A 1425% Surge in BlackLock Ransomware Attacks Alarms Cybersecurity Experts
BlackLock Ransomware’s Explosive Growth
BlackLock ransomware, first identified in March 2024, is quickly becoming a major player in the ransomware-as-a-service (RaaS) ecosystem. Its activity has increased dramatically, showcasing its potential to be the most active ransomware gang in 2025.
Cybersecurity firm ReliaQuest reported a staggering 1,425% surge in BlackLock’s activity in the last quarter of 2024, making it the seventh most active ransomware group. This rapid growth highlights the escalating threat posed by this cybercriminal group.
BlackLock’s Unique Approach to Ransomware Attacks
Unlike many ransomware groups that utilize leaked builders like Babuk or LockBit, BlackLock distinguishes itself by developing its own custom malware. This approach offers several advantages.
While leaked builders are readily available, they also provide security researchers with opportunities to analyze the code, identify vulnerabilities, and develop countermeasures. BlackLock’s custom malware, however, remains largely unanalyzed, making it more difficult to defend against.
Double Extortion and a Sophisticated Leak Site
BlackLock employs a double extortion tactic, combining data encryption with data exfiltration. Victims’ data is both encrypted, rendering it inaccessible, and stolen, creating a powerful leverage point for the attackers.
The threat of public data disclosure significantly increases the pressure on victims to pay the ransom. The ransomware targets Windows, VMware ESXi, and Linux systems, although the Linux variant is less developed.
BlackLock utilizes a custom-built leak site, a key component of its operational effectiveness.
Researchers at ReliaQuest noted, “Unlike most other leak sites, BlackLock’s platform is packed with features likely designed to prevent targeted organizations from assessing the scope of their breaches.”
This obfuscation intensifies the pressure on organizations to pay ransoms rapidly, often before a full assessment of the damage can be completed. This strategy is highly effective in maximizing the ransomware group’s financial gains.
Recruitment and Operational Strategy
BlackLock primarily uses the Russian-language cybercriminal forum RAMP to recruit affiliates. The group actively seeks “traffickers” to assist in the early stages of attacks, including driving malicious traffic and establishing initial access.
“Recruitment posts for traffers explicitly outline requirements, signaling BlackLock’s urgency to bring on candidates quickly – often prioritizing speed over operational security,” according to the ReliaQuest report.
Recruitment for higher-level developer and programmer roles is more discreet, reflecting a need for greater trust and long-term commitment. Interestingly, affiliate recruitment often precedes major attack waves, suggesting a deliberate strategy.
The recruitment process and operational strategy of BlackLock ransomware are sophisticated and effective in supporting their rapid growth and success.