A cybersecurity vendor has made a rare admission of breaking into the infrastructure of a notorious ransomware gang, aiding national agencies in protecting victims from imminent data leaks. Resecurity announced that it played a crucial role in the recent downfall of the BlackLock ransomware group, which operated primarily on the dark web.
In a blog post, Resecurity revealed that it discovered and exploited a vulnerability in BlackLock’s TOR-based data leak site (DLS) during the holiday season of 2024. This included finding a misconfiguration that allowed access to web server data, essential configuration files, and even credentials linked to the gang’s operations. The findings led to the immediate shutdown of the group’s website, a significant win in the ongoing battle against cybercrime.
Among the critical data collected was a command history belonging to one of BlackLock’s operators, identified by the alias ‘$$$’. This acute operational security failure provided insight into the gang’s methodologies and into the numerous email accounts it used for operations, including abuse of the popular cloud storage service Mega.
Resecurity’s proactive measures allowed it to warn victims, including a legal service provider in France, just days before the gang’s planned data leak. Similar warnings were issued to a Canadian entity, enabling both victims to prepare for the impending exposure. The intelligence sharing demonstrates a collaborative effort among cybersecurity practitioners to counteract the rampant threat posed by ransomware groups.
Attribution efforts by Resecurity suggest that the BlackLock group is potentially operating out of Russia or China, a conclusion supported by forum communications and IP address analysis. Additionally, Resecurity’s researcher managed to communicate with ‘$$$’ under the guise of a fellow cybercriminal, hinting at a deeper infiltration than previously thought.
In a notable twist, the article also reported that another ransomware organization, DragonForce, claimed responsibility for the defacement of BlackLock’s DLS. Critics have questioned whether this defacement was a legitimate takeover or a deceptive maneuver orchestrated in coordination with ‘$$$’. Such developments suggest a complex web of alliances and rivalries within the ransomware ecosystem.
The cybersecurity landscape continues to evolve, with entities like Resecurity stepping up to not only expose vulnerabilities but also defend against attacks through preventative intelligence sharing. The recent incident acts as a reminder of the importance of remaining vigilant in the face of increasingly sophisticated cyber threats.