BlackLock Leads Ransomware Attacks with 48 Strikes in Two Months

The BlackLock group is rapidly emerging as a leader among ransomware operators using the RaaS (Ransomware-as-a-Service) model. According to research by DarkAtlas, BlackLock is not only increasing the scale of its attacks but also demonstrating unprecedented flexibility in its tactics, making it especially dangerous for a variety of industries.

Back in 2024, BlackLock—also known as Eldorado—began actively targeting organizations, implementing advanced encryption techniques and exploiting vulnerabilities in critical systems. By 2025, it had already been recognized as one of the most active groups, with 48 attacks on major companies and government agencies recorded in the first two months of the year.

Shifting Targets and Strategic Priorities

The construction and technology sectors have been hit the hardest, indicating a shift in BlackLock’s strategic priorities. DarkAtlas analysts note that the attackers are increasingly focusing on complex organizations with high-value assets, aiming to inflict maximum damage with minimal effort.

Signature Attack Methods

Many attacks involve a ransomware variant that renames files with random strings and adds arbitrary extensions. Victims receive a note titled “HOW_RETURN_YOUR_DATA.TXT” with ransom instructions. This approach has become BlackLock’s calling card, along with publishing victim data on their leak site to increase pressure.
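The two file-system indicators described above (the ransom note name and mass renaming to random stems with arbitrary extensions) can be hunted for on a file share. The following is an added example written for this page, not code from DarkAtlas or the original article: only the note name HOW_RETURN_YOUR_DATA.TXT is taken from the text; the entropy threshold, the extension allowlist, the per-directory alert ratio and the sample listing are constructed assumptions.

```python
"""Hunt for BlackLock-style ransomware indicators in a file listing.

Added example, not from DarkAtlas or the original article. Assumptions:
the ransom note name comes from the article; the entropy threshold, the
extension allowlist, the directory ratio and the sample listing are
constructed for illustration.
"""
import math
from collections import Counter, defaultdict
from pathlib import PurePosixPath

RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"  # note name reported in the article

# Constructed allowlist of extensions normally found on a file share;
# anything outside it is treated as an "arbitrary" extension.
KNOWN_EXTENSIONS = {".txt", ".pdf", ".docx", ".xlsx", ".pptx",
                    ".jpg", ".png", ".csv", ".zip"}

MIN_STEM_LEN = 8           # constructed: shorter names are too often legitimate
MIN_ENTROPY_BITS = 3.0     # constructed: a random 12-char stem scores ~3.58
DIR_RATIO_THRESHOLD = 0.3  # constructed: share of renamed files that flags a dir


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_renamed(path: str) -> bool:
    """True when the name looks like <random alphanumeric stem>.<unknown ext>."""
    p = PurePosixPath(path)
    stem, ext = p.stem, p.suffix.lower()
    if not ext or ext in KNOWN_EXTENSIONS:
        return False
    if len(stem) < MIN_STEM_LEN or not stem.isalnum():
        return False
    return shannon_entropy(stem) >= MIN_ENTROPY_BITS


def is_ransom_note(path: str) -> bool:
    """Case-insensitive match on the ransom note file name."""
    return PurePosixPath(path).name.upper() == RANSOM_NOTE


def hunt(listing):
    """Group a path listing by directory and decide which directories to alert on.

    A directory alerts if it contains the ransom note, or if the share of
    randomly renamed files reaches DIR_RATIO_THRESHOLD.
    """
    per_dir = defaultdict(lambda: {"total": 0, "notes": [], "renamed": []})
    for path in listing:
        entry = per_dir[str(PurePosixPath(path).parent)]
        entry["total"] += 1
        if is_ransom_note(path):
            entry["notes"].append(path)
        elif looks_renamed(path):
            entry["renamed"].append(path)
    for entry in per_dir.values():
        ratio = len(entry["renamed"]) / entry["total"]
        entry["alert"] = bool(entry["notes"]) or ratio >= DIR_RATIO_THRESHOLD
    return dict(per_dir)


def alerting_directories(listing):
    """Sorted list of directories that hunt() flagged."""
    return sorted(d for d, e in hunt(listing).items() if e["alert"])


# Constructed sample listing: a partially encrypted Finance share next to an
# untouched HR share. In practice this would come from os.walk or an EDR query.
SAMPLE_LISTING = [
    "C:/Shares/Finance/Q1_report.xlsx",
    "C:/Shares/Finance/invoices_2025.pdf",
    "C:/Shares/Finance/HOW_RETURN_YOUR_DATA.TXT",
    "C:/Shares/Finance/x9Qm2LpTz7vK.9aQx",
    "C:/Shares/Finance/bR4tY8wN1sEc.mZ3k",
    "C:/Shares/Finance/hJ7kP3dV5nQa.lw2e",
    "C:/Shares/HR/handbook.docx",
    "C:/Shares/HR/photo_team.jpg",
]

if __name__ == "__main__":
    for directory, entry in hunt(SAMPLE_LISTING).items():
        status = "ALERT" if entry["alert"] else "ok"
        print(f"{status:5} {directory}: notes={len(entry['notes'])} "
              f"renamed={len(entry['renamed'])}/{entry['total']}")
```

The note-name match is the high-confidence signal; the entropy heuristic is there to catch the renaming before a note is dropped, and the per-directory ratio keeps a single odd file name from raising an alert on its own. Thresholds should be tuned against a baseline of the environment's real file names before this is used in production.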

Recruitment and Group Structure

The group actively recruits so-called “traffers”—specialists in driving malicious traffic and initial infrastructure breaches. Meanwhile, the recruitment of high-level developers is conducted more discreetly, indicating strict internal control and segmentation within the group.

Technical Foundation and Capabilities

BlackLock, having inherited tools from Eldorado, uses the Go programming language to create cross-platform malware. For encryption, it employs a combination of ChaCha20 and RSA-OAEP, ensuring fast and stable operation on both Windows and Linux servers. The malware adapts to network specifics and requires domain administrator access or an NTLM hash to generate a unique ransomware build for each victim.

Potential Overlap with Hacktivism

Some attacks suggest a possible overlap between cybercriminal and hacktivist interests. Amid rising geopolitical tensions, these threats are increasingly used as tools of influence against strategically important infrastructure sectors.

Supply Chain Risks and Government Targets

IT providers are also at risk, as they can serve as entry points for further supply chain attacks. According to DarkAtlas, about 25% of attacks targeted government agencies, where BlackLock used not only ransomware but also destructive wipers.

Communication Channels and Ongoing Threats

Researchers are paying special attention to the group’s communication channel—a Telegram account called “Mamona R.I.P,” which is believed to be used for coordinating operations and communicating with affiliated members.

The BlackLock threat goes beyond typical attacks. Even if the group eventually changes its name or ceases operations, its infrastructure and methods are likely to form the basis for new generations of cyber threats. As RaaS platforms make malicious tools more accessible, every organization must consider these new risks and update their security strategies accordingly.
