Analysis Summary
# Threat Actor: BlackLock (Ransomware Group)
## Attribution & Identity
- **Threat Actor Name:** BlackLock
- **Aliases:** El Dorado, Eldorado
- **Associated Groups/Ecosystem:** Operates within the Ransomware-as-a-Service (RaaS) ecosystem. Its representative on the RAMP forum posts under the handle "$$$", who has been observed publicly backing other groups such as DragonForce and Lynx.
## Activity Summary
- **First Observed:** March 2024.
- **Prolificacy:** By Q4 2024, BlackLock ranked as the 7th most prolific ransomware group on data-leak sites, experiencing a 1,425% increase in activity from Q3 2024.
- **Projection:** On its current trajectory, assessed as likely to become the most active ransomware group in 2025.
- **Forum Activity:** Highly active on the Russian-language forum RAMP, with its representative ("$$$") showing significantly higher engagement (9x more posts than RansomHub's operator as of Jan 2025) to build trust and secure resources.
- **Future Focus:** Likely pivoting to weaknesses in **Entra Connect** (formerly Azure AD Connect) synchronization as an avenue for Identity and Access Management (IAM) attacks.
## Tactics, Techniques & Procedures
- **Extortion Method:** Utilizes **double extortion** (data encryption alongside data theft/exfiltration).
- **Custom Malware Development:** Develops and deploys bespoke ransomware rather than building on leaked builders (e.g., Babuk or LockBit). This denies defenders the signatures and analyst familiarity that reused builders provide, keeping research and detection harder.
- **Data-Leak Site Evasion:** Employs novel techniques on its data-leak site to frustrate researchers and delay victim assessment:
  - **Query Detection:** Stops responding to rapid GET requests of the kind used to enumerate folder names (bypassed by pacing requests to no more than one per second).
  - **Bogus File Responses:** Answers automated download attempts with empty files, or files containing only the group's contact information (bypassed by randomizing request intervals and rotating session details such as cookies and User-Agent).
- **Targeting Strategy:** Assessed as likely to abuse the synchronization flows between on-premises Active Directory and Entra ID (**Entra Connect tradecraft**) to escalate privileges and maintain persistence across the hybrid boundary.
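The two leak-site defences and their bypasses described above, as an added example that is not code from the original analysis: `LeakSiteSim` is a constructed stand-in for a site that stops answering rapid GETs from one session and serves decoy downloads once a session has pulled too many files (its thresholds and decoy text are assumptions, not observed BlackLock values), and `PacedClient` is the collector-side pattern that defeats it with a randomised gap of at least one second and a rotating session identity. `FakeClock` keeps the run instant; a live collector would use `time.monotonic` and `time.sleep` instead.

```python
"""Pacing and session rotation against a leak site that detects scrapers (added example)."""
import random
from typing import Callable, Dict, List, Optional

DECOY_MARKERS = (b"contact", b"tox", b"session id", b"@")

# Constructed sample listing; the archive-like bodies stand in for leaked files.
SAMPLE_FILES: Dict[str, bytes] = {
    "/acme/finance.zip": b"PK\x03\x04" + bytes(700),
    "/acme/hr.zip": b"PK\x03\x04" + bytes(800),
    "/acme/legal.zip": b"PK\x03\x04" + bytes(900),
    "/globex/backups.7z": b"7z\xbc\xaf\x27\x1c" + bytes(1200),
}


def is_decoy(body: bytes) -> bool:
    """Decoys are empty or tiny files carrying nothing but contact details."""
    return not body or (len(body) < 512 and any(m in body.lower() for m in DECOY_MARKERS))


class FakeClock:
    """Virtual time so the example runs instantly (assumed stand-in for real time)."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


class LeakSiteSim:
    """Constructed model of the leak-site defences; thresholds are assumptions."""

    def __init__(self, files: Dict[str, bytes], clock: Callable[[], float],
                 min_interval: float = 1.0, decoy_after: int = 3) -> None:
        self.files, self.clock = files, clock
        self.min_interval, self.decoy_after = min_interval, decoy_after
        self._last: Dict[str, float] = {}   # session -> time of its last request
        self._count: Dict[str, int] = {}    # session -> downloads served so far

    def get(self, session: str, path: str) -> Optional[bytes]:
        now = self.clock()
        last = self._last.get(session)
        self._last[session] = now
        if last is not None and now - last < self.min_interval:
            return None                     # query detection: no response at all
        if path.endswith("/"):              # folder listing
            return "\n".join(sorted(p for p in self.files if p.startswith(path))).encode()
        self._count[session] = self._count.get(session, 0) + 1
        if self._count[session] > self.decoy_after:
            return b"Contact us: tox <redacted>\n"   # bogus file response
        return self.files.get(path, b"")


class PacedClient:
    """Waits a randomised gap of >= base_gap between requests and rotates session identity."""

    def __init__(self, site: LeakSiteSim, clock: FakeClock, base_gap: float = 1.0,
                 jitter: float = 0.5, rotate_every: int = 3, seed: int = 7) -> None:
        self.site, self.clock = site, clock
        self.base_gap, self.jitter, self.rotate_every = base_gap, jitter, rotate_every
        self._rng = random.Random(seed)
        self._n, self._session = 0, ""

    def _session_id(self) -> str:
        if self._n % self.rotate_every == 0:        # fresh cookie / User-Agent identity
            self._session = f"sess-{self._rng.getrandbits(32):08x}"
        self._n += 1
        return self._session

    def fetch(self, path: str, retries: int = 3) -> Optional[bytes]:
        for _ in range(retries):
            self.clock.sleep(self.base_gap + self._rng.uniform(0.0, self.jitter))
            body = self.site.get(self._session_id(), path)
            if body is not None and not is_decoy(body):
                return body                         # drop timeouts and decoys, retry
        return None

    def mirror(self, root: str = "/") -> Dict[str, bytes]:
        listing = self.fetch(root) or b""
        return {p: self.fetch(p) for p in listing.decode().splitlines() if p}


def naive_scrape(paths: List[str]) -> List[Optional[bytes]]:
    """Back-to-back GETs in one session: the gate answers the first and drops the rest."""
    clock = FakeClock()
    site = LeakSiteSim(SAMPLE_FILES, clock.now)
    return [site.get("bot", p) for p in paths]


def paced_mirror() -> Dict[str, bytes]:
    """Paced, rotating client recovers every file in the constructed listing."""
    clock = FakeClock()
    site = LeakSiteSim(SAMPLE_FILES, clock.now)
    return PacedClient(site, clock).mirror()


if __name__ == "__main__":
    print([b is not None for b in naive_scrape(list(SAMPLE_FILES))])
    print({p: len(b) for p, b in paced_mirror().items()})
```

The decoy check is deliberately loose (size plus contact-detail markers) because the point is to discard the bogus response and retry under a fresh identity, not to classify it precisely; a real collector should also compare byte length and hash against the size the listing advertises, where the site exposes one.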
## Targeting
- **Sectors:** A wide range of sectors (unspecified, but broad).
- **Geography:** Targets organizations across a wide range of geographies (unspecified).
- **Victims:** No specific organizations were named in the provided text, but analysis involved reviewing data on named victims.
## Tools & Infrastructure
- **Malware Families Used:** Custom ransomware with builds for Windows, VMware ESXi, and Linux; the Linux build has fewer features than the Windows and ESXi variants.
- **Infrastructure:** Operates a unique, technically customized data-leak site designed to block automated extraction of breach scope data.
- **Targeted Systems/Infrastructure:** Anticipated focus on **Entra Connect** servers, and potentially on other identity and device-management systems such as VMware AirWatch (mobile device management) and Cisco Identity Services Engine (network access control).
## Implications
BlackLock is positioned as a technically sophisticated and rapidly scaling RaaS operation. Its use of custom malware mirrors top-tier actors and denies defenders the signatures and tooling derived from leaked builders. Its data-leak site techniques obstruct breach-scope assessment, which in turn pressures victims into paying faster. The anticipated pivot toward Entra Connect abuse in 2025 signals a dangerous focus on Identity and Access Management (IAM): the Entra Connect server and its connector account bridge on-premises Active Directory and Entra ID, so compromising that trust can end in full domain compromise.
## Mitigations
- **Harden Attribute Synchronization Rules:** Customize Entra Connect sync rules to disable attribute flows that are not needed, especially writeback of sensitive attributes such as `msDS-KeyCredentialLink` (the attribute written for Windows Hello for Business hybrid key trust, and the one abused by shadow-credential attacks to authenticate as the targeted account).
- **Monitor and Restrict Key Registrations:** Enforce administrator approval for key registrations in Entra ID, and regularly audit the `msDS-KeyCredentialLink` attribute in on-premises AD for unauthorized changes: keys that were not present in a prior snapshot, keys on Tier 0 accounts, and keys bound to device IDs that were never registered.
- **Enforce Conditional Access Policies:** Apply location- or risk-based restrictions and require compliant devices for key registrations to prevent rogue key establishment or unauthorized syncs.
- **Invest in Hands-On Research Capabilities:** Organizations must anticipate and prepare to counter novel evasion techniques used on data-leak sites and in malware execution by relying on active threat hunting rather than solely automated defenses.
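The audit of `msDS-KeyCredentialLink` recommended above, as an added example that is not code from the original analysis or from Microsoft. It parses the KEYCREDENTIALLINK_BLOB layout documented in MS-ADTS (a 4-byte version of 0x200 followed by length/identifier/value entries) out of the DN-Binary string that AD returns for the attribute, then flags keys that are new against a baseline snapshot, keys sourced from Entra ID on protected accounts, and keys bound to a device that was never registered. The account DNs, device GUIDs and key material are constructed; in practice the `current` dictionary would be populated from an LDAP query of the attribute.

```python
"""Audit of msDS-KeyCredentialLink values (added example; sample data is constructed)."""
import hashlib
import struct
import uuid
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Entry identifiers from the KEYCREDENTIALLINK_ENTRY layout (MS-ADTS)
KEY_ID, KEY_SOURCE, DEVICE_ID, KEY_CREATION = 0x01, 0x05, 0x06, 0x09
KEY_SOURCES = {0x00: "AD", 0x01: "AzureAD"}   # KEY_SOURCE_AD / KEY_SOURCE_AZUREAD
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


class KeyCredential(NamedTuple):
    key_id: str                 # hex of the 32-byte KeyID (SHA-256 of the key material)
    source: str
    device_id: Optional[str]
    created: Optional[datetime]


def parse_dn_binary(value: str) -> Tuple[bytes, str]:
    """Split AD's DN-Binary encoding 'B:<hexlen>:<hex>:<DN>' into (blob, DN)."""
    tag, hexlen, hexdata, dn = value.split(":", 3)
    if tag != "B" or len(hexdata) != int(hexlen):
        raise ValueError("malformed DN-Binary value")
    return bytes.fromhex(hexdata), dn


def parse_blob(blob: bytes) -> KeyCredential:
    """Walk the blob's length/identifier/value entries and pull the fields the audit needs."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 0x200:
        raise ValueError(f"unexpected blob version {version:#x}")
    fields: Dict[int, bytes] = {}
    off = 4
    while off + 3 <= len(blob):
        length, ident = struct.unpack_from("<HB", blob, off)
        off += 3
        fields[ident] = blob[off:off + length]
        off += length
    device, created = fields.get(DEVICE_ID), fields.get(KEY_CREATION)
    return KeyCredential(
        key_id=fields[KEY_ID].hex(),
        source=KEY_SOURCES.get(fields.get(KEY_SOURCE, b"\x00")[0], "unknown"),
        device_id=str(uuid.UUID(bytes_le=device)) if device else None,
        created=(FILETIME_EPOCH + timedelta(microseconds=struct.unpack("<Q", created)[0] // 10))
        if created else None,
    )


def build_value(dn: str, key_material: bytes, source: int,
                device_id: uuid.UUID, created: datetime) -> str:
    """Encode a value the way AD stores it; used here only to construct sample data."""
    filetime = ((created - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    entries = [
        (KEY_ID, hashlib.sha256(key_material).digest()),
        (KEY_SOURCE, bytes([source])),
        (DEVICE_ID, device_id.bytes_le),
        (KEY_CREATION, struct.pack("<Q", filetime)),
    ]
    blob = struct.pack("<I", 0x200) + b"".join(
        struct.pack("<HB", len(v), i) + v for i, v in entries)
    return f"B:{len(blob) * 2}:{blob.hex()}:{dn}"


def audit(current: Dict[str, List[str]], baseline: Dict[str, Set[str]],
          protected: Set[str], known_devices: Set[str]) -> List[str]:
    """Return one finding per suspicious property of each key credential."""
    findings: List[str] = []
    for dn, values in current.items():
        for value in values:
            blob, _ = parse_dn_binary(value)
            k = parse_blob(blob)
            if k.key_id not in baseline.get(dn, set()):
                findings.append(f"{dn}: new key {k.key_id[:16]} source={k.source} created={k.created}")
            if k.source == "AzureAD" and dn in protected:
                findings.append(f"{dn}: Entra-sourced key written to a protected account")
            if k.device_id and k.device_id not in known_devices:
                findings.append(f"{dn}: key bound to unregistered device {k.device_id}")
    return findings


def run_audit() -> List[str]:
    """Constructed snapshot: one legitimate hybrid-key-trust key, one rogue key on a Tier 0 account."""
    user_dn = "CN=j.doe,OU=Users,DC=corp,DC=example"
    admin_dn = "CN=da-backup,OU=Tier0,DC=corp,DC=example"
    laptop = uuid.UUID("11111111-2222-3333-4444-555555555555")   # assumed registered device
    rogue = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")    # never registered
    user_value = build_value(user_dn, b"user-ngc-pubkey", 0x01, laptop,
                             datetime(2024, 9, 1, tzinfo=timezone.utc))
    admin_value = build_value(admin_dn, b"attacker-pubkey", 0x01, rogue,
                              datetime(2025, 1, 15, tzinfo=timezone.utc))
    current = {user_dn: [user_value], admin_dn: [admin_value]}
    baseline = {user_dn: {parse_blob(parse_dn_binary(user_value)[0]).key_id}}
    return audit(current, baseline, protected={admin_dn}, known_devices={str(laptop)})


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

The baseline is the part that does the work: a key that a legitimate hybrid key-trust enrollment wrote will already be in the previous snapshot, so each run only surfaces what changed since. Protected accounts should never carry an Entra-sourced key at all, because Windows Hello for Business is not meant to be provisioned for Tier 0 identities; that check fires regardless of the baseline.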