Ransomware Strikes
Ransomware Is On The Rise
The bad news is that the ransomware threat has not gone away despite successful law enforcement disruption of leading criminal operators such as LockBit during 2024, and the FBI has just issued an urgent security advisory regarding one notorious cybercrime actor. The good news is that while the threat from ransomware actors is growing, it’s growing relatively slowly. A Jan. 31 analysis had reported attack incidents rising by 15% from 2023 to 2024, but a Feb. 20 Symantec Threat Hunter report shows much slower growth of just 3%. The conclusion to be drawn is the same, whatever number you prefer, and that’s that ransomware is here to stay. One particular ransomware group, however, is proving more problematic than most in terms of growth. According to a Feb. 18 Reliaquest analysis, BlackLock has grown more than any other, with a whopping 1,425% increase in activity since the third quarter of 2024.
What You Need To Know About The BlackLock Ransomware Threat
The Reliaquest security analysts have predicted that, if the current trajectory continues, BlackLock will become the most active ransomware player during 2025. Given that it has been observed targeting enterprises across a broad range of sectors and geographies, that could prove very problematic indeed. By analyzing the activity of the group and its primary spokesperson, who goes by $$$ (yes, really), on underground crime forums, alongside communication and infrastructure intelligence, Reliaquest was able to reveal the features that set BlackLock apart from the crowd in what is a very competitive criminal landscape.
Features That Set BlackLock Apart
One of these was the way that BlackLock protects its data-leak site from researchers and victims looking to download exfiltrated data and assess the scope of any breach incident. Send too many GET requests and it will stop sending responses; automated or frequent data download attempts are met with files empty of anything but contact details. “A technique we’d never seen before,” the researchers said, “likely designed to frustrate investigators, forcing them to manually download files one by one.” Such roadblocks are used to good effect to ramp up the pressure on target organizations to pay up quickly, before they have had a chance to properly evaluate the reach of the incident.
Recruitment of Key Players
BlackLock also actively recruits key players, referred to as “traffers,” to assist with the early stages of any ransomware attack. Through adverts and posts by the aforementioned $$$, these associates are engaged to “drive malicious traffic, steer victims to harmful content, and help establish initial access for campaigns.” Emphasizing a desire for growth over operational security concerns could prove problematic as BlackLock comes to the attention of the FBI and others. “In contrast,” the researchers said, “posts seeking higher-level developer and programmer roles are far more discreet, with details and resumes shared privately instead.”
Mitigating The BlackLock Ransomware Threat
- Disable unnecessary services—turn off unused management services such as vMotion, Simple Network Management Protocol (SNMP), and redundant HTTPS interfaces to minimize attack surfaces.
- Enable strict lockdown mode—to complicate BlackLock’s ability to exploit weak interfaces, configure ESXi hosts to allow management exclusively through vCenter.
- Restrict network access—use identity-aware firewalls or strict access control lists to block BlackLock from accessing ESXi hosts or moving laterally.
In addition, the report concluded that enabling multi-factor authentication and disabling Remote Desktop Protocol on unnecessary systems should be regarded as a given when securing any networks against the ransomware threat.
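The three ESXi mitigations above can be checked per host before anything is changed. The following read-only audit is an added example, not taken from the Reliaquest report; it assumes VMware PowerCLI with an existing `Connect-VIServer` session to vCenter, and the service keys it reviews (`snmpd`, `TSM`, `TSM-SSH`) are an assumed choice of management services.

```powershell
# Added example: read-only audit of ESXi hosts against the three mitigations.
# Assumes VMware PowerCLI is installed and Connect-VIServer has already been run.
# Assumed review list of management services: SNMP, ESXi Shell, SSH.
$reviewServices = 'snmpd', 'TSM', 'TSM-SSH'

$report = foreach ($vmhost in Get-VMHost) {
    # 1. Unnecessary services: which reviewed services are currently running?
    $running = Get-VMHostService -VMHost $vmhost |
        Where-Object { $_.Running -and $reviewServices -contains $_.Key }

    # vMotion is enabled per VMkernel adapter rather than as a host service.
    $vmotionNics = Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel |
        Where-Object { $_.VMotionEnabled }

    # 2. Lockdown mode: lockdownDisabled, lockdownNormal or lockdownStrict.
    $lockdown = $vmhost.ExtensionData.Config.LockdownMode

    # 3. Network access: enabled firewall rulesets that accept any source IP.
    $openRulesets = $vmhost.ExtensionData.Config.Firewall.Ruleset |
        Where-Object { $_.Enabled -and $_.AllowedHosts.AllIp }

    [pscustomobject]@{
        Host            = $vmhost.Name
        LockdownMode    = $lockdown
        StrictLockdown  = ($lockdown -eq 'lockdownStrict')
        RunningServices = ($running.Key -join ', ')
        VMotionAdapters = ($vmotionNics.Name -join ', ')
        OpenToAnyIP     = ($openRulesets.Key -join ', ')
    }
}

# Hosts that are not in strict lockdown, or that expose rulesets to any IP,
# are the ones to review first.
$report | Sort-Object StrictLockdown, Host | Format-Table -AutoSize -Wrap
```

The script changes nothing on the hosts; a ruleset listed under `OpenToAnyIP` is a candidate for an allowed-IP list, not necessarily a finding.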
Conclusion
Ransomware is a serious threat that requires attention and action to mitigate. By understanding the features that set BlackLock apart from other ransomware threats, organizations can take steps to secure their networks and protect themselves against this growing threat.
FAQs
Q: What is BlackLock ransomware?
A: BlackLock is a type of ransomware that is rapidly growing in popularity and activity.
Q: What are the features that set BlackLock apart from other ransomware threats?
A: BlackLock protects its data-leak site, actively recruits key players, and uses roadblocks to frustrate investigators and pressure target organizations to pay up quickly.
Q: How can organizations mitigate the BlackLock ransomware threat?
A: Organizations can disable unnecessary services, enable strict lockdown mode, restrict network access, enable multi-factor authentication, and disable Remote Desktop Protocol on unnecessary systems.
