BlackLock ransomware claims nearly 50 attacks in two months

A ransomware-as-a-service (RaaS) operation called ‘BlackLock’ has emerged as one of the more active ransomware operations of 2025.

According to DarkAtlas’ research team, BlackLock is a rebrand of Eldorado, a moderately successful ransomware operation that emerged in March 2024, targeting Windows systems and VMware ESXi virtual machines.

The BlackLock operation uses a double-extortion model, which consists of stealing data from compromised organizations and then encrypting the original files. Threats to leak the stolen data are then used as leverage to get a company to pay a ransom.

BlackLock’s extortion page (Source: BleepingComputer)

DarkAtlas reports that the threat actors have performed 48 attacks on organizations across multiple sectors from January until February 2025.

BleepingComputer noticed that BlackLock’s extortion website only includes full data leaks. This indicates that BlackLock first attempts to extort breached companies privately on a negotiation site and only leaks data when that fails.

From Eldorado to BlackLock

BlackLock uses the same technical foundation as Eldorado, meaning it is a Go-based cross-platform (Windows and Linux) ransomware using ChaCha20 for file encryption and RSA-OAEP for key encryption.

DarkAtlas says BlackLock features improved encryption speeds compared to Eldorado, which gives it an operational advantage.

Encrypted files are renamed with random filenames and file type extensions, while a ransom note titled “HOW_RETURN_YOUR_DATA.TXT” is created in impacted directories.
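As an added, defender-side example that is not from the article or the DarkAtlas report: a small Python triage script that walks a directory tree for the ransom note named above and flags files whose leading bytes look encrypted (high byte entropy), since the random renamed extensions leave no file-type signature to match on. The entropy threshold and the constructed sample layout are assumptions.

```python
import math
import os
import tempfile
from pathlib import Path

RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"  # note name reported in the article
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_tree(root: str, sample_bytes: int = 4096) -> dict:
    """Walk `root`; report directories holding the ransom note and
    files whose leading bytes have encryption-like entropy."""
    note_dirs, suspect_files = [], []
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE in files:
            note_dirs.append(dirpath)
        for name in files:
            if name == RANSOM_NOTE:
                continue  # the note itself is plain text, not an encrypted file
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                suspect_files.append(path)
    return {"note_dirs": sorted(note_dirs), "suspect_files": sorted(suspect_files)}


def build_constructed_sample() -> str:
    """Constructed sample tree: one clean text file, one random-byte file with
    a random-looking name and extension, and a placeholder ransom note."""
    root = tempfile.mkdtemp(prefix="blacklock_triage_")
    Path(root, "report.txt").write_text("quarterly numbers " * 100)
    Path(root, "q2a9f.k7xz").write_bytes(os.urandom(8192))  # stands in for an encrypted file
    Path(root, RANSOM_NOTE).write_text("constructed placeholder note\n")
    return root
```

Run `triage_tree("/path/to/share")` against a file share or restored snapshot; a hit in `note_dirs` plus a cluster of `suspect_files` in the same directory is the pattern described in this article.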

Files encrypted by BlackLock (Source: DarkAtlas)

Like Eldorado, BlackLock’s operators promote the project on underground forums like RAMP, seeking initial network access collaborations, ransomware affiliates, and network penetration testers.

Threat actors promoting the BlackLock RaaS on underground forums (Source: DarkAtlas)

The researchers infiltrated the RaaS operation and confirmed that its representatives speak Russian.

There are multiple potential reasons for ransomware operations to rebrand, including to evade pressure from law enforcement, disrupt researchers’ attribution efforts, or use a fresh identity to attract new affiliates and collaborators.

The exact reasons for Eldorado getting rebranded to BlackLock are unclear, but the important takeaway is that the ransomware operation is very active and dangerous.
