Warning Issued About BlackLock Ransomware Operation After 1,425% Increase in Data Leaks
A new ransomware-as-a-service (RaaS) group has rapidly accelerated attacks and could well become the most dominant RaaS group in 2025. According to a recently published ReliaQuest Threat Spotlight on the group, BlackLock was first observed in March 2024, initially operating under the name El Dorado, before rebranding as BlackLock in late 2024. BlackLock has risen to become a major player in the RaaS ecosystem following a May 2024 recruitment drive to attract new affiliates. By the end of Q4 2024, BlackLock was the 7th most prominent ransomware variant, rising to 5th in January 2025, after a 1,425% increase in posts on its data leak site.
A user on the ransomware-focused Russian-language forum RAMP with the moniker $$$ has been instrumental in building a positive reputation for the group, which now surpasses rival groups such as Lynx, Dragonforce, and RansomHub on RAMP. In January 2025, BlackLock ranked 3rd in terms of post count on RAMP. By comparison, BlackLock had 9X as many posts on RAMP as the current most prominent ransomware group, RansomHub.
Ransomware groups often use RAMP to attract new affiliates to their operations, and through extensive interactions on RAMP, BlackLock has earned a good reputation among the ransomware community. The RAMP activity has helped the group attract not only new affiliates to conduct attacks, but also developers, traffers (individuals who direct user traffic to malicious content such as malware), and initial access brokers (IABs), who are not targeted on RAMP by groups such as Lynx, Dragonforce, and RansomHub. As ReliaQuest explained, many other RaaS groups rely on their affiliates to gain initial access to victims’ networks. By targeting traffers and IABs, BlackLock may be conducting some attacks directly without any affiliate involvement. The researchers suggest this aggressive recruitment strategy could explain the rapid rise in prominence in 2024.
Like many other RaaS groups, BlackLock engages in double extortion tactics, stealing data in addition to encrypting files. The group then threatens to publish the stolen data to pile pressure on victims to pay the ransom. Unlike many other RaaS groups, which use leaked ransomware builders, the group develops its own malware, as do top-tier groups such as Play. While using leaked ransomware builders is easy, it makes it far easier for security researchers to access and dissect the code and find weaknesses. Developing its own malware makes it much easier for the group to prevent analysis by researchers. ReliaQuest also notes that the BlackLock data leak site is somewhat atypical and has been developed to prevent researchers and victims from downloading leaked data. ReliaQuest says this tactic is most likely used to get victims to pay the ransom quickly before they can assess the extent of data theft.
While the group does not appear to target healthcare providers based on the current listings on its data leak site, the leak site does include companies that may provide services to healthcare organizations, and it is unclear what direction the group will take in the future. One possible tactic is the targeting of Microsoft’s Entra Connect. BlackLock has shown interest in leveraging Entra Connect’s capabilities to compromise victims’ on-premises environments without triggering security alerts.
“BlackLock’s rise has been both swift and strategic, targeting organizations across a wide range of sectors and geographies,” explained ReliaQuest. “If its current trajectory continues, we predict it could claim the top spot as the most active ransomware group in 2025.”


