In a dramatic turn of events, the notorious ransomware-as-a-service (RaaS) group known as “BlackLock” has been dealt a severe blow, thanks to the proactive efforts of cybersecurity firm Resecurity. Dubbed “El Dorado” and “Eldorado” in its various incarnations, BlackLock emerged as a formidable player in the cybercrime world since its inception in March 2024. However, a critical vulnerability in its operations, uncovered during the holiday season, has shifted the tide against this rapidly growing threat.
This is the story of how BlackLock rose to prominence, the ingenious methods used to dismantle its operations, and what it means for the future of ransomware warfare.
The Rise of BlackLock: A Cybercrime Powerhouse
BlackLock burst onto the ransomware scene with alarming speed. By the fourth quarter of 2024, the group’s data leak posts surged by an astonishing 1,425% compared to the previous quarter, signaling its intent to dominate the RaaS landscape in 2025. Independent analysts flagged BlackLock as a potential leader in the ransomware ecosystem, citing its aggressive tactics and growing victim tally.
Operating under aliases like “El Dorado” and later “Mamona,” BlackLock targeted a diverse range of organizations across the globe. As of February 10, 2025, Resecurity identified 46 victims spanning industries such as electronics, academia, healthcare, defense, and government agencies. Affected organizations hailed from countries including the United States, Canada, France, Brazil, and the UAE, showcasing the group’s international reach.
Read Full Report: Blacklock Ransomware: A Late Holiday Gift with Intrusion into the Threat Actor’s Infrastructure
What made BlackLock particularly dangerous was its sophisticated approach. The group leveraged a Data Leak Site (DLS) on the TOR network to publish stolen data, extorted victims with relentless precision, and even launched an underground affiliate network on January 14, 2025, via the notorious “RAMP” forum. Written in Russian and Chinese, the announcement invited cybercriminals to join their ranks, offering ransomware binaries and compromised access for profit—provided they avoided targeting BRICS nations (like Russia and China) and CIS countries.
A Holiday Surprise: Uncovering BlackLock’s Weakness
The turning point came during the 2024 winter holidays—a time when cybercriminals typically ramp up attacks, exploiting distracted businesses and individuals. However, this holiday season brought an unexpected gift for the good guys. Resecurity’s HUNTER team identified a Local File Include (LFI) vulnerability in BlackLock’s TOR-based DLS, a misconfiguration that exposed critical details about the group’s infrastructure.
Empanelment for Speakers, Trainers, and Cyber Security Experts Opens at Future Crime Research Foundation
By exploiting this flaw, Resecurity analysts gained access to a treasure trove of intelligence: server logs, IP addresses, hosting providers, login timestamps, and even file-sharing accounts on MEGA where stolen data was stored. This breach allowed the team to peek behind the curtain of BlackLock’s operations, revealing not just their methods but also their planned attacks.
“We didn’t just want to count victims and write reports,” said a Resecurity spokesperson. “Our goal was to disrupt the cybercriminal chain proactively. This was a rare case where offensive cyber tactics and threat intelligence came together to stop a major ransomware group in its tracks.”
Inside BlackLock’s Operations: A Web of Deception
The Modus Operandi
BlackLock’s operations were a masterclass in cybercrime ingenuity. The group used anonymous email services like Cyberfear.com to communicate and relied heavily on MEGA for data exfiltration. Resecurity uncovered eight MEGA accounts tied to the group, including addresses like sopajelessei-5488@yopmail[.]com and mega080mega@gmail[.]com, used to shuttle stolen data between victims and the DLS.
To manage this efficiently, BlackLock employed the rclone utility and even installed the MEGA client directly on victims’ servers—sneaky tactics designed to evade detection. Stolen data, sometimes amounting to terabytes, was stored, wiped, and reused across these accounts, with some serving as backups.
A Triple Threat
The mastermind behind BlackLock, known only as “$$ $,” wasn’t content with running a single operation. Evidence suggests this actor orchestrated three ransomware projects: BlackLock, El Dorado, and the newly launched Mamona Ransomware (announced March 11, 2025). Victims like New River Electrical in Ohio and Kansas State University’s College of Veterinary Medicine appeared on both El Dorado and BlackLock’s DLS, hinting at a seamless transition between projects.
