A sophisticated new ransomware operation dubbed BlackLock has emerged as a significant threat to organizations worldwide, demonstrating advanced cross-platform capabilities and targeting diverse computing environments.\u00a0<\/p>\n
Originally operating under the name \u201cEl Dorado\u201d since March 2024, the group rebranded to BlackLock in September 2024, establishing itself as a formidable player in the ransomware landscape with victims spanning multiple countries and industries.<\/p>\n
BlackLock\u2019s technical sophistication lies in its development using the Go programming language, enabling the malware to execute seamlessly across Windows, Linux, and VMware ESXi systems<\/a>.\u00a0<\/p>\n This cross-platform approach significantly expands the attack surface, allowing threat actors to compromise entire IT infrastructures simultaneously.\u00a0<\/p>\n The ransomware operates under a Ransomware-as-a-Service (RaaS) model<\/a>, actively recruiting skilled affiliates through Russian-speaking cybercrime forums, particularly RAMP.<\/p>\n ASEC reports that<\/a> the ransomware implements robust cryptographic techniques, utilizing Go\u2019s crypto package to perform file encryption through ChaCha20.NewUnauthenticatedCipher() with randomly generated 32-byte FileKeys and 24-byte nonces for each targeted file.\u00a0<\/p>\n This approach ensures that every encrypted file receives a unique encryption key, making recovery virtually impossible without the attackers\u2019 decryption tools.<\/p>\n BlackLock\u2019s sophisticated key management system employs Elliptic Curve Diffie-Hellman (ECDH) key exchange to generate shared keys for metadata encryption.\u00a0<\/p>\n The ransomware appends encrypted metadata containing the FileKey and victim information to each file, protected by secretbox.Seal() encryption.\u00a0<\/p>\n This dual-layer encryption strategy prevents victims from independently recovering their data while ensuring the attackers can decrypt files upon ransom payment.<\/p>\n The malware supports extensive command-line arguments for operational flexibility, including -path for targeted encryption, -delay for timed execution, -threads for performance optimization, and -perc for partial file encryption to accelerate the attack process.\u00a0<\/p>\n Notably, the ransomware includes provisions for VMware ESXi environments through the -esxi option, though this feature remains unimplemented in the analyzed samples.<\/p>\n BlackLock demonstrates advanced network propagation capabilities by utilizing open-source projects like go-smb2 to scan and access SMB shared folders across Windows networks.\u00a0<\/p>\n The ransomware can authenticate using plaintext passwords<\/a> or NTLM hashes specified through the -u, -p, and -h parameters, enabling lateral movement across corporate networks and simultaneous encryption of networked storage systems.<\/p>\n To eliminate recovery options, BlackLock employs sophisticated data destruction techniques targeting Volume Shadow Copy Service (VSS) and Recycle Bin contents.\u00a0<\/p>\n Rather than executing obvious command-line instructions, the malware constructs COM object instances to execute WMI queries through shellcode loaded directly into memory, making detection significantly more challenging for security solutions.<\/p>\n The ransomware creates ransom notes titled HOW_RETURN_YOUR_DATA.TXT in every encrypted directory, containing threatening language that warns victims of business disruption and data leakage to customers and the public if ransom demands are not met.\u00a0<\/p>\n This psychological pressure tactic, combined with the technical impossibility of independent data recovery, creates substantial leverage for the attackers.<\/p>\n Organizations must implement comprehensive security strategies encompassing endpoint protection, network segmentation, and robust backup solutions to defend against this evolving threat landscape.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post BlackLock Ransomware Attacking Windows, Linux, and VMware ESXi Environments<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"BlackLock](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2025\/09\/image-119-1024x760.png?resize=1024%2C760&ssl=1\")
Advanced Encryption and Cross-Platform Capabilities<\/strong><\/h2>\n
![\"Ransom](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2025\/09\/image-118-992x1024.png?resize=992%2C1024&ssl=1\")