Introduction
In March 2024 [1] [2], Resecurity successfully disrupted the BlackLock ransomware gang [2], a significant cyber threat known for its aggressive attacks and substantial increase in data leak activities. This operation highlights the effectiveness of proactive cybersecurity measures in dismantling cybercriminal organizations and preventing data breaches [2].
Description
Resecurity has successfully disrupted the BlackLock ransomware gang [2], a group that emerged in March 2024 and became a significant threat through its aggressive attacks and a staggering 1,425% increase in data leak posts in the last quarter of that year. By exploiting a critical Local File Include (LFI) vulnerability on BlackLock’s Data Leak Site (DLS), Resecurity’s HUNTER team was able to investigate the gang’s infrastructure and uncover sensitive information [2], including server configurations [2], login details [2], and logs of the gang’s activities [2]. This proactive measure not only revealed past actions and future plans but also allowed researchers to alert potential targets, effectively preventing further data leaks [3].
Resecurity reported a planned data release from a Canada-based victim [1], indicating operations affecting multiple countries [1], including Argentina [1], Brazil [1], Canada [1], and the US [1]. The exploitation of the LFI vulnerability was a significant operational security failure for BlackLock, leading to the collection of critical configuration files and credentials [1]. This incident has severely damaged BlackLock’s reputation among cybercriminal affiliates and significantly impacted its operational capabilities.
Additionally, Resecurity retrieved credentials for MEGA cloud storage accounts used by BlackLock for storing and transferring stolen data. Eight email addresses linked to these MEGA folders were identified, suggesting potential cooperation with, or a takeover by, the rival group DragonForce [1]. In March 2025 [1] [2], BlackLock’s data leak site was defaced by DragonForce [2], further undermining BlackLock’s operations [2]. The relationship between BlackLock and DragonForce remains unclear [1], with speculation about internal conflicts or market consolidation. The outcome of this operation underscores the effectiveness of proactive cybersecurity measures in dismantling cybercriminal organizations and preventing data breaches [2].
Conclusion
The disruption of BlackLock by Resecurity has significantly impaired the gang’s operations and reputation, demonstrating the critical role of proactive cybersecurity strategies. By identifying and exploiting vulnerabilities in a threat actor’s own infrastructure, cybersecurity teams can effectively mitigate threats and prevent data breaches. This case also highlights the potential for internal conflicts and market shifts within the cybercriminal landscape, emphasizing the need for continuous vigilance and adaptation in cybersecurity efforts.
References
[1] https://www.cybersecurityintelligence.com/blog/-blacklock-hackers-hacked-8343.html
[2] https://i-hls.com/archives/128785
[3] https://www.fortra.com/blog/bi-weekly-cyber-landscape-reviews-march-25th-2025