
BlackLock Ransomware Group Emerges as a Growing Threat

The BlackLock ransomware group, also known as El Dorado, has quickly become one of the most prolific operators in the “Ransomware as a Service” (RaaS) ecosystem. By the end of 2024, BlackLock ranked as the seventh most active ransomware group, with a 1,425% increase in activity from Q3. Experts predict that it could become the leading ransomware group by 2025.

Security firm ReliaQuest analyzed BlackLock’s rise and tactics, attributing its success to swift and strategic operations. The group ranks among the top three collectives on the RAMP forum and has gained a strong reputation within the cybercriminal community. BlackLock’s tactics include double extortion: the group encrypts data and steals sensitive information, then threatens to expose it to pressure victims into paying.

BlackLock’s custom-built malware targets Windows, VMware ESXi, and Linux environments, although its Linux variant is less developed. The group also uses a sophisticated leak site, designed to prevent researchers from downloading stolen data, which forces organizations to pay ransoms before fully assessing the breach.

Unlike many competitors that use publicly available ransomware builders, BlackLock’s custom malware remains hidden, making it more difficult for security researchers to study. The group has been recruiting affiliates, or “traffers,” to help with the initial stages of attacks but remains discreet about seeking higher-level developers.

Experts warn that BlackLock may exploit vulnerabilities in Microsoft Entra Connect, potentially escalating privileges and breaching secure environments. Organizations should strengthen security policies, including monitoring sensitive attributes and enforcing conditional access, to prepare for future attacks.
