BlackLock is a new ransomware-as-a-service (RaaS) group that has stepped up its attacks and could become 2025's most prominent RaaS operation. According to ReliaQuest's Threat Spotlight, the group was first observed in March 2024 under the name El Dorado and rebranded as BlackLock at the end of 2024. BlackLock became a major participant in the RaaS ecosystem after a recruitment drive in May 2024 to bring in new affiliates. At the end of December 2024, BlackLock was the 7th most prevalent ransomware variant; by January 2025 it had risen to 5th, increasing the number of posts on its data leak site by 1,425%.
An actor using the handle $$$ on the ransomware-focused forum RAMP has been central to building the group's reputation. BlackLock is now more prominent on RAMP than other groups such as Lynx, RansomHub, and Dragonforce. In January 2025, BlackLock ranked 3rd by number of posts on RAMP, with 9X as many posts as RansomHub, currently the most popular ransomware group.
Ransomware groups typically use RAMP to recruit new affiliates for their campaigns, and through extensive connections on RAMP, BlackLock has gained a favorable standing in the ransomware community. Its RAMP activity has allowed the group to recruit not only affiliates to carry out attacks, but also developers, traffers (people who steer users toward malicious content such as malware), and initial access brokers (IABs), roles that groups like Lynx, RansomHub, and Dragonforce do not recruit for on RAMP. As ReliaQuest notes, some RaaS groups depend on their affiliates to obtain initial access to victims' systems. By recruiting traffers and IABs directly, BlackLock can conduct attacks without relying on any affiliate. The researchers say this aggressive recruitment approach helps explain the group's rapid rise in prominence in 2024.
Like other RaaS groups, BlackLock uses double extortion, stealing data in addition to encrypting files, and then threatens to leak the stolen data to pressure victims into paying the ransom. Unlike many RaaS groups, which rely on leaked ransomware builders, BlackLock develops its own malware. Leaked builders are simple to use, but they also make it much easier for security researchers to obtain and reverse engineer the code and find weaknesses; custom malware is harder for researchers to analyze. ReliaQuest further notes that BlackLock's data leak site is unusual in that it was designed to prevent researchers and victims from downloading the leaked data. ReliaQuest believes this is likely intended to push victims into paying the ransom quickly, before they can assess the extent of the data theft.
Although the group does not appear to target healthcare organizations directly, judging by the current listings on its data leak site, the site does include companies that may provide services to healthcare organizations. It is unclear what direction the group will take next. One likely tactic is attacking Microsoft Entra Connect: BlackLock has shown interest in abusing Entra Connect's functionality to compromise victims' on-premises environments without triggering security alerts.
BlackLock has rapidly scaled up its operations, targeting organizations across a range of industries and geographies. If its current pace continues, it could become 2025's most active ransomware group. Healthcare organizations are advised to implement HIPAA encryption as one safeguard against ransomware attacks.
Image credit: Suttipun, AdobeStock