BlackLock, a rising Ransomware-as-a-Service (RaaS) group, has seen explosive growth since its initial detection in March 2024, leading to a warning of its potential to become the most active ransomware group by 2025. Utilizing double extortion methods and custom-built malware, BlackLock has targeted numerous sectors with unique strategies to avoid detection. Affected: organizations, cybercriminal forums, VMWare ESXi environments
Keypoints :
- BlackLock first observed in March 2024, rapidly emerging in the ransomware landscape.
- Ranked 7th on data-leak sites by Q4 2024 with 1,425% increase in activity from Q3.
- Utilizes double extortion tactics by encrypting data and stealing sensitive information.
- Custom-built malicious software differentiates it from competitors using leaked ransomware builders.
- Engages actively on ransomware-focused forums to recruit affiliates, IABs, and technical specialists.
- Employs unique functionalities in its data-leak sites to obstruct researchers and heighten pressure on victims.
- Identified a potential pivot towards targeting Microsoft Entra Connect for future attacks.
MITRE Techniques :
- TA0005: T1708.001 – Default Accounts: Detection of potential compromise of the ESXi service account “vpxuser” based on unusual authentication requests.
- TA0005: T1070.004 – File Deletion: Detection rule to identify the deletion of shadow copies via command line, aimed at preventing recovery and enforcing ransom payments.
- TA0005: T1500.002 – Pass the Hash: Detection of lateral movement using Pass-the-Hash techniques within networks.
Indicator of Compromise :
- [Hash Type] N/A
- [Domain] RAMP Forum (discussion platform)
- [URL] N/A
- [IP Address] N/A
- [Email Address] N/A
Views: 10
简体中文
Nederlands
Français
Bahasa Indonesia
日本語
Português