What is the BlackLock ransomware?
BlackLock is a comparatively new ransomware group. First seen in March 2024, the ransomware operation initially operated under the name El Dorado, before rebranding as BlackLock late last year.
BlackLock follows a RaaS (ransomware-as-a-service) business model, leasing its tools and infrastructure to affiliates who launch attacks, sharing a percentage of the proceeds with BlackLock.
And I suppose they do the usual thing of encrypting your data and demanding a ransom?
Yes, like many other ransomware groups, BlackLock both encrypts victims’ files and exfiltrates data – issuing threats to publish it if ransoms are not paid. BlackLock uses custom-built ransomware to target Windows, VMware ESXi, and Linux environments.
So not just Windows?
No, although the Linux version of BlackLock’s ransomware is not considered as mature as its Windows-based sibling.
So what makes BlackLock noteworthy?
BlackLock has become a big deal, very quickly. It has been predicted to be one of the biggest RaaS operations of 2025, following a dramatic increase in the number of posts on its dark web leak site.
BlackLock is reported to have launched 48 attacks in the first two months of 2024, impacting multiple industry sectors, with construction and real estate companies hit the hardest.
In addition, BlackLock has been actively attracting new affiliates on RAMP, a Russian-language ransomware-focused cybercrime forum, as well as recruiting developers, initial access brokers and traffers (people who direct victims to malicious content).
BlackLock is represented on RAMP by a user calling themselves “$$$”, who has posted 9 times more frequently than its nearest competitor (RansomHub) – giving some indication of the group’s aggressive promotion to other criminals.
Shouldn’t more be done to shut down cybercriminal forums like this?
It’s not an easy problem to solve. But law enforcement has had success in seizing ransomware and other cybercriminal sites in the past. We can only hope that they will continue to have successes.
How will you know if your company has been hit by BlackLock?
It will be very obvious that you have a serious problem. Files will not only be encrypted, but also renamed – with random characters.
In addition, the ransomware drops a file on impacted systems entitled “HOW_RETURN_YOUR_DATA.TXT” which contains the extortion note, demanding a Bitcoin payment.
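Added example, not part of the original article: a small Python scan a defender could run over a file share to flag the ransom note filename described above and directories holding files with random-looking names. The entropy heuristic, thresholds, extension list and sample directory tree are assumptions constructed for the example, not details from the article.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Ransom note filename as described in the article; everything else below is constructed.
RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"
COMMON_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png"}  # assumed allow-list

def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking strings score higher."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def looks_renamed(name: str, min_len: int = 8, min_entropy: float = 3.5) -> bool:
    """Heuristic (an assumption, not from the article): a filename made of random
    characters and lacking a recognised extension has high per-character entropy."""
    stem, ext = os.path.splitext(name)
    if ext.lower() in COMMON_EXTS:
        return False
    return len(stem) >= min_len and shannon_entropy(stem) >= min_entropy

def scan_tree(root: str) -> dict:
    """Walk a tree; report ransom notes found and directories holding renamed files."""
    notes, suspicious = [], {}
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE in files:
            notes.append(os.path.join(dirpath, RANSOM_NOTE))
        hits = sorted(f for f in files if looks_renamed(f))
        if hits:
            suspicious[os.path.relpath(dirpath, root)] = hits
    return {"notes": notes, "suspicious_dirs": suspicious}

def build_sample_tree() -> str:
    """Constructed sample tree: one clean folder, one folder hit by the ransomware."""
    root = tempfile.mkdtemp()
    clean = Path(root, "finance")
    clean.mkdir()
    (clean / "budget.xlsx").write_text("untouched")
    hit = Path(root, "shares")
    hit.mkdir()
    (hit / RANSOM_NOTE).write_text("constructed extortion note")
    for name in ("k7Qz2pX9vLa3.d8F1", "Wm4tR0xYb6nJ.c5Qe"):  # random-looking renames
        (hit / name).write_text("ciphertext")
    return root
```

Running `scan_tree(build_sample_tree())` reports the one note and the `shares` directory with its two renamed files; in practice the scan would be pointed at a real share root and its findings fed to alerting.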
And, of course, if you don’t co-operate with the BlackLock gang your data is published on its leak site?
Afraid so. Researchers who have looked at the BlackLock leak site say that it uses clever tricks to try to make it harder for investigators to download details of victims and determine what files have been stolen, presumably in an attempt to pressure victims into paying out more quickly.
Ransomware experts have been able to carefully circumvent these barriers by using randomised download intervals, unique browser agents and other techniques to automate file downloads.
So how can my company protect itself from Ragnar Locker?
The best advice is to follow our recommendations on how to protect your organisation from other ransomware. Those include:
- making secure offsite backups.
- running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
- using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
- encrypting sensitive data wherever possible.
- reducing the attack surface by disabling functionality that your company doesn’t need.
- educating and informing staff about the risks and techniques used by cybercriminals to launch attacks and steal data.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.