In what’s an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process.
Resecurity said it identified a security vulnerability in the data leak site (DLS) operated by the e-crime group that made it possible to extract configuration files, credentials, as well as the history of commands executed on the server.
The flaw concerns a “certain misconfiguration in the Data Leak Site (DLS) of BlackLock Ransomware, leading to clearnet IP addresses disclosure related to their network infrastructure behind TOR hidden services (hosting them) and additional service information,” the company said.
It described the acquired history of commands as one of the biggest operational security (OPSEC) failures of BlackLock ransomware.
BlackLock is a rebranded version of another ransomware group known as Eldorado. It has since become one of the most active extortion syndicates in 2025, heavily targeting technology, manufacturing, construction, finance, and retail sectors. As of last month, it has listed 46 victims on its site.
The impacted organizations are located in Argentina, Aruba, Brazil, Canada, Congo, Croatia, Peru, France, Italy, the Netherlands, Spain, the United Arab Emirates, the United Kingdom, and the United States.
The group, which announced the launch of an underground affiliate network in mid-January 2025, has also been observed actively recruiting traffers to facilitate early stages of the attacks by directing victims to malicious pages that deploy malware capable of establishing initial access to compromised systems.
The vulnerability identified by Resecurity is a local file inclusion (LFI) bug, essentially tricking the web server into leaking sensitive information by performing a path traversal attack, including the history of commands executed by the operators on the leak site.
Some of notable findings are listed below –
- The use of Rclone to exfiltrate data to the MEGA cloud storage service, in some cases even installing the MEGA client directly on victim systems
- The threat actors have created at least eight accounts on MEGA using disposable email addresses created via YOPmail (e.g., “zubinnecrouzo-6860@yopmail.com”) to store the victim data
- A reverse engineering of the ransomware has uncovered source code and ransom note similarities with another ransomware strain codenamed DragonForce, which has targeted organizations in Saudi Arabia (While DragonForce is written in Visual C++, BlackLock uses Go)
- “$$$,” one of the main operators of BlackLock, launched a short-lived ransomware project called Mamona on March 11, 2025
In an intriguing twist, BlackLock’s DLS was defaced by DragonForce on March 20 – likely by exploiting the same LFI vulnerability (or something similar) – with configuration files and internal chats leaked on its landing page. A day prior, the DLS of Mamona ransomware was also defaced.
“It is unclear if BlackLock Ransomware (as a group) started cooperating with DragonForce Ransomware or silently transitioned under the new ownership,” Resecurity said. “The new masters likely took over the project and their affiliate base because of ransomware market consolidation, understanding their previous successors could be compromised.”
“The key actor ‘$$$’ did not share any surprise after incidents with BlackLock and Mamona Ransomware. It is possible the actor was fully aware that his operations could be already compromised, so the silent ‘exit’ from the previous project could be the most rational option.”
