BlackLock ransomware onslaught: What to expect and how to fight it
BlackLock is on track to become the most active ransomware-as-a-service (RaaS) outfit in 2025, according to ReliaQuest.
Its success is primarily due to their unusually active presence and good reputation on the ransomware-focused Russian-language forum RAMP, and their aggressive recruiting of traffers (individuals that steer victims to harmful content/software), initial access brokers (IABs), and affiliates.
What is BlackLock?
BlackLock (aka El Dorado or Eldorado) cropped up in early 2024. It uses custom-built ransomware that can target Windows, VMWare ESXi, and Linux environments, but the group also exfiltrates victims’ data and threatens to publish it if the ransom isn’t paid.
Its data leak site employs tricks to prevent both victims and researchers from quickly downloading leaked files, which can help them investigate the impact BlackLock’s attacks had.
Known tactics employed by the group/its affiliates during attacks include:
- The deleting of shadow copies of files/volumes through the Windows command line
- The compromising of the highly privileged ESXi service account “vpxuser”
- Use of the pass the (NTLM) hash technique to access other hosts within the target’s networks.
And, according to ReliaQuest threat researchers, they have shown interest in leveraging Microsoft Entra Connect‘s capabilities to compromise targets’ on-premises environments without triggering traditional security controls.
“For organizations managing multiple domains under one [Entra] tenant, this tactic creates a significant risk of privilege escalation and the potential for a major breach,” they said.
What to expect?
BlackLock’s representative on RAMP forum, who goes by “$$$”, is highly active: they are making connections and building trust, engaging in chats in various forum sections, and are often reaching out to developers, initial access brokers, potential affiliates, and rival gangs.
BlackLock’s interactions with other ransomware and malware operators shows that they are willing to learn from and incorporate tools and capabilites developed by others into their attack toolkit. “Monitoring these interactions could provide early indicators of BlackLock’s malware evolution, allowing for proactive defense strategies,” the researchers noted.
Using skilled traffers and initial access brokers to get a foot into target organizations’ networks makes the job easier for the group’s affiliates, but may also point to the core RaaS group being the ones perpetrating the attacks, on occasion.
A few weeks ago, $$$ asked on RAMP for people who may be able to leverage the syncing mechanics between Active Directory and Entra ID to compromise on-premises users (as described in a post by SpecterOps’ Daniel Heinsen) to get in touch for a collaboration.
$$$ looking for users who can leverage Entra ID – Active Directory syncing mechanisms (Source: ReliaQuest)
“By exploiting synchronization flows between on-premises and cloud environments, attackers can manipulate trusted mechanisms to escalate privileges, maintain persistence, and compromise connected domains. To extend its capabilities, BlackLock will likely recruit specialists skilled in [identity and access management] systems like VMware AirWatch and Cisco Identity Services Engine. This expertise would allow BlackLock to exploit hybrid infrastructures for more sophisticated attacks,” the researchers pointed out.
With the initial access problem solved, the group seemingly has no trouble attacting enough affiliates when planning their next wave of attacks. In some cases, it takes only days to fill each available slot.
How to geat ahead of the threat?
With all these competitive advantages, it seems that BlackLock’s place at the top of the “Most active active ransomware group in 2025” list is all but guaranteed, and organizations would do well to shore up defenses against these attackers.
“In addition to foundational security measures—such as enabling multifactor authentication (MFA) and disabling Remote Desktop Protocol (RDP) on unnecessary systems—defending against BlackLock requires strategic focus on its targeted infrastructure,” the researchers noted.
To secure ESXi environments, organizations should:
- Turn off unused management services and redundant HTTPS interfaces to minimize the attack surface
- Prevent direct connections to ESXi hosts and configure them to allow management only through vCenter
- Restrict network access to ESXi hosts by use of identity-aware firewalls or strict access control lists, only allow access to them through secure jump servers or out-of-band management systems on isolated networks.
And to prevent BlackLock (and others) taking advantage of the Entra ID – Active Directory synchronization flows, the company advises hardening attribute synchronization rules, monitoring and restricting key registrations, and enforcing conditional access policies (to prevent BlackLock from registering rogue keys or performing unauthorized syncs).