What is the BlackLock ransomware?
BlackLock is a relatively new ransomware group. First seen in March 2024, the ransomware operation initially operated under the name El Dorado, before rebranding as BlackLock late last year.
BlackLock follows a RaaS (ransomware-as-a-service) business model, leasing its tools and infrastructure to affiliates who launch attacks and share a percentage of the proceeds with BlackLock.
And I assume they do the traditional thing of encrypting your data and demanding a ransom?
Yes, like many other ransomware groups, BlackLock both encrypts victims’ files and exfiltrates data – threatening to publish it if ransoms are not paid. BlackLock uses custom-built ransomware to target Windows, VMware ESXi, and Linux environments.
So not just Windows?
No, although the Linux version of BlackLock’s ransomware is not considered as mature as its Windows-based sibling.
So what makes BlackLock noteworthy?
BlackLock has become a big deal, very quickly. It has been predicted to be one of the biggest RaaS operations of 2025, following a dramatic increase in the number of posts on its dark web leak site.
BlackLock is reported to have launched 48 attacks in the first two months of 2024, impacting a number of industry sectors, with construction and real estate companies hit the hardest.
In addition, BlackLock has been actively attracting new affiliates on RAMP, a Russian-language ransomware-focused cybercrime forum, as well as recruiting developers, initial access brokers and traffers (people who direct victims to malicious content).
BlackLock is represented on RAMP by a user calling themselves “$$$”, who has posted nine times more frequently than its nearest competitor (RansomHub) – giving some indication of the group’s aggressive promotion to other criminals.
Shouldn’t more be done to shut down cybercriminal forums like this?
It isn’t an easy problem to solve. But law enforcement has had success in seizing ransomware and other cybercriminal sites in the past. We can only hope that they will continue to have successes.
How will you know if your company has been hit by BlackLock?
It will be very obvious that you have a serious problem. Files will not only be encrypted, but also renamed – with random characters.
In addition, the ransomware drops a file on impacted systems entitled “HOW_RETURN_YOUR_DATA.TXT” which contains the extortion note, demanding a Bitcoin payment.
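As an added illustration (not code from the original article), here is a small Python triage script that walks a directory tree looking for the two indicators just described: the HOW_RETURN_YOUR_DATA.TXT note and clusters of files renamed to random characters. The random-name heuristic (alphanumeric, no extension, high character entropy) and the sample tree are my own assumptions, not a published BlackLock signature, so tune the thresholds to your environment.

```python
import math
import os
import re
from collections import Counter

# Ransom note filename reported for BlackLock (from the article).
RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"
# Constructed heuristic: a renamed file is a bare run of letters/digits, no extension.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8,}$")


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; random names score higher than words."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name: str, min_entropy: float = 3.0) -> bool:
    """True if the filename matches the random-character pattern and has high entropy."""
    return bool(RANDOM_NAME.match(name)) and shannon_entropy(name) >= min_entropy


def scan_tree(root: str, ratio_threshold: float = 0.5) -> dict:
    """Walk root and collect BlackLock-style indicators.

    Returns {'notes': [ransom note paths], 'suspicious_dirs': [dirs where at
    least ratio_threshold of the files carry random-looking names]}.
    """
    notes, suspicious = [], []
    for dirpath, _dirs, files in os.walk(root):
        if not files:
            continue
        random_count = 0
        for name in files:
            if name.upper() == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            elif looks_random(name):
                random_count += 1
        if random_count / len(files) >= ratio_threshold:
            suspicious.append(dirpath)
    return {"notes": notes, "suspicious_dirs": suspicious}


def demo() -> dict:
    """Build a constructed sample tree (one hit dir, one clean dir) and scan it."""
    import tempfile
    base = tempfile.mkdtemp()
    hit, clean = os.path.join(base, "finance"), os.path.join(base, "docs")
    os.makedirs(hit)
    os.makedirs(clean)
    for name in ("Qv8ZkLm2Rt7Ya", "Hx4pW9sKq1Nc", RANSOM_NOTE):  # constructed
        open(os.path.join(hit, name), "w").close()
    for name in ("notes.txt", "photo.jpg"):  # constructed, benign
        open(os.path.join(clean, name), "w").close()
    return scan_tree(base)
```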
And, of course, if you don’t co-operate with the BlackLock gang your data is published on its leak site?
Afraid so. Researchers who have looked at the BlackLock leak site say that it uses clever techniques to try to make it harder for investigators to download details of victims and determine what files have been stolen, presumably in an attempt to pressure victims into paying out more quickly.
Ransomware experts have been able to carefully circumvent these limitations by using randomised download intervals, unique browser agents and other techniques to automate file downloads.
So how can my company protect itself from Ragnar Locker?
The best advice is to follow our recommendations on how to protect your organisation from other ransomware. These include:
- making secure offsite backups.
- running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
- using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
- encrypting sensitive data wherever possible.
- reducing the attack surface by disabling functionality that your company doesn’t need.
- educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.