Security researchers hack BlackLock ransomware gang in push back against rising threat actor
Security researchers have exploited a vulnerability in the dark web site of the BlackLock ransomware group to gather information about planned attacks.
Late in 2024, researchers at Resecurity identified a vulnerability in BlackLock’s Data Leak Site (DLS), allowing its analysts to inspect the threat group’s network infrastructure and identify specific activity logs, hosting providers, and linked MEGA accounts used to store the data of its victims.
“A successful compromise of BlackLock’s DLS allowed to uncover a trove of information about the threat actors and their Modus Operandi (MO), but more importantly, to predict and prevent some of their planned attacks and protect undisclosed victims by alerting them,” the researchers wrote.
Earlier this year, for example, Resecurity contacted the Canadian Centre for Cyber Security to share what it had learned about a planned data release from a Canada-based victim, 13 days before its publication by BlackLock.
It was able to give similar alerts to a victim in France.
All in all, Resecurity identified 46 victims in sectors including electronics, academia, religious organizations, defense, healthcare, technology, IT/MSP vendors and government agencies.
The organizations affected were based in Argentina, Aruba, Brazil, Canada, Congo, Croatia, Peru, France, Italy, Spain, the Netherlands, the US, the UK and the UAE.
Resecurity says BlackLock has likely targeted far more victims than is currently known, many of whom could currently be dealing with exploitation.
It was a misconfiguration in BlackLock’s website that gave the way in for the researchers, who were able to access clearnet IP addresses related to the ransomware group’s network infrastructure.
By exploiting a Local File Include (LFI) vulnerability, in which a user tricks an application to expose files stored on a given server, the researchers were able to gather BlackLock config files and credentials.
“The acquired history of commands was probably one of the biggest OPSEC failures of Blacklock Ransomware,” said the researchers. “The collected artifacts included copy-pasted credentials the key actor managing the server used and a detailed chronology of victims’ data publication.”
Resecurity believes that it’s done enough damage to BlackLock to make sure that it can’t recover, with its reputation among cybercriminal affiliates now critically undermined.
BlackLock was using file sharing service MEGA to store and transfer stolen data and Resecurity was able to identify eight distinct email addresses associated with the MEGA folders.
BlackLock is a new iteration of the El Dorado Ransomware group; and Resecurity also uncovered links between BlackLock and rival ransomware group DragonForce. with DragonForce appearing to have hijacked the BlackLock dark website. The researchers suggest that this might indicate some sort of cooperation or conversely a takeover by DragonForce.
“It seems DragonForce wanted to shame the group and compromise their operations to eliminate competitors. On the other hand, such tactics could also be used as a ‘false flag’ to further transition to a new project,” Resecurity said.
“It is unclear if BlackLock ransomware started cooperating with DragonForce ransomware or silently transitioned under the new ownership. The new masters likely took over the project and their affiliate base because of ransomware market consolidation, understanding their previous successors could be compromised.”
Source link
