Full Report
DarkAtlas researchers have uncovered a direct link between BlackLock and the Eldorado ransomware group, confirming a rebranded identity of the notorious threat actor.
Analysis Summary
# Threat Actor: BlackLock (Rebrand of Eldorado)
## Attribution & Identity
* **Identification:** Threat actor confirmed to be a rebranded version of the notorious ransomware group **Eldorado**.
* **Associated Groups:** Eldorado (predecessor).
* **Operations Model:** Operates as a Ransomware-as-a-Service (RaaS) operation.
## Activity Summary
* BlackLock emerged after the original Eldorado group faced increased scrutiny from law enforcement and security experts, continuing its operations under the new moniker.
* In the first two months of 2025, BlackLock executed 48 attacks.
* They have been observed utilizing both ransomware and destructive wipers against government agencies.
## Tactics, Techniques & Procedures
* **Flexibility:** Operates with a high degree of flexibility, making tactics difficult to anticipate.
* **Ransomware Execution:** Encrypts files and renames them using randomized extensions.
* **Ransom Note:** Delivers a ransom note titled "HOW_RETURN_YOUR_DATA.TXT".
* **Speed:** Employs fast encryption speeds to maximize disruption.
* **Specific TTPs:** Use of ransomware and destructive wipers against government agencies.
* **Communication:** Identified on encrypted messaging platforms for communication.
## Targeting
* **Sectors:** Construction and Real Estate firms were the most impacted sectors. Multiple other sectors were also affected.
* **Geography:** Not explicitly detailed, but global operations implied by the nature of RaaS.
* **Victims:** Government agencies were targeted with both ransomware and wipers.
## Tools & Infrastructure
* **Malware Families Used:** BlackLock Ransomware.
* **Infrastructure:** Communication noted on encrypted messaging platforms. (No specific C2 domains/IPs were identified in the provided context).
## Implications
BlackLock represents a persistent and adaptive threat, successfully evading disruption by rebranding from Eldorado. Their use of fast encryption and targeting high-value sectors (including government) indicates a high operational tempo focused on maximizing financial impact and organizational disruption.
## Mitigations
* Implement robust defenses against ransomware, focusing on rapid detection and remediation due to their fast encryption speeds.
* Monitor indicators related to the communication channels used by the group (encrypted messaging platforms).
* Ensure comprehensive backups and offline recovery plans, especially for high-value sectors like construction, real estate, and government.
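The rapid-detection mitigation above can be grounded in the two file-system artifacts the TTP section reports: the "HOW_RETURN_YOUR_DATA.TXT" note and a burst of files renamed with randomized extensions. The following Python is an added example written for this page, not DarkAtlas code or anything recovered from the actor; the sample paths, the extension allowlist and the entropy and count thresholds are constructed assumptions to be tuned per environment.

```python
import math
import ntpath  # parses Windows-style paths on any host OS
from collections import Counter, defaultdict

# Ransom note filename reported for BlackLock in the analysis above.
RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"

# Assumed allowlist of ordinary extensions; extend with what your estate actually uses.
KNOWN_EXTENSIONS = {
    "txt", "docx", "xlsx", "pdf", "jpg", "png", "csv", "log", "zip", "exe", "dll", "ini",
}

def shannon_entropy(s: str) -> float:
    """Bits per character; random alphanumeric strings score close to log2(len)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_randomized(ext: str) -> bool:
    """Heuristic for the randomized extensions appended after encryption (assumed thresholds)."""
    ext = ext.lower()
    if ext in KNOWN_EXTENSIONS or len(ext) < 6:
        return False
    return ext.isalnum() and shannon_entropy(ext) >= 2.5

def scan_paths(paths, rename_threshold=3):
    """Return per-directory findings: note present and/or a burst of randomized renames."""
    per_dir = defaultdict(lambda: {"note": False, "renamed": 0})
    for p in paths:
        directory, name = ntpath.split(p)
        if name.upper() == RANSOM_NOTE:
            per_dir[directory]["note"] = True
            continue
        _, dot, ext = name.rpartition(".")
        if dot and looks_randomized(ext):
            per_dir[directory]["renamed"] += 1
    return {d: f for d, f in per_dir.items() if f["note"] or f["renamed"] >= rename_threshold}

# Constructed sample listing (not from a real incident): one share hit, one user folder untouched.
SAMPLE_PATHS = [
    r"C:\Shares\Finance\HOW_RETURN_YOUR_DATA.TXT",
    r"C:\Shares\Finance\q1_budget.xlsx.7fk3q9zx",
    r"C:\Shares\Finance\invoices.pdf.m2p8vdla",
    r"C:\Shares\Finance\contracts.docx.x9qa41ct",
    r"C:\Shares\Finance\README.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Documents\photo.jpg",
]

if __name__ == "__main__":
    for directory, finding in scan_paths(SAMPLE_PATHS).items():
        print(f"ALERT {directory}: note={finding['note']} renamed={finding['renamed']}")
```

Feed it a file listing from a file-server audit or EDR telemetry; the note alone is a high-confidence hit, while the rename count catches encryption in progress before the note is written.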