Listen to this Post
The rapid evolution of ransomware attacks is a growing concern for cybersecurity professionals, as the sophistication and speed of these attacks only increase over time. In a recent development, cybersecurity firm Resecurity uncovered a significant vulnerability in the Data Leak Site (DLS) of BlackLock Ransomware. This discovery shed light on an alarming weakness that could be exploited by attackers to compromise organizations globally. In this article, we explore how a Local File Inclusion (LFI) vulnerability was identified and what it means for organizations facing the growing threat of ransomware.
A Critical Vulnerability in BlackLock
Resecurity experts revealed that BlackLock Ransomware’s DLS contained an LFI vulnerability, which allowed them to access critical server-side data. This misconfiguration in the ransomware’s web application exposed clearnet IP addresses, revealing key information about its network infrastructure hidden behind TOR services. Additionally, this breach provided further insights into the hosting providers and services used by the attackers.
By exploiting this vulnerability, experts were able to gather valuable information that assisted in the investigation and disruption of BlackLock’s cybercriminal activities. Notably, the ransomware strain has rapidly grown in prominence, and its victims span several sectors, including electronics, healthcare, government agencies, academia, and technology companies worldwide.
In Q4 of the previous year,
Key Findings and Insights from Resecurity’s Investigation
Through careful investigation, Resecurity managed to collect critical data related to BlackLock’s infrastructure, including logs, ISPs, hosting providers, and timestamps of logins. This intelligence also revealed that the ransomware operators used MEGA accounts to store stolen victim data, which was later published via the DLS on the dark web. By successfully compromising BlackLock’s DLS, Resecurity was able to uncover a wealth of details about the ransomware group’s operations, including their Modus Operandi (MO).
The investigation led to the identification of eight MEGA accounts linked to the attackers, providing even more evidence of their data management strategies. Resecurity also revealed how the group was utilizing tools like rclone to exfiltrate data from compromised organizations.
Interestingly, BlackLock Ransomware is a rebranding of the previously active El Dorado Ransomware, and the same group behind BlackLock is believed to be involved in other significant ransomware projects, including Mamona Ransomware. While Mamona had a brief run, it also met its demise, leaving the threat actors to pivot towards BlackLock.
BlackLock’s Decline and the Rise of DragonForce
Following the exposure of critical information about
Resecurity suggests that DragonForce could potentially absorb BlackLock’s affiliate network, enabling the group to maintain its operations under new leadership and continue its cybercriminal activities. The rapid rebranding and adaptation to changing circumstances are hallmarks of how ransomware groups evolve, making it difficult for authorities and cybersecurity teams to stay ahead.
What Undercode Says:
The findings from Resecurity regarding BlackLock Ransomware provide a sobering reminder of how sophisticated cybercriminal operations have become. This incident underscores the need for organizations to adopt more rigorous cybersecurity practices, especially when it comes to securing web applications and data leak sites. While the LFI vulnerability in BlackLock’s DLS was exploited in this case, there are countless other potential vulnerabilities that cybercriminals could exploit if left unchecked.
The fact that Resecurity was able to uncover such valuable information demonstrates the importance of proactive monitoring and investigation in the fight against ransomware. Rather than waiting for the next attack to occur, cybersecurity teams must actively search for vulnerabilities in their systems, monitor traffic for signs of suspicious behavior, and share information about threat actor tactics.
In particular, the link between BlackLock and Mamona ransomware raises the question of how interconnected and adaptable these cybercriminal groups are. The quick rebranding of ransomware strains and the ability of groups to shift their operations to other platforms makes it increasingly difficult to dismantle them entirely. The infiltration of secure cloud storage systems like MEGA further shows the lengths to which these groups will go to store and distribute their stolen data.
Despite these challenges, the successful compromise of BlackLock’s DLS offers some hope in the battle against ransomware. With the right intelligence and expertise, it’s possible to disrupt these groups and prevent further attacks, saving both organizations and individuals from the devastating consequences of a ransomware breach.
Fact Checker Results:
- LFI vulnerability confirmed: The identification of a Local File Inclusion (LFI) vulnerability in BlackLock’s DLS has been corroborated by cybersecurity experts, proving the breach was real.
- Rise of BlackLock confirmed: Data showing a 1,425% increase in BlackLock’s data leak posts in Q4 supports the group’s rapid expansion and growing influence in the ransomware landscape.
- DragonForce’s potential takeover: The potential of DragonForce taking over BlackLock’s affiliate network is a logical conclusion based on observed trends in the ransomware ecosystem.
References:
Reported By: https://securityaffairs.com/175877/cyber-crime/blacklock-ransomware-targeted-by-cybersecurity-firm.html
Extra Source Hub:
https://www.stackexchange.com
Wikipedia
Undercode AI
Image Source:
Pexels
Undercode AI DI v2





