Friday, February 21, 2025

BlackLock ransomware emerges as major threat in cyber landscape

BlackLock has ascended to become the seventh most active ransomware group

  • BlackLock is committed to crafting custom malware, setting it apart from rival gangs that typically utilise leaked builders from established ransomware such as Babuk or LockBit.
  • BlackLock targets victims by encrypting and exfiltrating data, thereafter compelling victims to comply with payment demands through the threat of public disclosure.
  • Its ransomware exhibits functionality across multiple operating systems, including Windows, VMware ESXi, and Linux; however, the Linux variant lacks the robustness characteristic of the Windows version.

The rise of BlackLock ransomware, first identified in March 2024, marks a notable shift in the ransomware-as-a-service (RaaS) landscape.

With an astonishing surge of 1,425 per cent in activity during the last quarter of 2024, as reported by the cybersecurity firm ReliaQuest, BlackLock has ascended to become the seventh most active ransomware group. Its trajectory suggests the potential to emerge as the most formidable ransomware entity in 2025.

One of the most distinctive features of BlackLock is its commitment to crafting custom malware, setting it apart from rival gangs that typically utilise leaked builders from established ransomware such as Babuk or LockBit. This strategic choice not only enhances the efficacy of its attacks but also complicates defense efforts.

The custom nature of BlackLock’s malware keeps researchers on the back foot, limiting their ability to analyse, deconstruct, and mitigate the threat until the malware’s source code is compromised.

Double extortion tactics

Employing double extortion tactics, BlackLock targets victims by encrypting and exfiltrating data, thereafter compelling victims to comply with payment demands through the threat of public disclosure.

Its ransomware exhibits functionality across multiple operating systems, including Windows, VMware ESXi, and Linux; however, the Linux variant lacks the robustness characteristic of the Windows version.

A significant component of BlackLock’s operational strategy is its use of a tailored leak site, distinctive in its design to amplify pressure on victims. The site features navigation elements intended to obscure the scope of breaches, thereby pushing organizations toward expedited ransom payments without full situational awareness.

This aspect of their strategy underscores a calculated approach to maximizing financial gain from their victims.

BlackLock’s recruitment methods further illustrate its rapid expansion. The group actively engages on the RAMP cybercriminal forum, recruiting affiliates and essential operatives—termed traffers—who facilitate initial stages of ransomware attacks.

The urgency displayed in recruitment for traffers emphasizes the gang’s need for rapid operational scaling, contrasting with the more clandestine nature of higher-level recruitment where the selection process is meticulous and compensation offers are more substantial.

The emergence of recruitment posts corresponding with significant attack waves suggests a well-coordinated operational strategy, indicative of BlackLock’s adaptive approach to cybercrime.

This alignment of recruitment and operational timing may enhance their attack efficacy, allowing them to exploit vulnerabilities as they arise in the cybersecurity landscape.
