Researchers Confirm BlackLock as Eldorado Rebrand
Researchers have confirmed that BlackLock is a rebranded version of the notorious Eldorado ransomware group, revealing a direct link between the two. After facing increased pressure from law enforcement and security experts, Eldorado resurfaced under the BlackLock banner, refining its operational model while maintaining its ransomware-as-a-service structure. The DarkAtlas Research Team's latest report, "Inside the World’s Fastest Rising Ransomware Operator BlackLock," highlights its unpredictable attack patterns, rapid expansion, and growing influence across multiple industries.
BlackLock has emerged as one of 2025’s most notorious ransomware threats, executing 48 attacks in the first two months of the year. It has primarily targeted construction, real estate, technology, and government agencies, leveraging fast encryption speeds to maximize disruption. The ransomware renames encrypted files with randomized extensions and delivers a ransom note titled "HOW_RETURN_YOUR_DATA.TXT." Unlike many ransomware groups with structured playbooks, BlackLock’s flexible and adaptive attack strategies make it difficult to counter. Its use of destructive wipers against government entities further distinguishes it as a multifaceted cyber threat with both financial and geopolitical implications.
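The two on-disk artefacts the report attributes to BlackLock, the ransom note `HOW_RETURN_YOUR_DATA.TXT` and files renamed with randomized extensions, are enough for a simple triage sweep. The following Python script is an added example, not code from the DarkAtlas report; the "randomized extension" heuristic (unknown, alphanumeric, 6+ characters, contains a digit, high character diversity) and the constructed sample tree are assumptions for illustration.

```python
"""Hunt for BlackLock-style artefacts: the ransom note and clusters of renamed files."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"  # note title named in the report
KNOWN_EXTS = {"txt", "docx", "xlsx", "pdf", "jpg", "png", "exe", "dll", "log",
              "json", "xml", "html", "csv", "zip", "bak", "sqlite", "config"}

def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def looks_randomized(ext: str) -> bool:
    """Assumed heuristic (not from the report): an unknown ASCII-alphanumeric
    extension of 6+ characters that contains a digit and has diverse characters."""
    ext = ext.lower()
    if ext in KNOWN_EXTS or len(ext) < 6 or not (ext.isascii() and ext.isalnum()):
        return False
    return any(ch.isdigit() for ch in ext) and entropy(ext) >= 2.3

def scan(root: str, min_cluster: int = 3) -> dict:
    """Return ransom-note paths and directories with >= min_cluster renamed files."""
    notes, suspicious = [], {}
    for dirpath, _, files in os.walk(root):
        hits = 0
        for name in files:
            if name.upper() == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            elif "." in name and looks_randomized(name.rsplit(".", 1)[1]):
                hits += 1
        if hits >= min_cluster:
            suspicious[os.path.basename(dirpath)] = hits
    return {"ransom_notes": notes, "suspicious_dirs": suspicious}

def demo() -> dict:
    """Constructed sample tree: one untouched folder and one 'encrypted' folder."""
    base = Path(tempfile.mkdtemp())
    (base / "clean").mkdir()
    for n in ("report.docx", "budget.xlsx", "photo.jpg"):
        (base / "clean" / n).write_text("sample")
    (base / "finance").mkdir()
    for n in ("report.docx.k3x9q2z", "budget.xlsx.a7pm4tq", "q1.pdf.z8n2hf7", RANSOM_NOTE):
        (base / "finance" / n).write_text("sample")
    return scan(str(base))
```

Run `scan()` against a file share or a mounted forensic image; a directory flagged with several randomized extensions next to the note is a strong indicator even when the sample itself has not been recovered.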
The rise of RaaS platforms has played a critical role in BlackLock's expansion, allowing the group to rapidly recruit affiliates and execute high-impact attacks. Intelligence from DarkAtlas confirms that BlackLock retains Eldorado’s technical foundation, employing Golang for cross-platform attacks and leveraging ChaCha20 and RSA-OAEP encryption techniques. However, it has enhanced its attack efficiency, implementing faster encryption speeds and more targeted infiltration methods. This transition follows a common ransomware rebranding strategy, seen previously with groups like Babuk to BabLock and REvil to BlackMatter, where threat actors evade detection and disrupt attribution while continuing operations under a new identity.
Security Officer Comments:
BlackLock’s recruitment strategies further emphasize its aggressive expansion. The group actively seeks “traffers” (cybercriminals responsible for delivering malicious payloads and establishing initial access) while also hiring penetration testers and skilled developers to refine its ransomware payloads. Unlike other groups that rely on leaked ransomware builders, BlackLock (formerly Eldorado) develops its malware independently, ensuring exclusivity and operational control. It supports both Windows and Linux attacks, increasing its adaptability across different infrastructures.
The growing alignment between ransomware operators and hacktivist groups has also been noted, with geopolitical motivations influencing BlackLock’s targeting of critical industries. This shift suggests a blend of financial incentives and strategic disruption, further complicating defense efforts. Additionally, IT service providers have been targeted, allowing BlackLock to compromise downstream business customers, amplifying its attack reach.
Suggested Corrections:
Back up your data, system images, and configurations, regularly test the backups, and keep them offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current offline backups is critical because, if your network data is encrypted by ransomware, your organization can still restore its systems.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained on how to avoid and spot phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.
Implement multi-factor authentication (MFA): External-facing assets that leverage single-factor authentication (SFA) are highly susceptible to brute-forcing attacks, password spraying, or unauthorized remote access using valid (stolen) credentials. Implementing MFA enhances security and adds an extra layer of protection.
Link(s):
https://www.infosecurity-magazine.com/news/researchers-confirm-blacklock/