Cybersecurity researchers noted similarities in code and ransom notes across these ventures, a common tactic for operators to rebrand and confuse investigators. “It’s like a criminal chameleon,” one expert remarked. “They shed one skin and grow another, but the DNA stays the same.”
Turning the Tables: How Resecurity Fought Back
Early Warnings Save Victims
Armed with intelligence from the DLS breach, Resecurity didn’t just sit on the sidelines. On January 10, 2025, they alerted the Canadian Centre for Cyber Security about a planned data leak targeting a Canadian victim—13 days before it was set to go public. Six days later, they tipped off France’s CERT-FR/ANSSI about a legal services provider in the EU, beating BlackLock’s publication timeline by two days.
In both cases, the team observed BlackLock’s tactics up close, including the use of MEGA clients on victims’ servers to quietly siphon data. By monitoring compromised accounts, Resecurity traced IP addresses—some originating from China and Russia—though the use of proxies made pinpointing the actors tricky. Key IPs like 185.147.124.54 and 218.92.0.252 surfaced in server logs, offering valuable clues.
A Vulnerability Exposed
The LFI vulnerability wasn’t just a lucky break—it was a glaring oversight by BlackLock. The misconfiguration leaked clearnet IP addresses tied to their TOR infrastructure, along with sensitive server files and credentials. One password, carelessly reused across accounts, gave Resecurity even deeper access. The DLS server also required a digital certificate for authentication, but once breached, its secrets spilled wide open.
Over time, Resecurity amassed over 7 terabytes of compromised data, using it to identify and warn victims before BlackLock could cash in on its extortion schemes.
Ransomware Wars: A Game of Trust and Triumph
DragonForce Enters the Fray
BlackLock’s reign unraveled further in early 2025. On February 26, Resecurity contacted a BlackLock representative via TOX IM, obtaining a ZIP file with ransomware binaries for Windows, Linux, FreeBSD, and ESXi. Reverse engineering revealed striking similarities to DragonForce Ransomware, another major player in the underground scene. While DragonForce used C++, BlackLock’s samples were coded in Go—possibly with AI assistance—but the ransom notes were nearly identical.
Was this a collaboration or a takeover? On February 28, ” $$$” hinted at an “exit” from BlackLock, raising suspicions of a shift in leadership or a strategic retreat. Then, on March 20, 2025, BlackLock’s DLS was defaced, its configuration files dumped online. The next day, Mamona’s DLS met the same fate, with DragonForce leaving a mocking comment on RAMP.
A Rival’s Revenge?
The defacement—complete with leaked chats allegedly from BlackLock operators—suggested DragonForce was either eliminating a competitor or staging a dramatic rebrand. “It’s ransomware warfare,” said one observer. “They’re fighting for territory, and BlackLock got caught in the crossfire.” Intriguingly, “$$ $” showed no anger toward DragonForce, even calling them “gentlemen,” fueling speculation of a coordinated handover.
By mid-March, both BlackLock and Mamona went offline, their DLS URLs scrubbed from ” $$$’s” RAMP signature. The actor vanished, leaving affiliates wary and the ransomware community buzzing with theories.
Now Open: Pan-India Registration for Fraud Investigators!
The Aftermath: DragonForce Rises, Lessons Learned
With BlackLock crippled, DragonForce is poised to seize the spotlight. Known for its technical prowess, the group is already targeting regions like Saudi Arabia and courting affiliates orphaned by BlackLock’s collapse. Resecurity predicts a surge in DragonForce activity as it capitalizes on this power vacuum.
For BlackLock’s operators, the message is clear: there’s no hiding in today’s cybercrime ecosystem. Multiple operational security (OPSEC) failures—exposed IPs, reused passwords, and a vulnerable DLS—left them exposed to rivals and researchers alike. “This is a wake-up call,” said a Resecurity analyst. “Even the slickest criminals can’t outrun a determined counterattack.”
For victims and businesses, Resecurity’s efforts offer hope. By blending offensive cyber tactics with threat intelligence, they didn’t just document BlackLock’s crimes—they stopped them. As ransomware evolves, this proactive approach could be the key to staying one step ahead of the bad guys.