Full Report
In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process. Resecurity said it identified a security vulnerability in the data leak site (DLS) operated by the e-crime group that made it possible to extract
Analysis Summary
# Incident Report: Exposure of BlackLock Ransomware Infrastructure via DLS Vulnerability
## Executive Summary
Threat researchers discovered a critical misconfiguration vulnerability within the BlackLock Ransomware group's data leak site (DLS), allowing them to infiltrate the group's infrastructure. This discovery exposed configuration files, operational credentials, and a history of executed commands, representing a major operational security failure for the ransomware gang. The incident primarily involved the exposure of the threat actors' internal network details rather than an attack on a specific victim organization.
## Incident Details
- Discovery Date: March 29, 2025 (Implied date of publication/discovery)
- Incident Date: Prior to March 29, 2025
- Affected Organization: BlackLock Ransomware Group Infrastructure (Data Leak Site/Operations)
- Sector: Cybercrime Infrastructure
- Geography: Victims targeted globally; clearnet IP addresses linked to the group's Tor services were exposed.
## Timeline of Events
### Initial Access
- Date/Time: Undisclosed, leading up to March 29, 2025
- Vector: Exploitation of a Local File Inclusion (LFI) vulnerability on the BlackLock Data Leak Site (DLS).
- Details: The LFI bug allowed threat hunters to perform a path traversal attack, tricking the web server into leaking sensitive internal information.
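As an added illustration of how a defender would look for the kind of path traversal attempts described above in their own web server logs (example code written for this report, not Resecurity's tooling; the access-log lines are constructed and the `page` parameter is hypothetical), the detector below URL-decodes each request target, including double-encoded variants, before checking for `..` segments:

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not taken from the report.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [29/Mar/2025:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [29/Mar/2025:10:01:10 +0000] "GET /index.php?page=../../../config/site.conf HTTP/1.1" 200 1024 "-" "curl/8.0"
10.0.0.9 - - [29/Mar/2025:10:01:12 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fconfig%2fdb.yml HTTP/1.1" 403 0 "-" "curl/8.0"
10.0.0.9 - - [29/Mar/2025:10:01:15 +0000] "GET /index.php?page=%252e%252e%252fconfig%252fapp.env HTTP/1.1" 200 2048 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<bytes>\d+|-)"
)
# A ".." segment bounded by a path separator, the start of the string, or a query delimiter.
TRAVERSAL = re.compile(r"(?:^|[/\\=&?])\.\.(?:[/\\]|$)")


def decode_target(target: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded sequences such as %252e resolve."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per request whose decoded target contains a traversal sequence."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        decoded = decode_target(m["target"])
        if TRAVERSAL.search(decoded):
            # "served" is True for a 2xx answer, i.e. the server did not reject the request
            findings.append({"ip": m["ip"], "served": m["status"].startswith("2"), "decoded_target": decoded})
    return findings


def summarize_by_source(findings: list) -> dict:
    """Aggregate traversal attempts and 2xx responses per source IP for triage."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["ip"], {"attempts": 0, "served": 0})
        entry["attempts"] += 1
        entry["served"] += int(f["served"])
    return summary
```

A source with served attempts is the one to investigate first, since a 2xx on a traversal request is exactly the misconfiguration this incident turned on.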
### Lateral Movement
- Not applicable: no victim organization's internal network was involved; the breach was of the attacker's own infrastructure.
### Data Exfiltration/Impact
- Configuration files, operator credentials, and the history of commands executed on the server were successfully extracted by researchers. Clearnet IP addresses related to the group's Tor-based network infrastructure were also disclosed.
### Detection & Response
- **Detection:** Resecurity identified the security vulnerability in the DLS.
- **Response Action (By Researchers):** Researchers extracted and analyzed the sensitive configuration and command history data. (No response by the affected entity, the ransomware group itself, is detailed.)
## Attack Methodology
- **Initial Access:** Exploitation of a Local File Inclusion (LFI) flaw on the DLS.
- **Persistence:** N/A (Focus is on infrastructure compromise, not typical endpoint persistence).
- **Privilege Escalation:** N/A (Exploited a pre-existing web server misconfiguration).
- **Defense Evasion:** N/A (Focused on exploiting a configuration error impacting the DLS security).
- **Credential Access:** Operator credentials were among the exposed configuration files.
- **Discovery:** Researchers used the LFI exploit to map out backend infrastructure details, including clearnet IPs hosting Tor services.
- **Lateral Movement:** N/A
- **Collection:** Extraction of configuration files, command history, and service information from the compromised DLS server.
- **Exfiltration:** Data was exfiltrated by the researchers who exploited the internal vulnerability.
- **Impact:** Operational security failure for BlackLock; public exposure of tools/methods, including the use of Rclone and MEGA storage for victim data exfiltration.
## Impact Assessment
- **Financial:** Not available for the breach itself; BlackLock heavily targets the finance sector.
- **Data Breach:** Exposure of BlackLock's internal operational documents, credentials, and infrastructure mapping.
- **Operational:** Severe operational security (OPSEC) failure for the BlackLock group, exposing their methods and infrastructure setup.
- **Reputational:** Significant reputational damage to the BlackLock group due to the exposure of their internal workings.
## Indicators of Compromise
- **Network indicators:** Disclosure of clearnet IP addresses associated with the BlackLock network infrastructure behind Tor hidden services.
- **File indicators:** Exposed configuration files; the ransomware's source code also shows similarities with DragonForce (though BlackLock is written in Go and DragonForce in Visual C++).
- **Behavioral indicators:** Discovery of the use of the Rclone utility to exfiltrate data to the MEGA cloud storage service, often installing the MEGA client directly on victim systems.
## Response Actions
- **Containment (Conceptual/By Researchers):** The exploit was used to gain access and extract data.
- **Eradication (Conceptual/By Researchers):** The vulnerability disclosure effectively "neutralized" the secrecy of the group's DLS configuration.
- **Recovery (Conceptual):** The focus was on publicizing the findings to warn the security community about BlackLock's operations.
## Lessons Learned
- **OPSEC Failure:** The most significant lesson is the severe operational risk associated with misconfigurations on public-facing infrastructure used by threat actors (Data Leak Sites).
- **Tooling Insight:** Confirmed BlackLock's use of Rclone and MEGA cloud storage for data exfiltration, frequently using disposable email services like YOPmail for account setup.
- **Ransomware Lineage:** Confirmed BlackLock is a rebranded version of the Eldorado group and shows code similarities to the DragonForce strain.
## Recommendations
- Security teams should audit their public-facing web services for critical misconfigurations such as weak path traversal controls (LFI vulnerabilities); the BlackLock DLS shows how a single such flaw exposes the operator's own configuration, credentials, and command history.
- Organizations should assume that ransomware groups use cloud storage services such as MEGA for exfiltration and monitor network traffic for Rclone usage patterns.
- Review security posture against affiliate-based initial access, as BlackLock was observed using other actors to facilitate initial access via malicious pages.
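An added example, not from the report or from Resecurity, of the Rclone-to-MEGA monitoring recommended above, run over constructed proxy log lines. The rclone User-Agent format (`rclone/v<version>`) and the MEGA domain suffixes are assumptions, and the byte threshold is a placeholder to tune per environment.

```python
import csv
import io
import re
from collections import defaultdict

# Assumptions (not from the report): rclone's default User-Agent looks like
# "rclone/v1.65.0", and MEGA traffic goes to hosts under mega.nz / mega.co.nz.
# The User-Agent is trivially changeable, so upload volume to MEGA is kept as a
# second, independent signal.
RCLONE_UA = re.compile(r"\brclone/v\d+\.\d+")
UPLOAD_THRESHOLD_BYTES = 500 * 1024 * 1024  # placeholder: 500 MiB per source per log window

# Constructed sample proxy log (CSV); hostnames are made up for the demonstration.
SAMPLE_PROXY_LOG = """\
ts,src_ip,dst_host,method,bytes_out,user_agent
2025-03-29T02:10:01Z,10.1.4.22,api-node.mega.co.nz,POST,4096,rclone/v1.65.0
2025-03-29T02:10:05Z,10.1.4.22,storage-node.mega.co.nz,POST,734003200,rclone/v1.65.0
2025-03-29T02:11:00Z,10.1.4.22,storage-node.mega.co.nz,POST,83886080,rclone/v1.65.0
2025-03-29T02:12:00Z,10.1.7.9,mega.nz,GET,512,Mozilla/5.0
2025-03-29T02:13:00Z,10.1.9.3,updates.example.com,GET,1024,rclone/v1.65.0
2025-03-29T02:14:00Z,10.1.2.2,www.example.com,GET,2048,Mozilla/5.0
"""


def is_mega_host(host: str) -> bool:
    """Exact or subdomain match against the assumed MEGA domains (case-insensitive)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ("mega.nz", "mega.co.nz"))


def analyze_proxy_log(csv_text: str) -> dict:
    """Flag sources using rclone against MEGA and sources pushing large volumes to MEGA."""
    mega_bytes = defaultdict(int)   # bytes sent to MEGA, per source IP
    rclone_sources = set()          # every source seen with an rclone User-Agent
    rclone_to_mega = set()          # sources where both signals coincide on one request
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, host, ua = row["src_ip"], row["dst_host"], row["user_agent"]
        is_rclone = bool(RCLONE_UA.search(ua))
        is_mega = is_mega_host(host)
        if is_rclone:
            rclone_sources.add(src)
        if is_mega:
            mega_bytes[src] += int(row["bytes_out"])
        if is_rclone and is_mega:
            rclone_to_mega.add(src)
    alerts = [(src, "rclone user-agent seen talking to MEGA") for src in sorted(rclone_to_mega)]
    alerts += [(src, f"{total} bytes sent to MEGA exceeds threshold")
               for src, total in sorted(mega_bytes.items()) if total >= UPLOAD_THRESHOLD_BYTES]
    return {"alerts": alerts, "rclone_sources": sorted(rclone_sources), "mega_upload_bytes": dict(mega_bytes)}
```

A host that trips both alerts, as 10.1.4.22 does here, matches the Rclone-plus-MEGA pattern attributed to BlackLock and should be isolated and checked for a locally installed MEGA client.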