Security researchers have reported on one of the fastest-growing and most formidable Ransomware-as-a-Service (RaaS) groups of 2025. Named “BlackLock” (aka El Dorado or Eldorado), the RaaS outfit has existed since March 2024, according to ReliaQuest, and increased its number of data leak posts by an impressive 1425% quarter-on-quarter in Q4 of last year.
The threat intelligence vendor claimed that BlackLock could become the most active RaaS group in 2025. Like many other variants, it uses double extortion tactics and targets Windows, VMware ESXi, and Linux environments, but other characteristics set it apart.
These include:
- Custom-built malware, rather than leaked Babuk or LockBit builds, which makes it harder for researchers to analyze.
- Several data leak site features aimed at blocking researchers and organizations from downloading stolen data, including query detection and bogus file responses. If victim organizations can’t assess the scope of their breaches, they will feel more pressure to pay a ransom, said ReliaQuest.
- A massive volume of activity on the RAMP forum, with nine times more posts than second-placed RansomHub as of January 2025. This indicates closer collaboration with affiliates, developers, and initial access brokers (IABs), among other things.
- The group works with trusted IABs to speed up attacks for affiliates, although it may also directly compromise some victims.
ReliaQuest’s research also revealed that, while most RaaS operators delegate early-stage tasks to affiliates, BlackLock likes maintaining control, which has likely helped fuel its rapid rise. “BlackLock actively recruits key players, known as traffers, to support the early stages of ransomware attacks. These individuals drive malicious traffic, steer victims to harmful content, and help establish initial access for campaigns. Recruitment posts for traffers explicitly outline requirements, signaling BlackLock’s urgency to bring on candidates quickly, often prioritizing speed over operational security,” the report explained. “In contrast, posts seeking higher-level developer and programmer roles are far more discreet, with details and resumes shared privately instead. These roles likely involve greater trust, higher compensation, and long-term commitment, making the recruitment process more delicate.”
ReliaQuest warned that the group may exploit Microsoft Entra Connect synchronization mechanics to compromise on-premises environments in 2025. It urged organizations using the feature to harden attribute synchronization rules, monitor and restrict key registrations, and enforce conditional access policies.
Other best practice advice for network defenders includes enabling multi-factor authentication (MFA), disabling Remote Desktop Protocol (RDP) on unnecessary systems, configuring ESXi hosts to enable strict lockdown mode, restricting network access, and disabling other unnecessary services (e.g., SNMP, vMotion).
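The ESXi hardening points above (strict lockdown mode, SNMP off, vMotion only where needed) can be audited from VMware PowerCLI. The script below is an added example written for this page, not code from ReliaQuest or the article; it assumes an existing Connect-VIServer session, a host name passed as $HostName, and that the host's vMotion adapters are genuinely unnecessary before you opt in with -Remediate.

```powershell
# Added example: audit one ESXi host against the hardening advice above.
# Assumes Connect-VIServer has already been run. Reports only, unless -Remediate is given.
param(
    [Parameter(Mandatory)] [string] $HostName,
    [switch] $Remediate
)

$vmhost   = Get-VMHost -Name $HostName
$findings = @()

# 1. Lockdown mode is exposed through the vSphere API's HostAccessManager object.
#    'lockdownStrict' disables the DCUI as well as direct SSH/API access.
$ham = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
if ($ham.LockdownMode -ne 'lockdownStrict') {
    $findings += "Lockdown mode is '$($ham.LockdownMode)', expected 'lockdownStrict'"
    if ($Remediate) { $ham.ChangeLockdownMode('lockdownStrict') }
}

# 2. SNMP is the host service with key 'snmpd'; it should be stopped and
#    its startup policy set to Off so it does not return after a reboot.
$snmp = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'snmpd' }
if ($snmp.Running -or $snmp.Policy -ne 'off') {
    $findings += "SNMP service running=$($snmp.Running) policy=$($snmp.Policy)"
    if ($Remediate) {
        if ($snmp.Running) { Stop-VMHostService -HostService $snmp -Confirm:$false | Out-Null }
        Set-VMHostService -HostService $snmp -Policy Off | Out-Null
    }
}

# 3. vMotion is a per-VMkernel-adapter setting, not a service. Flag every
#    adapter that has it enabled; disable only when -Remediate is given.
$vmks = Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel | Where-Object { $_.VMotionEnabled }
foreach ($nic in $vmks) {
    $findings += "vMotion enabled on $($nic.Name) ($($nic.IP))"
    if ($Remediate) {
        Set-VMHostNetworkAdapter -VirtualNic $nic -VMotionEnabled:$false -Confirm:$false | Out-Null
    }
}

if ($findings.Count -eq 0) { "$HostName: no findings" }
else { $findings | ForEach-Object { "$HostName: $_" } }
```

Run it without -Remediate first across the fleet and review the findings, since strict lockdown mode and disabled vMotion change how administrators and DRS can reach the host.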
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com