that warrants further investigation.
References
- “BlackLock Ransomware: A Late Holiday Gift”, Resecurity, 2025.
- “BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability”, The Hacker News, March 2025.
- “Security researchers hack BlackLock ransomware gang”, IT Pro, 2025.
- “BlackLock ransomware targeted by cybersecurity firm”, Security Affairs, 2025.
- “Resecurity hacks major ransomware gang BlackLock”, Cybernews, 2025.
- “Security shop pwns ransomware gang”, The Register, March 2025.