BlackLock

BlackLock is a ransomware-as-a-service (RaaS) group first observed in March 2024. It initially operated under the name El Dorado (also written Eldorado) and rebranded to BlackLock in late 2024, around September according to reporting in the content. The group is also tied in reporting to Mamona, and later reporting linked Mamona and BlackLock to the June 2025 "GLOBAL GROUP" brand. One operator alias, "$$$", is described as linked to BlackLock, El Dorado, and Mamona. BlackLock conducts double extortion, stealing data and encrypting victim systems while threatening public disclosure through its data leak site. Reporting in the content describes BlackLock as developing its own ransomware rather than relying on leaked builders. The malware is written in Go and is described as cross-platform, targeting Windows and Linux, with ESXi targeting referenced as part of its capability set. In Windows environments it can scan and access SMB shares using go-smb2. The ransomware supports numerous command-line options controlling encryption scope, timing, threading, network behavior, and prioritization. It uses XChaCha20 for file encryption with per-file random keys and nonces, appends encrypted metadata to files, drops the ransom note HOW_RETURN_YOUR_DATA.TXT, renames files with random extensions, and deletes shadow copies and Recycle Bin contents to hinder recovery. The group has been described as highly active across multiple sectors and countries. Content cites victims in sectors including public institutions, consulting, education and research, transportation, construction, manufacturing, electronics, academia, religious organizations, defense, healthcare, technology, IT/MSP vendors, and government agencies. Countries explicitly mentioned in the content include the United States, South Korea, Japan, Argentina, Aruba, Brazil, Canada, Congo, Croatia, Peru, France, Italy, Spain, the Netherlands, the United Kingdom, and the UAE. Most confirmed victims were described in one report as US-based. BlackLock has been notable for aggressive recruitment and ecosystem building. Reporting says it promoted itself on the Russian-language RAMP forum, recruited affiliates beginning in 2024, and sought not only affiliates but also developers, traffers, and initial access brokers. Recruitment campaigns explicitly searched for traffers to funnel compromised traffic and deliver ready-to-exploit victims. Content also states BlackLock affiliate rules prohibited targeting BRICS and CIS countries, and that communications used Cyberfear.com email and TOX IM. Several reports in the content describe BlackLock's infrastructure and leak site as technically notable. Resecurity reported identifying a misconfiguration and Local File Inclusion vulnerability in BlackLock's TOR-based data leak site, allegedly exposing server-side files, credentials, infrastructure details, logs, and MEGA-based data staging workflows. The same reporting states BlackLock used MEGA as a primary mechanism for stolen-data transfer and storage and used rclone to move data between MEGA accounts and the leak site. BlackLock was also the target of attacks by rival ransomware group DragonForce in 2025. Multiple sources in the content state DragonForce defaced BlackLock's leak site, leaked some internal communications, and exploited a misconfiguration and LFI vulnerability to collect information including credentials. Reporting further states DragonForce absorbed or displaced BlackLock as part of a broader cartel-style consolidation. More recent content characterizes BlackLock as having faded significantly from prominence following this brief but technically notable emergence.