Its modular design, advanced encryption routines, and Ransomware-as-a-Service model make it a significant threat to organizations across multiple industries.
BlackLock first surfaced publicly in June 2024 when researchers discovered a Dedicated Leak Site (DLS) posting multiple victim disclosures, although evidence suggests the group began operations in March 2024.
Initially known as El Dorado, the group rebranded to BlackLock in September 2024.
Written in the Go programming language, BlackLock can compile a single binary capable of executing on Windows, Linux, and VMware ESXi hosts.
This design choice leverages Go’s standard library to implement encryption features via built-in packages such as encoding and crypto, and integrates open-source modules (e.g., go-smb2) to access SMB shared folders on Windows.
The result is a unified codebase that maximizes development efficiency and ensures consistent functionality across diverse operating environments.
Targeted sectors to date include public institutions, education and research, transportation, manufacturing, and even golf resorts in regions spanning the United States, South Korea, and Japan.
Upon execution, BlackLock accepts a variety of command-line parameters to customize its behavior.
By default, it encrypts all local drives, but operators can specify paths, set encryption delays, limit encryption coverage by percentage, sort folders in descending order for priority encryption, or target remote hosts via SMB.
Although an “-esxi” flag exists for VMware environments, the analyzed samples lack an implemented ESXi module, indicating future expansion plans.
Encryption is performed per file using Go’s chacha20.NewUnauthenticatedCipher(), generating a unique 32-byte FileKey and 24-byte nonce for each file.
The ransomware then encrypts file contents with XORKeyStream() and appends both the encrypted metadata and a length field to the end of the file.
To safeguard the metadata, BlackLock employs Elliptic Curve Diffie-Hellman (ECDH) key exchange: the attacker’s private key and the embedded victim’s public key derive a shared secret used to encrypt metadata with secretbox.Seal().
This ensures that only the threat actor, in possession of the corresponding private key, can decrypt the appended information.
After completing encryption, BlackLock loads shellcode in memory to stealthily execute WMI queries through a COM object, deleting Volume Shadow Copies and clearing the Recycle Bin to prevent recovery.
Files are renamed with random extensions, and a ransom note titled HOW_RETURN_YOUR_DATA.TXT is dropped in each affected directory.
The note warns of business disruption and data leakage should the ransom remain unpaid. Operating under a Ransomware-as-a-Service (RaaS) model, BlackLock recruits affiliates on Russian-language cybercrime forums, indicating a robust ecosystem.
Linguistic analysis points to Russian-speaking developers, and promotion on RAMP underscores the group’s forum activity.
BlackLock’s cross-platform reach and modular command-line controls present a formidable risk, capable of encrypting entire local systems, network shares, and, eventually, ESXi hosts.
Security teams should implement rigorous backup strategies, isolate critical systems from SMB exposures, and deploy endpoint protection capable of detecting anomalous Go-based binaries and in-memory shellcode execution.
Following the AhnLab Security Intelligence Center’s response guidelines, including behavioral detection signatures for ChaCha20 and ECDH routines, will help organizations detect and contain BlackLock attacks before encryption occurs.
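A triage helper for the detection advice above, added here as an example and not code from the article or from AhnLab: it flags a binary that carries a Go build marker and embeds the import-path strings of the packages the article attributes to BlackLock (Go binaries keep package paths as plain strings). The package paths, the scoring thresholds and the sample blob are assumptions constructed for the example, not values taken from a real sample.

```python
"""Static triage: does this file look like a Go binary bundling the
stream-cipher, metadata-sealing and SMB packages named in the article?"""
from pathlib import Path

# Strings Go toolchains write into every compiled binary.
GO_MARKERS = (b"Go build ID:", b"Go buildinf:")

# Import paths assumed from the public repositories of the packages
# the article names; the ransom-note filename comes from the article.
INDICATORS = {
    "chacha20": b"golang.org/x/crypto/chacha20",
    "secretbox": b"golang.org/x/crypto/nacl/secretbox",
    "go-smb2": b"go-smb2",
    "ransom_note": b"HOW_RETURN_YOUR_DATA.TXT",
}


def triage_bytes(data: bytes) -> dict:
    """Score raw file bytes; 'suspicious' needs a Go marker plus the
    cipher-and-sealing pair, reinforced by SMB or ransom-note strings."""
    is_go = any(marker in data for marker in GO_MARKERS)
    hits = sorted(name for name, needle in INDICATORS.items() if needle in data)
    score = 1 if is_go else 0
    if "chacha20" in hits and "secretbox" in hits:
        score += 2  # per-file ChaCha20 keys wrapped with secretbox
    score += sum(1 for h in hits if h in ("go-smb2", "ransom_note"))
    return {"is_go": is_go, "hits": hits, "score": score,
            "suspicious": is_go and score >= 3}


def triage_file(path: str) -> dict:
    return triage_bytes(Path(path).read_bytes())


# Constructed sample blob (not a real binary) for a self-contained run.
SAMPLE = (b"MZ\x90\x00" + b"Go build ID: \"constructed\"\x00"
          b"golang.org/x/crypto/chacha20\x00"
          b"golang.org/x/crypto/nacl/secretbox\x00"
          b"HOW_RETURN_YOUR_DATA.TXT\x00")

if __name__ == "__main__":
    print(triage_bytes(SAMPLE))
```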
The post BlackLock Ransomware Actively Targeting Windows, Linux, and VMware ESXi Environments appeared first on Cyber Security News.