Inside BlackLock: The RaaS Group Reshaping Cybercrime

BlackLock, previously operating under the alias Eldorado, has rapidly emerged as one of the most significant and active ransomware groups within the cybersecurity landscape. First observed in March 2024, BlackLock is primarily focused on a Ransomware-as-a-Service (RaaS) model, offering its custom-built ransomware to affiliates and other cybercriminals.

As of late 2024, BlackLock's activity had grown by an alarming 1,425%, positioning it as one of the top ransomware operators globally. This explosive growth has placed it at the forefront of emerging cyber threats, with the potential to become the most prolific ransomware group in 2025.

Severity Level: High

THREAT DETAILS

1. Initial Access

  • Penetration Testing: BlackLock recruits skilled penetration testers through underground forums. These testers help find and exploit vulnerabilities in targeted systems to gain initial access.
  • Traffers: BlackLock also recruits traffers who drive malicious traffic to targeted websites, helping the group establish initial access to victim networks.
  • Collaboration with Initial Access Brokers (IABs): BlackLock often works with IABs, who provide access to victim systems, such as domain administrator credentials or access to critical services. This bypasses the need for BlackLock to perform initial access themselves, speeding up their attack cycle.

2. Exploitation and Lateral Movement

  • BlackLock uses Pass-the-Hash (PtH) techniques to escalate privileges and move laterally within the compromised network. Once inside, the group gains access to multiple systems using stolen credentials (NTLM hashes).
  • Exploitation of ESXi Hosts: BlackLock has targeted VMware ESXi servers, exploiting weak or default accounts to gain privileged access. Once inside the ESXi environment, attackers move laterally to compromise additional machines.
  • To prevent the victim from using backups to recover data, BlackLock deletes shadow copies of files. This makes data recovery difficult and forces the victim to pay the ransom for data decryption.

3. Encryption of Data

  • Once BlackLock has gained the necessary access and performed lateral movement, the ransomware is deployed across the network. It encrypts files using ChaCha20 encryption for the files themselves and RSA-OAEP encryption for the keys, making decryption difficult without the ransom payment.
  • While encrypting data, BlackLock also exfiltrates sensitive files, such as financial data, proprietary information, or intellectual property.
  • After encrypting data and exfiltrating sensitive information, BlackLock demands a ransom for the decryption key and to prevent the public release of the stolen data.

4. Collaboration with Other Threat Actors

  • BlackLock has been seen collaborating with other ransomware groups, including Dragonforce and Lynx, to exchange tools and techniques. This collaboration allows BlackLock to test and improve its malware capabilities, keeping it ahead of competitors.

5. Hacktivism

  • Some of BlackLock’s targets reflect a hacktivist influence, where geopolitical events or cybercriminal ideologies motivate the attacks. This trend is becoming more common in targeted sectors like construction and government.

6. Leak Site Design

BlackLock’s leak site is sophisticated and designed to frustrate investigators. It includes features such as:

  • Query Detection: The leak site is configured to detect and block quick query requests made by investigators, thereby slowing down analysis efforts.
  • Bogus File Responses: The leak site responds with bogus files if investigators try to access stolen data too quickly, forcing them to download files one-by-one, which is both time-consuming and costly.

7. Emerging Trends

  • Evidence suggests that BlackLock may pivot towards exploiting vulnerabilities in Microsoft Entra Connect, a move that would broaden its attack surface. By compromising synchronization flows between on-premises and cloud environments, BlackLock could further escalate its attack capabilities.

Recommendations:

  1. Ensure that all systems, especially VMware ESXi hosts, are regularly patched and updated to mitigate known vulnerabilities.
  2. Enforce the use of multi-factor authentication (MFA) for all systems, especially those that are accessible remotely, such as VPNs, RDP, and web portals. Additionally, ensure that default accounts are disabled or heavily secured.
  3. Turn off unused management services such as vMotion, Simple Network Management Protocol (SNMP), and redundant HTTPS interfaces to minimize attack surfaces. While these services help manage or monitor ESXi hosts, leaving them active unnecessarily can create vulnerabilities. Additionally, enable Secure Shell (SSH) only when needed and disable it immediately after use.
  4. To complicate BlackLock’s ability to exploit weak interfaces, configure ESXi hosts to allow management exclusively through vCenter. Lockdown mode prevents direct connections to ESXi hosts, such as via SSH, unless explicitly allowed during emergencies. Routing all interactions through vCenter Server significantly reduces the risk of unauthorized privilege escalation and unmonitored actions.
  5. Use identity-aware firewalls or strict access control lists (ACLs) to block BlackLock from accessing ESXi hosts or moving laterally. For added security, only allow access through secure jump servers—dedicated systems used to connect to critical infrastructure—or out-of-band management systems on isolated networks.
  6. Since BlackLock is likely to target Entra tenant vulnerabilities in the future, follow the recommendations below to get ahead of the risk:
     • Customize Entra Connect sync rules to turn off unnecessary flows, especially for sensitive attributes like msDS-KeyCredentialLink, to stop BlackLock from abusing them to access accounts.
     • Enforce administrator approval for key registrations and regularly audit the msDS-KeyCredentialLink attribute for unexpected changes to block malicious keys.
     • Limit key registration to compliant devices and apply location- or risk-based restrictions to prevent BlackLock from registering rogue keys or performing unauthorized syncs.
  7. Block the IOCs at their respective controls.
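The msDS-KeyCredentialLink audit recommended above can be run offline against exported values. The following is an added example, not code from this advisory or from any vendor tool: it decodes the KEYCREDENTIALLINK_BLOB format (MS-ADTS 2.2.20) from DN-Binary strings such as those returned by `Get-ADObject -Properties msDS-KeyCredentialLink`, and flags keys whose DeviceId is outside an approved baseline or that were registered after the last approved audit. The sample value, its device GUID, key bytes and DN are constructed for the demonstration.

```python
import struct, uuid
from datetime import datetime, timedelta, timezone

# KEYCREDENTIALLINK_ENTRY identifiers (MS-ADTS 2.2.20); blob version must be 0x200
ENTRY_IDS = {1: "KeyID", 2: "KeyHash", 3: "KeyMaterial", 4: "KeyUsage", 5: "KeySource",
             6: "DeviceId", 7: "CustomKeyInformation", 8: "KeyLastLogon", 9: "KeyCreationTime"}
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME origin

def parse_key_credential_link(dn_binary: str) -> dict:
    """Decode one DN-Binary value 'B:<hexlen>:<hex>:<DN>' into named entry fields."""
    tag, hexlen, hexdata, dn = dn_binary.split(":", 3)
    blob = bytes.fromhex(hexdata)
    if tag != "B" or int(hexlen) != len(hexdata) or struct.unpack_from("<I", blob, 0)[0] != 0x200:
        raise ValueError("malformed DN-Binary value or unsupported blob version")
    fields, off = {"dn": dn}, 4
    while off < len(blob):                      # entry = Length(2) Identifier(1) Value
        length, ident = struct.unpack_from("<HB", blob, off)
        value = blob[off + 3: off + 3 + length]
        if len(value) != length:
            raise ValueError("truncated entry")
        off += 3 + length
        name = ENTRY_IDS.get(ident, f"Unknown{ident:#x}")
        if name == "DeviceId":                  # GUID stored in mixed-endian (bytes_le) layout
            fields[name] = str(uuid.UUID(bytes_le=value))
        elif name in ("KeyCreationTime", "KeyLastLogon"):   # FILETIME: 100 ns ticks since 1601
            fields[name] = WINDOWS_EPOCH + timedelta(microseconds=struct.unpack("<Q", value)[0] // 10)
        elif name in ("KeyUsage", "KeySource"):  # single-byte enums (KeyUsage 1 = NGC, KeySource 0 = AD)
            fields[name] = value[0]
        else:
            fields[name] = value.hex()
    return fields

def audit(values, approved_devices, last_audit):
    """Flag keys whose DeviceId is not in the baseline or that were registered after the last audit."""
    findings = []
    for f in map(parse_key_credential_link, values):
        reasons = []
        if f.get("DeviceId") not in approved_devices:
            reasons.append("DeviceId not in approved baseline")
        if f.get("KeyCreationTime", last_audit) > last_audit:
            reasons.append("key registered after last approved audit")
        if reasons:
            findings.append((f["dn"], f.get("DeviceId"), reasons))
    return findings

# Constructed sample: NGC key (KeyUsage 1, KeySource 0), placeholder KeyMaterial,
# DeviceId 44332211-6655-8877-99aa-bbccddeeff00, KeyCreationTime 2025-01-06 UTC (0x01DB600000000000)
_HEX = ("00020000" "080003aabbccddeeff0011" "01000401" "01000500"
        "100006112233445566778899aabbccddeeff00" "080009000000000060db01")
SAMPLE_VALUE = f"B:{len(_HEX)}:{_HEX}:CN=jdoe,OU=Users,DC=example,DC=local"
```

Feed it every value of the attribute for each account and diff the findings against the previous run; a new DeviceId or a creation time after the last approved registration window is what the audit in the recommendation is looking for.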

SOURCES:

  • https://www.virustotal.com/gui/collection/4c38159e8de49b938028b5fcb24a96c85aebb240adbbf06d8a50dde53dbde91e/iocs
  • https://www.reliaquest.com/blog/threat-spotlight-inside-the-worlds-fastest-rising-ransomware-operator-blacklock/
  • https://darkatlas.io/blog/blacklock-ransomware-a-growing-threat-across-industries
  • https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/el-dorado
  • https://x.com/RakeshKrish12/status/1800479631507915095

Ampcus Cyber