
Resecurity Vs BlackLock: What Happens When Cyber Defenders Go On Offense

Not waiting to get hit.
Cambron Kelly
Contributing Writer

In an extraordinary reversal of roles, cybersecurity firm Resecurity has disclosed that it hacked into the infrastructure of the BlackLock ransomware group, gathered insider intelligence, and worked with national authorities to warn victims ahead of imminent data leaks.

The covert operation unfolded during the 2024 holiday season, when Resecurity discovered a vulnerability in BlackLock’s Tor-based data leak site (DLS) that allowed it to extract configuration files, login credentials, and insight into the group’s operations.

The firm uncovered a wealth of information, including internal command histories and reused credentials, which gave them deep visibility into BlackLock’s operations.

Using this intelligence, Resecurity was able to alert victims and government cyber agencies in Canada and France ahead of scheduled data leaks. The incident sheds new light on what proactive security tactics can achieve in disrupting organized cybercrime.

Why It Matters: This rare instance of a private security firm successfully infiltrating a ransomware operation, and aiding international authorities, is an example of offensive cybersecurity tactics. It demonstrates how targeted intervention can mitigate harm even when attacks can’t be stopped entirely.

  • A Tactical Exploit of BlackLock’s DLS Infrastructure: Resecurity discovered and exploited a Local File Inclusion (LFI) vulnerability on BlackLock’s Tor-based Data Leak Site (DLS), allowing them to retrieve sensitive internal files from the ransomware group’s servers, including configuration files, logs, and even admin credentials. A leak site is an ordinary web application served through a Tor hidden service, and it is exposed to the same input-handling bugs as any clearnet site. The retrieved files also revealed clearnet IP addresses, that is, servers reachable outside the anonymous Tor network, which allowed investigators to track the gang’s operational infrastructure, a rare but critical OPSEC lapse for a seasoned cybercrime syndicate.
  • Credential Reuse Leads to Deeper Access into the Network: Among the trove of compromised data was a command history from a lead BlackLock operator known as “$$$,” revealing plaintext credentials that had been copy-pasted and reused across multiple accounts. Resecurity analysts capitalized on this misstep to gain deeper access into the gang’s ecosystem, uncovering overlapping infrastructure and user accounts that tied BlackLock to other ransomware entities. This level of access offered a unique window into the day-to-day operations of the group, including data exfiltration methods, storage locations, and internal communication habits.
  • Pre-Leak Alerts to Global Victims and Cybersecurity Agencies: With insight into the group’s internal schedule for leaking stolen data, Resecurity provided advance warnings to victims ahead of planned disclosures. Notably, a French legal services provider was contacted two days before its data was set to go public, and a Canadian victim received an alert 13 days prior to its exposure. These notifications were coordinated with national cybersecurity agencies, such as CERT-FR in France and the Canadian Centre for Cyber Security, allowing affected organizations to activate crisis communications and incident response plans in advance.
  • Unmasking of Interconnected Ransomware Operations: The operation not only disrupted BlackLock, but also highlighted its deep ties with other ransomware groups, namely El Dorado and Mamona. Victim lists, infrastructure, and malware codebases showed substantial overlap, suggesting these brands may be different faces of the same operation. Resecurity noted that El Dorado had previously targeted organizations in Ohio, Kansas, and Florida, with stolen data later appearing on BlackLock’s DLS. This evidence further supports the theory that multiple ransomware “brands” are often rebrands or offshoots of a central criminal entity.
  • Suspicious Defection and False Flag Possibility Involving DragonForce: A parallel breach of BlackLock’s DLS, allegedly by rival gang DragonForce, raised questions about internal politics within the ransomware ecosystem. Although the defacement appeared to be a separate attack, Resecurity noted striking similarities between BlackLock and DragonForce’s malware, hinting that the two may share development resources or even leadership. The fact that $$$, BlackLock’s lead operator, showed no resistance or outrage over the attack and instead referred to DragonForce members as “gentlemen” suggests a possible orchestrated handoff or defection. The entire sequence might have been a strategic exit masked as an external takedown.
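The LFI bullet above names the vulnerability class but not how BlackLock’s site was written, and the page does not describe the exploit itself. The following is an added example, not code from Resecurity or from the leak site: a Python page loader with the classic LFI defect (the classic sink is PHP’s include(), but the bug is identical in any language) beside a hardened version, run against a throwaway document root whose file names and contents are constructed for the demonstration.

```python
"""Local file inclusion (LFI): a vulnerable page loader next to a hardened one.

Added example, not code from Resecurity or from BlackLock's DLS. The handler
names, the document root layout and the sample files are assumptions.
"""
import os
import tempfile
from pathlib import Path

# Throwaway "web root" with one legitimate page and a sensitive file one
# directory above it (constructed sample data, created at import time).
SITE = Path(tempfile.mkdtemp())
DOCROOT = SITE / "public"
DOCROOT.mkdir()
(DOCROOT / "index.html").write_text("<h1>leak site</h1>")
(SITE / "config.php").write_text("<?php $db_pass = 'hunter2'; ?>")


def load_page_vulnerable(page: str) -> str:
    """Classic LFI: the user-controlled 'page' parameter is joined to the
    document root without validation, so '../config.php' escapes the root
    and returns a file the web server was never meant to serve."""
    path = os.path.join(DOCROOT, page)
    with open(path) as fh:
        return fh.read()


def load_page_hardened(page: str) -> str:
    """Resolve the requested path and refuse anything that does not stay
    inside DOCROOT once symlinks and '..' segments are collapsed. NUL bytes
    are rejected up front because some runtimes truncate the path at them."""
    if "\0" in page:
        raise PermissionError("invalid path")
    root = DOCROOT.resolve()
    resolved = (DOCROOT / page).resolve()
    # commonpath is the check that matters: a plain string-prefix test would
    # accept '/srv/public_backup' as being inside '/srv/public'.
    if os.path.commonpath([root, resolved]) != str(root):
        raise PermissionError(f"path escapes document root: {page}")
    return resolved.read_text()


def demo() -> dict:
    """Run both loaders against a benign request and a traversal request."""
    results = {"benign": load_page_hardened("index.html")}
    # The vulnerable loader hands back the config file from outside the root.
    results["vulnerable_leak"] = load_page_vulnerable("../config.php")
    try:
        load_page_hardened("../config.php")
        results["hardened_blocked"] = False
    except PermissionError:
        results["hardened_blocked"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The traversal string is the simplest form of the attack; the same resolve-then-compare check also defeats encoded variants once the framework has decoded the parameter, which is why the check belongs after decoding and on the resolved path rather than on the raw string.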
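The credential-reuse bullet describes a shell command history in which the same password had been pasted into several commands. What follows is an added example, not Resecurity’s tooling and not the operator’s actual history: a scanner that pulls user/password pairs out of constructed history lines (the hosts, account names and secrets are invented) and flags any secret that unlocks more than one distinct account or host, which is exactly the misstep the analysts capitalized on.

```python
"""Scan a shell command history for pasted credentials and flag reuse.

Added example, not Resecurity's tooling. SAMPLE_HISTORY is constructed to
look like an operator's .bash_history; hosts, users and passwords are invented.
"""
import re
from collections import defaultdict

SAMPLE_HISTORY = """\
ls -la /var/www/dls
mysql -h 10.0.0.5 -u dls_admin -pSup3rS3cret! dls_prod
curl -u dls_admin:Sup3rS3cret! https://10.0.0.9/upload
sshpass -p 'Sup3rS3cret!' ssh root@10.0.0.12
export PGPASSWORD=Other-pass-77
mysql -h 10.0.0.7 -u backup -pB4ckup-only archive
"""

# Each pattern exposes named groups 'user' and 'pw'. The list covers the
# common ways a secret ends up on a command line; extend it for other tools.
PATTERNS = [
    re.compile(r"mysql\b.*?-u\s*(?P<user>\S+)\s+-p(?P<pw>\S+)"),
    re.compile(r"curl\b.*?-u\s+(?P<user>[^:\s]+):(?P<pw>\S+)"),
    re.compile(r"sshpass\s+-p\s+['\"]?(?P<pw>[^'\"\s]+)['\"]?\s+ssh\s+(?P<user>[^@\s]+)@"),
    re.compile(r"export\s+(?P<user>\w*PASS\w*)=(?P<pw>\S+)"),
]

# Best-effort host extraction: user@host, -h host, or a URL host.
HOST_RE = re.compile(r"(?:@|-h\s+|https?://)(\d{1,3}(?:\.\d{1,3}){3})")


def extract_credentials(history: str) -> list[dict]:
    """Return one record per history line that carries a credential."""
    found = []
    for lineno, line in enumerate(history.splitlines(), 1):
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                host = HOST_RE.search(line)
                found.append({
                    "line": lineno,
                    "user": m.group("user"),
                    "password": m.group("pw"),
                    "host": host.group(1) if host else None,
                })
                break  # one credential per line is enough for this report
    return found


def find_reuse(creds: list[dict]) -> dict[str, list[dict]]:
    """Group records by secret and keep only secrets used for more than one
    distinct (user, host) pair; a secret typed twice for the same account is
    repetition, not reuse."""
    by_pw = defaultdict(list)
    for c in creds:
        by_pw[c["password"]].append(c)
    return {pw: uses for pw, uses in by_pw.items()
            if len({(u["user"], u["host"]) for u in uses}) > 1}


if __name__ == "__main__":
    reuse = find_reuse(extract_credentials(SAMPLE_HISTORY))
    for pw, uses in reuse.items():
        # Never print the secret itself in a real report; show where it was used.
        where = ", ".join(f"line {u['line']}: {u['user']}@{u['host']}" for u in uses)
        print(f"reused secret ({len(uses)} uses): {where}")
```

In the sample, one password appears in a MySQL login, a curl upload and an SSH session to three different hosts, so the scanner reports it; the two single-use secrets are left alone. The same logic applied to a defender’s own bastion or build-host histories finds the reuse before an adversary does.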

Go Deeper -> Security shop pwns ransomware gang, passes insider info to authorities – The Register
