BlackLock
BlackLock is a ransomware-as-a-service (RaaS) operation and malware family also known historically as El Dorado/Eldorado, with reporting indicating a later rebrand to GLOBAL GROUP. It was first observed in March 2024 and rebranded from El Dorado to BlackLock in late 2024. The group recruits affiliates on the Russian-language RAMP forum and has also sought traffers and initial access brokers to scale operations. Reporting links the operator alias "$$$" to BlackLock and related branding.
The ransomware is written in Go and is cross-platform, with the capability to target Windows, Linux, and VMware ESXi environments. It has been described as using double extortion, combining data theft with file encryption and threats to publish stolen data on its leak site. Technical reporting states that BlackLock can scan and access SMB shares using go-smb2, supports numerous command-line options controlling encryption scope and behavior, and in some samples includes ESXi-related functionality. In ESXi-focused reporting, BlackLock tradecraft included enumerating /vmfs/volumes/, killing running VMs with esxcli vm process kill, encrypting .vmdk and .vmx files, and dropping ransom notes such as HOW_RETURN_YOUR_DATA.TXT. It has also been reported to delete backups and recovery artifacts, including VSS shadow copies and Recycle Bin contents, to inhibit recovery.
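The ESXi tradecraft described above (datastore enumeration, bulk VM termination via esxcli, and a ransom note dropped on the datastore) is all visible in the host's shell history. The following detection logic is an added example written for this page; it is not code from the original reporting or from any vendor. The shell.log line format, the session and timestamp layout, and the sample events are constructed assumptions, and the burst threshold and window are tunable defaults, not values from the page.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of an ESXi /var/log/shell.log.
# The exact log format is an assumption for this example, not taken from the page.
SAMPLE_SHELL_LOG = """\
2025-01-13T09:00:00Z shell[1877]: [root]: esxcli vm process kill --type=soft --world-id=2099110
2025-01-14T02:11:03Z shell[2001]: [root]: ls /vmfs/volumes/
2025-01-14T02:11:09Z shell[2001]: [root]: esxcli vm process list
2025-01-14T02:11:15Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2101441
2025-01-14T02:11:16Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2101502
2025-01-14T02:11:17Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2101577
2025-01-14T02:11:40Z shell[2001]: [root]: ls /vmfs/volumes/datastore1/HOW_RETURN_YOUR_DATA.TXT
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
VM_KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b")
VMFS_ENUM_RE = re.compile(r"\b(?:ls|find)\s+/vmfs/volumes/?")
RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"  # note filename reported for BlackLock

# Tunable defaults (assumptions): how many VM kills within what window count as a burst.
KILL_BURST_THRESHOLD = 3
KILL_BURST_WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one shell.log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "session": m["pid"],
        "user": m["user"],
        "cmd": m["cmd"],
    }


def detect_esxi_ransomware_activity(log_text):
    """Return a list of (severity, rule, detail) findings over shell-log text.

    Rules:
      - ransom_note_reference: any command that touches the reported ransom note name.
      - vm_kill_burst: >= KILL_BURST_THRESHOLD 'esxcli vm process kill' commands from one
        shell session inside KILL_BURST_WINDOW; rated high if the same session also
        enumerated /vmfs/volumes, which matches the sequence described in the reporting.
    """
    findings = []
    kills_by_session = {}   # session pid -> deque of kill timestamps inside the window
    enum_seen = set()       # sessions that listed /vmfs/volumes
    burst_reported = set()  # sessions already alerted on, to avoid duplicate findings

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        sess, ts, cmd = ev["session"], ev["ts"], ev["cmd"]

        if RANSOM_NOTE in cmd:
            findings.append(("high", "ransom_note_reference", f"{ts.isoformat()} session {sess}: {cmd}"))

        if VMFS_ENUM_RE.search(cmd):
            enum_seen.add(sess)

        if VM_KILL_RE.search(cmd):
            window = kills_by_session.setdefault(sess, deque())
            window.append(ts)
            while window and ts - window[0] > KILL_BURST_WINDOW:
                window.popleft()
            if len(window) >= KILL_BURST_THRESHOLD and sess not in burst_reported:
                burst_reported.add(sess)
                severity = "high" if sess in enum_seen else "medium"
                findings.append((severity, "vm_kill_burst",
                                 f"{len(window)} VM kills within {KILL_BURST_WINDOW.seconds}s in session {sess}; "
                                 f"datastore enumeration seen: {sess in enum_seen}"))
    return findings


if __name__ == "__main__":
    for severity, rule, detail in detect_esxi_ransomware_activity(SAMPLE_SHELL_LOG):
        print(f"[{severity}] {rule}: {detail}")
```

A single administrative `esxcli vm process kill` (the first sample line) produces nothing; the rule keys on the rate of kills per session, so routine maintenance stays quiet while the enumerate-then-kill-everything sequence surfaces. Forwarding shell.log off the host matters more than the rule itself, since an operator who can run these commands can also clear the local log.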
Encryption details reported for BlackLock include use of ChaCha20/XChaCha20 for file encryption with per-file random keys and nonces, and RSA-OAEP or ECDH-derived shared-key protection for wrapped key material depending on the analysis. Metadata and key material are appended to encrypted files, and files may be renamed with random extensions. The malware has been described as custom-developed rather than built from leaked ransomware builders.
BlackLock has targeted organizations in the United States and Europe, with additional victims reported in South Korea and Japan. Reported victim sectors include healthcare, manufacturing, education and research, government, public institutions, consulting, transportation, construction, technology, academia, defense, religious organizations, IT/MSP vendors, and other enterprises. It has also been cited among ransomware variants frequently observed targeting European financial institutions.
Multiple reports describe BlackLock’s rapid growth in late 2024 and early 2025, including a 1,425% increase in leak-site posts in Q4 2024 and rankings among the more prominent ransomware variants by early 2025. Its leak site was reportedly designed to hinder downloading of leaked data, increasing pressure on victims.
BlackLock has also been notable for ecosystem overlap and conflict. Reporting links it to Mamona and states that BlackLock was later rebranded to Mamona or associated with a new Mamona project, while other reporting says DragonForce defaced BlackLock’s leak site. Researchers also reported compromise of BlackLock’s Tor-based data leak site via a misconfiguration and an LFI vulnerability, exposing infrastructure details, credentials, logs, MEGA-based staging workflows, and other operational data.
High-confidence indicators and artifacts directly mentioned in reporting include the ransom note HOW_RETURN_YOUR_DATA.TXT; MD5 f392807da3ee1f3e9702ce5fa91d418d; SHA256 9b2637b8fefeedf8dca8a0ace491de05b6d937ea7463b48562cd1a0f25abb9f5 for a malicious FAKE_CAPTCHA.lnk; SHA256 9d7e12eae6b593e582d8b2c3af3154a989977309dcffc7a85aedf0e047d4ca0b for a loader heuristically detected as Fragtor; associated domains paksecurity[.]org and techoption[.]org; IPs 104[.]21[.]25[.]86 and 23[.]62[.]168[.]204; and notable IPs 185[.]147[.]124[.]54 and 218[.]92[.]0[.]252 mentioned in infrastructure reporting. AhnLab detections cited for BlackLock activity include V3 signatures Ransom/MDP.Behavior.M2649, Ransom/MDP.Decoy.M1171, Trojan/Win.Generic.C5775331, and EDR detection Behavior/DETECT.Event.M2662.
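Indicators published in reporting arrive defanged and in mixed case, so matching them against telemetry needs a normalisation step before any lookup. The code below is an added example for this page, not code from the original reporting or from any vendor: it refangs the indicators listed above, classifies each by shape (MD5, SHA-1, SHA-256, IP, domain, filename), and scans constructed DNS, proxy and EDR log lines for matches. The log line formats, the internal host names and addresses, and the placeholder hash on the last sample line are all constructed for the example.

```python
import ipaddress
import re

# Indicators as quoted in the reporting summarised above, kept in their defanged form.
BLACKLOCK_IOCS_RAW = [
    "f392807da3ee1f3e9702ce5fa91d418d",
    "9b2637b8fefeedf8dca8a0ace491de05b6d937ea7463b48562cd1a0f25abb9f5",
    "9d7e12eae6b593e582d8b2c3af3154a989977309dcffc7a85aedf0e047d4ca0b",
    "paksecurity[.]org",
    "techoption[.]org",
    "104[.]21[.]25[.]86",
    "23[.]62[.]168[.]204",
    "185.147.124.54",
    "218.92.0.252",
    "HOW_RETURN_YOUR_DATA.TXT",
]

# Constructed sample telemetry (DNS, proxy, EDR). Formats and internal values are invented;
# the final sha256 is a placeholder, not a real sample hash.
SAMPLE_EVENTS = """\
2025-02-03T10:14:22Z dns client=10.0.5.23 query=paksecurity.org type=A answer=104.21.25.86
2025-02-03T10:14:25Z proxy src=10.0.5.23 dst=104.21.25.86:443 host=paksecurity.org method=CONNECT
2025-02-03T10:15:01Z edr host=WS-0419 event=file_create path=C:\\Users\\jdoe\\Downloads\\FAKE_CAPTCHA.lnk sha256=9B2637B8FEFEEDF8DCA8A0ACE491DE05B6D937EA7463B48562CD1A0F25ABB9F5
2025-02-03T10:20:44Z dns client=10.0.7.9 query=example.com type=A answer=93.184.216.34
2025-02-03T10:22:10Z edr host=FS-01 event=file_create path=D:\\shares\\finance\\HOW_RETURN_YOUR_DATA.TXT sha256=deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
"""

# Tokens that can carry an indicator: hex strings, dotted names/addresses, bracket-defanged forms.
TOKEN_RE = re.compile(r"[A-Za-z0-9._\-\[\]]+")


def refang(value):
    """Undo common defanging conventions: [.] and (.) for dots, [:] for colons, hxxp for http."""
    v = value.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    if v.lower().startswith("hxxp"):
        v = "http" + v[4:]
    return v


def classify(token):
    """Refang a token and classify it by shape. Returns (kind, normalised) or (None, token).

    Limitation: a dotted filename with no underscore (e.g. report.doc) is classified as a
    domain; it simply fails to match anything in the index, so no false positive results.
    """
    v = refang(token)
    if re.fullmatch(r"[0-9a-fA-F]{32}", v):
        return "md5", v.lower()
    if re.fullmatch(r"[0-9a-fA-F]{40}", v):
        return "sha1", v.lower()
    if re.fullmatch(r"[0-9a-fA-F]{64}", v):
        return "sha256", v.lower()
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if re.fullmatch(r"(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,}", v):
        return "domain", v.lower()
    if re.fullmatch(r"[\w\-.]+\.[A-Za-z0-9]{1,5}", v):
        return "filename", v.upper()
    return None, v


def build_index(raw_iocs):
    """Group normalised indicators by kind so lookups are O(1) set membership tests."""
    index = {}
    for raw in raw_iocs:
        kind, norm = classify(raw)
        if kind is None:
            raise ValueError(f"unrecognised indicator shape: {raw!r}")
        index.setdefault(kind, set()).add(norm)
    return index


def scan_events(log_text, index):
    """Return [(line_number, [(kind, value), ...])] for every log line that hits the index."""
    results = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        hits = []
        for tok in TOKEN_RE.findall(line):
            kind, norm = classify(tok)
            if kind and norm in index.get(kind, ()) and (kind, norm) not in hits:
                hits.append((kind, norm))
        if hits:
            results.append((lineno, hits))
    return results


if __name__ == "__main__":
    idx = build_index(BLACKLOCK_IOCS_RAW)
    for lineno, hits in scan_events(SAMPLE_EVENTS, idx):
        print(f"line {lineno}: {hits}")
```

Classification happens on both sides (indicator and log token) with the same function, which is what makes `104[.]21[.]25[.]86` in a report and `104.21.25.86:443` in a proxy log compare equal. The ransom-note filename is kept as a weak, context-dependent indicator: a hit on it in a file-creation event is worth an alert, but the IP and domain hits are what tie activity to this family's infrastructure as reported.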
Vulnerabilities exploited
The investigation centered on two specific file hashes that I’ve found with the associated command-and-control domains that together have strong attribution to the BlackLock ransomware-as-a-service (RaaS) operation, also known historically as Eldorado or El Dorado and later rebranded as GLOBAL GROUP.
Groups observed using it
“DragonForce has been linked to attacks from BlackLock (which rebranded to Mamona)…”
Dubbed “BlackLock” (aka "El Dorado" or "Eldorado"), the ransomware-as-a-service (RaaS) outfit has existed since March 2024.
Recent activity
A ransomware-as-a-service operation using a custom Go-based builder to generate Windows, Linux, and ESXi encryptors. It is described as targeting virtualization infrastructure, especially ESXi, using recovery-denial tactics, encrypting datastores and virtual machine files, and dropping ransom notes such as HOW_RETURN_YOUR_DATA.TXT.
Ransomware variant observed targeting European financial institutions in 2025.
Referenced as a rival ransomware operation with a leak site targeted/defaced by DragonForce.
Ransomware group/family referenced as a rival whose infrastructure was compromised by DragonForce; mentioned in the context of infrastructure migration/takeover activity.