Cybersecurity Firm Uncovers Vulnerability in BlackLock Ransomware Infrastructure
Discover how Resecurity identified a critical flaw in BlackLock ransomware, leading to the exposure of vital network details and the disruption of cybercriminal activities.
TL;DR
Resecurity identified a Local File Include (LFI) vulnerability in the Data Leak Site (DLS) of BlackLock ransomware, exposing critical network details and aiding in the disruption of cybercriminal activities. BlackLock, a fast-growing ransomware strain, has targeted various organizations worldwide, with a significant increase in data leak posts.
Main Content
Cybersecurity firm Resecurity has identified a Local File Include (LFI) vulnerability in the Data Leak Site (DLS) of BlackLock ransomware. This discovery allowed its researchers to exploit a misconfiguration in the web application the ransomware operators use to publish victims’ data. The vulnerability led to the disclosure of clearnet IP addresses and additional server details about the network infrastructure behind the group’s Tor hidden services.
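The LFI bug class named above, as an added illustration that is not taken from Resecurity’s report or from the BlackLock site’s code: a vulnerable path join beside a hardened resolver, plus a first-pass detection over constructed access-log lines. The document root `/srv/dls/public` and the log entries are assumptions made for this example.

```python
"""Local File Inclusion (LFI), the bug class named above: the unsafe include
pattern beside a hardened resolver, plus a first-pass log check for traversal
attempts. The document root and log lines are constructed for this example."""
import os
import re

DOC_ROOT = os.path.realpath("/srv/dls/public")  # hypothetical document root

def vulnerable_resolve(requested: str) -> str:
    """Unsafe: user input is joined straight onto the document root, so '../'
    segments and absolute paths both walk out of DOC_ROOT (the LFI bug)."""
    return os.path.realpath(os.path.join(DOC_ROOT, requested))

def escapes_root(path: str) -> bool:
    """True if an absolute, normalised path lies outside DOC_ROOT."""
    return os.path.commonpath([DOC_ROOT, path]) != DOC_ROOT

def hardened_resolve(requested: str):
    """Safe: reject absolute paths and NUL bytes, normalise the candidate and
    insist it stays under DOC_ROOT. Assumes the framework has already
    URL-decoded `requested`. Returns the absolute path or None."""
    if "\x00" in requested or os.path.isabs(requested):
        return None
    candidate = os.path.realpath(os.path.join(DOC_ROOT, requested))
    return None if escapes_root(candidate) else candidate

# Common encodings of a parent-directory step seen in request paths.
TRAVERSAL = re.compile(r"\.\./|\.\.\\|%2e%2e(?:%2f|/|%5c)|\.\.%2f", re.I)

def find_traversal_requests(log_lines):
    """Return (client, request_path) for access-log lines in the common
    log format whose request path carries a traversal sequence."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        client, path = parts[0], parts[6]
        if TRAVERSAL.search(path):
            hits.append((client, path))
    return hits

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /victims/acme/index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2025:12:00:02 +0000] "GET /view?file=../../etc/hosts HTTP/1.1" 200 230',
]
```

The hardened resolver only addresses path construction; the web server’s user should also lack read access to anything outside the document root, so a bypass still yields nothing useful.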
The collected information has been instrumental in further investigating and disrupting this cybercriminal activity. BlackLock ransomware, recognized as one of the fastest-growing strains, has targeted organizations across various sectors, including electronics, academia, religious organizations, defense, healthcare, technology, IT/MSP vendors, and government agencies. The impacted organizations are spread across multiple countries such as Argentina, Aruba, Brazil, Canada, Congo, Croatia, Peru, France, Italy, Spain, the Netherlands, the United States, the United Kingdom, and the UAE. In the fourth quarter of last year, BlackLock increased its number of data leak posts by a staggering 1,425% quarter-on-quarter.
Resecurity covertly acquired critical artifacts related to the threat actors’ network infrastructure, logs, ISPs, and the hosting providers involved. This included login timestamps and associated file-sharing accounts at MEGA, which the group used to store data stolen from victims. The compromise of BlackLock’s DLS uncovered valuable information about the threat actors and their modus operandi (MO). This information helped predict and prevent planned attacks, protecting undisclosed victims by alerting them.
Resecurity identified eight associated MEGA accounts used by the group to manage stolen victims’ data. Using the rclone utility, the actors synchronized data between DLS and the compromised environment, exfiltrating data from enterprises.
BlackLock is known as a rebranding of El Dorado ransomware. According to Resecurity, the same actors could be tied to several other prominent projects, including Mamona ransomware. Karol Paciorek from CSIRT KNF identified a possible clearnet IP of the Mamona DLS, causing panic among affiliates. Both BlackLock and Mamona ransomware went offline and are currently not available. Notably, another prominent ransomware group, DragonForce, took the lead by capitalizing on these events. Resecurity highlighted that DragonForce might take over the BlackLock affiliate base, ensuring a successful transition to new masters.
Conclusion
The identification of the LFI vulnerability in BlackLock ransomware’s DLS by Resecurity has significantly aided in disrupting cybercriminal activities. The exposure of critical network details has provided valuable insights into the threat actors’ operations, helping to predict and prevent future attacks. As ransomware threats continue to evolve, ongoing vigilance and proactive measures are essential to safeguard organizations against such cyber threats.