Pierluigi Paganini March 26, 2025

Resecurity found an LFI flaw in the leak site of BlackLock ransomware, exposing clearnet IPs and server details.

Resecurity has identified a Local File Include (LFI) vulnerability in Data Leak Site (DLS) of BlackLock Ransomware. 

Cybersecurity experts were able to exploit misconfiguration in vulnerable web-app used by ransomware operators to publish victims’ data – leading to clearnet IP addresses disclosure related to their network infrastructure behind TOR hidden services (hosting them) and additional service information acquired from server-side.  

The collected information allowed to assist with further investigation and disruption of this cybercriminal activity. BlackLock Ransomware was named as one of the fastest-growing ransomware strains for today. Victims included organizations from different segments, including electronics, academia, religious organizations, defense, healthcare, technology, IT/MSP vendors, and government agencies. The impacted organizations were based in Argentina, Aruba, Brazil, Canada, Congo, Croatia, Peru, France, Italy, Spain, the Netherlands, the United States, the United Kingdom, and the UAE. In Q4 of last year, it increased its number of data leak posts by a staggering 1,425% quarter-on-quarter. According to independent reporting, the group has rapidly accelerated attacks and could become the most dominant RaaS group in 2025.

Resecurity has been covertly acquiring critical and previously undisclosed artifacts related to threat actors’ network infrastructure, logs, ISPs and hosting providers involved, timestamps of logins, associated file-sharing accounts at MEGA, the group created to store stolen data from the victims (which later got published via DLS in TOR). A successful compromise of BlackLock’s DLS allowed to uncover a trove of information about the threat actors and their Modus Operandi (MO), but more importantly, to predict and prevent some of their planned attacks and protect undisclosed victims by alerting them.

Resecurity identified 8 associated MEGA accounts used by the group to manage stolen victims’ data. Using rclone utility the actors were syncing the data between DLS and compromised environment exfiltrating data from enterprises.

BlackLock is known as rebranding of El Dorado Ransomware. According to Resecurity, the same actors could be tied to several other prominent projects including Mamona Ransomware. The last project also did not last long. Karol Paciorek from CSIRT KNF identified a possible clearnet IP of Mamona DLS, which caused panic among affiliates.

Both BlackLock and Mamona Ransomware went offline and are currently not available. Notably, another prominent ransomware group DragonForce took the lead capitalizing on these events.  Resecurity highlighted that it is possible DragonForce will take over on the BlackLock affiliate base, and the group will successfully transition to new masters.  

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, BlackLock)