
In a significant blow to the Blacklock ransomware group, cybersecurity firm Resecurity exploited a vulnerability in the group’s Data Leak Site (DLS), gaining access to its infrastructure during the winter of 2024-2025. This breach provided unprecedented visibility into the group’s operations, including planned attacks and victim data. The findings highlight both the group’s rapid growth and operational security failures that led to its exposure.
TL;DR: Key Findings
- Group Profile: Blacklock (aka "El Dorado") surged 1,425% in activity in Q4 2024, targeting Windows, Linux, and ESXi systems.
- Breach Details: Resecurity leveraged a Local File Inclusion (LFI) flaw in the TOR-hosted DLS, exposing clearnet IPs, server logs, and MEGA account credentials.
- Impact: 7TB of stolen data intercepted; victims in Canada, France, and the U.S. (including the City of Pensacola) were preemptively warned.
- Operational Flaws: Reused passwords; sensitive system files readable through the web application (`/etc/shadow`, `.bash_history`); and clearnet IPs geolocated to Russia and China.
- Connections: Ties to DragonForce ransomware and the defunct Mamona group; infrastructure later defaced by DragonForce in March 2025.
Infrastructure Compromise: The LFI Exploit
Resecurity identified a critical Local File Inclusion (LFI) vulnerability in Blacklock's TOR-hosted Data Leak Site. The flaw let the researchers read arbitrary files from the server hosting the DLS, not just the pages the site was meant to serve. The exposed data included:
- Server credentials and shell history: files such as `/etc/shadow` and `.bash_history` revealed poor operational security, including reused passwords.
- MEGA accounts: eight email-linked accounts (e.g., `sopajelessei-5488@yopmail[.]com`) used for exfiltrating victim data.
- Network logs: clearnet IPs (`185.147.124.54`, `218.92.0.252`) tied to command-and-control servers.
The breach enabled Resecurity to intercept 7TB of data, including files marked for future leaks. This allowed the firm to notify high-value targets, such as healthcare and government entities, before attacks were executed.
Operational Tactics and Victimology
Blacklock employed double extortion, encrypting systems and threatening data leaks unless ransoms were paid. The group targeted 46+ organizations across sectors, with notable victims including:
Victim | Sector | Data Exfiltrated |
---|---|---|
City of Pensacola (USA) | Government | Internal documents, employee records |
K-State Veterinary College (USA) | Education | Research data, student information |
PHXCMP (Puerto Rico) | Critical Infrastructure | Operational schematics |
The group exfiltrated victim data to MEGA cloud storage by installing client software (MEGA's own client or tools such as rclone) directly on compromised servers. Because the uploads travel over HTTPS to a popular consumer cloud service, they blend in with legitimate traffic and evade controls that only look for connections to known-bad infrastructure.
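The detection angle implied by this tactic is to look at where outbound uploads go and which client sends them, rather than waiting for a known-bad IP. The block below is an added example written for this article, not code from Resecurity or from the referenced reports: it parses a small set of constructed proxy log lines, flags any record whose destination is a MEGA service domain (`mega.nz`, `mega.co.nz` and subdomains) or whose User-Agent is rclone's default (`rclone/v...`), sums the bytes each internal host uploaded to flagged destinations, and escalates hosts that cross an assumed 50 MiB threshold. The log format, the sample IPs and hostnames, and the threshold are all assumptions to adapt to your own proxy or firewall telemetry.

```python
"""Flag internal hosts whose outbound traffic matches MEGA / rclone exfiltration indicators."""
import re
from collections import defaultdict

# Indicators. mega.nz and mega.co.nz (plus subdomains) are MEGA's service domains;
# "rclone/v<version>" is rclone's default User-Agent. Both are assumed indicators
# to tune for your environment, not verified Blacklock IOCs.
MEGA_DOMAIN_RE = re.compile(r"(^|\.)mega\.(nz|co\.nz)$", re.IGNORECASE)
RCLONE_UA_RE = re.compile(r"^rclone/", re.IGNORECASE)

# Assumed threshold: bytes uploaded by one host to flagged destinations before the
# finding is raised from "info" to "alert".
UPLOAD_ALERT_BYTES = 50 * 1024 * 1024

# Constructed proxy log sample (not taken from any report). Fields:
# timestamp src_ip method dest_host bytes_out user_agent
SAMPLE_LOG = """\
2025-01-14T02:11:03Z 10.20.5.17 POST g.api.mega.co.nz 1842 rclone/v1.68.2
2025-01-14T02:11:09Z 10.20.5.17 PUT gfs270n345.userstorage.mega.co.nz 67108864 rclone/v1.68.2
2025-01-14T02:12:41Z 10.20.5.17 PUT gfs270n345.userstorage.mega.co.nz 67108864 rclone/v1.68.2
2025-01-14T02:13:00Z 10.20.7.42 GET www.example.com 512 Mozilla/5.0 (Windows NT 10.0)
2025-01-14T02:14:22Z 10.20.7.42 GET mega.nz 9120 Mozilla/5.0 (Windows NT 10.0)
2025-01-14T02:15:05Z 10.20.9.9 PUT files.example-backup.net 209715200 rclone/v1.68.2
"""


def parse_line(line):
    """Split one log line into a record; the User-Agent may contain spaces."""
    parts = line.split(maxsplit=5)
    if len(parts) != 6:
        return None
    ts, src, method, host, nbytes, ua = parts
    return {"ts": ts, "src": src, "method": method, "host": host,
            "bytes": int(nbytes), "ua": ua}


def classify(rec):
    """Return the list of indicator names a record matches (empty if benign)."""
    reasons = []
    if MEGA_DOMAIN_RE.search(rec["host"]):
        reasons.append("mega-domain")
    if RCLONE_UA_RE.match(rec["ua"]):
        reasons.append("rclone-ua")
    return reasons


def detect(log_text):
    """Aggregate matches per source host.

    Returns {src_ip: {"reasons": set, "upload_bytes": int, "severity": str}}.
    Only PUT/POST bytes count as uploads; a browser merely visiting mega.nz
    stays at "info" unless it also pushes data.
    """
    findings = defaultdict(lambda: {"reasons": set(), "upload_bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if not reasons:
            continue
        entry = findings[rec["src"]]
        entry["reasons"].update(reasons)
        if rec["method"] in ("PUT", "POST"):
            entry["upload_bytes"] += rec["bytes"]
    for entry in findings.values():
        entry["severity"] = "alert" if entry["upload_bytes"] >= UPLOAD_ALERT_BYTES else "info"
    return dict(findings)


if __name__ == "__main__":
    for src, entry in sorted(detect(SAMPLE_LOG).items()):
        print(f"{entry['severity']:5} {src:12} {entry['upload_bytes']:>10} B "
              f"{','.join(sorted(entry['reasons']))}")
```

Note that the third host in the sample triggers only on the rclone User-Agent while uploading to a non-MEGA destination; keeping the client indicator separate from the destination indicator is what catches an operator who simply points the same tooling at a different cloud provider.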
Connections and Collapse
Blacklock, which previously operated under the El Dorado name, reused that operation's infrastructure and victim list, and code analysis revealed overlaps with DragonForce ransomware. By March 2025, Blacklock's DLS had been defaced by DragonForce, suggesting that DragonForce absorbed its affiliates. The operator known as "$$$" had previously hinted at shutting down, likely because of the exposure.
Relevance and Mitigation
The breach underscores the importance of proactive threat intelligence. Key takeaways for defenders include:
- Monitor for MEGA/rclone activity: Unusual cloud storage traffic, especially sustained uploads from servers that have no business reason to talk to consumer file-sharing services, may indicate exfiltration in progress.
- Eliminate LFI vulnerabilities: Audit web applications for file inclusion and path traversal; allowlist the names a page parameter may take and canonicalize any resulting path before opening it, rather than relying on blacklisting `../`.
- Protect sensitive files on web hosts: Blacklock's exposure through `.bash_history` and `/etc/shadow` shows the risk of leaving shell history and credential files readable by the account the web application runs as; run web applications as an unprivileged user and keep secrets and history out of its reach.
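To make the LFI point concrete, the block below is an added example written for this article (not code from Blacklock's DLS, whose implementation language the reports do not describe, nor from Resecurity). It shows a minimal page-include handler in its vulnerable form, where a request parameter is joined straight onto the web root so `../etc/shadow` walks out of it, beside a hardened form that allowlists page names and then verifies the canonical path is still inside the web root. The handler names, the `ALLOWED_PAGES` set, and the temporary directory tree (with a fake `etc/shadow`) are all constructed for the demonstration.

```python
"""Local File Inclusion: a vulnerable page-include handler beside a hardened one."""
import os
import tempfile

# Assumed allowlist of page names the application is willing to render.
ALLOWED_PAGES = {"index", "victims", "contact"}


def include_vulnerable(web_root, requested):
    """Vulnerable: trusts the request and joins it to the web root.

    os.path.join keeps any '..' segments and discards web_root entirely when
    `requested` is absolute, so ?page=../etc/shadow reads outside the site.
    """
    path = os.path.join(web_root, requested)
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def is_within(root, path):
    """True if the canonical form of `path` lies inside the canonical `root`."""
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return os.path.commonpath([root, path]) == root


def include_hardened(web_root, requested):
    """Hardened: allowlist first, then containment check on the canonical path."""
    # Layer 1: the parameter is a page *name*, never a path. Anything outside
    # the allowlist (including '..', '/', or an extension) is rejected outright.
    if requested not in ALLOWED_PAGES:
        raise PermissionError(f"page not allowed: {requested!r}")
    # Layer 2: even with a valid name, resolve symlinks and confirm the file is
    # still under the web root before opening it.
    path = os.path.join(web_root, "pages", requested + ".html")
    if not is_within(web_root, path):
        raise PermissionError("resolved path escapes web root")
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def build_fixture():
    """Create a throwaway tree: <tmp>/www/pages/index.html and a fake <tmp>/etc/shadow."""
    tmp = tempfile.mkdtemp()
    www = os.path.join(tmp, "www")
    os.makedirs(os.path.join(www, "pages"))
    os.makedirs(os.path.join(tmp, "etc"))
    with open(os.path.join(www, "pages", "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>leaks</h1>")
    with open(os.path.join(tmp, "etc", "shadow"), "w", encoding="utf-8") as fh:
        fh.write("root:$6$constructedhash:19000:0:99999:7:::\n")  # fake entry
    return www


def demo():
    """Run both handlers against a normal request and a traversal request."""
    www = build_fixture()
    out = {}
    out["vuln_normal"] = include_vulnerable(www, "pages/index.html")
    out["vuln_traversal"] = include_vulnerable(www, "../etc/shadow")
    out["hard_normal"] = include_hardened(www, "index")
    try:
        include_hardened(www, "../etc/shadow")
        out["hard_traversal"] = "READ"
    except PermissionError:
        out["hard_traversal"] = "blocked"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value.strip()!r}")
```

The allowlist alone stops the traversal shown here, but the containment check is kept as a second layer because a symlink planted under `pages/` (or a future code change that builds the path from more than one parameter) would otherwise reintroduce the same bug.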
Conclusion
Resecurity's breach of Blacklock's infrastructure demonstrates how ransomware groups can be disrupted through offensive security research. While Blacklock's operations have waned, the group's tactics, particularly its use of consumer cloud storage for data exfiltration, remain a persistent threat. Organizations should prioritize least-privilege file permissions on web hosts, logging hygiene, and cloud activity monitoring to mitigate similar risks.
References
- Resecurity Report. [Accessed May 2025].
- GBHackers. [Accessed May 2025].
- ReliaQuest Analysis. [Accessed May 2025].