Security researchers have lifted the lid on one of the fastest growing and formidable ransomware-as-a-service (RaaS) groups of 2025.
Dubbed “BlackLock” (aka El Dorado or Eldorado), the RaaS outfit has been around since March 2024 and has increased its number of data leak posts by a staggering 1425% quarter-on-quarter in Q4 of last year, according to ReliaQuest.
The threat intelligence vendor claimed that BlackLock could become the most active RaaS group of 2025.
Although, like many other variants, it uses double extortion tactics and targets Windows, VMware ESXi and Linux environments, there are other characteristics that set it apart.
These include:
- Custom-built malware, rather than leaked Babuk or LockBit builds, making it harder for researchers to analyze
- Several data leak site features aimed at blocking researchers and organizations from downloading stolen data. This includes query detection and bogus file responses. If victim organizations can’t assess the scope of their breaches, they will feel more pressured into paying a ransom, said ReliaQuest
- A huge volume of activity on the RAMP forum, with nine times more posts than second-placed RansomHub, as of January 2025. This indicates closer collaboration with affiliates, developers and initial access brokers (IABs), among other things
- The group works with trusted IABs to speed up attacks for affiliates, although it may also directly compromise some victims
ReliaQuest’s research also revealed that, while most RaaS operators delegate early-stage tasks to affiliates, BlackLock likes to maintain control – something that has likely helped fuel its rapid rise.
“BlackLock actively recruits key players, known as traffers, to support the early stages of ransomware attacks. These individuals drive malicious traffic, steer victims to harmful content, and help establish initial access for campaigns. Recruitment posts for traffers explicitly outline requirements, signaling BlackLock’s urgency to bring on candidates quickly – often prioritizing speed over operational security,” the report explained.
“In contrast, posts seeking higher-level developer and programmer roles are far more discreet, with details and resumes shared privately instead. These roles likely involve greater trust, higher compensation, and long-term commitment, making the recruitment process more delicate.”
Entra Connect Could be Next
ReliaQuest warned that the group may be planning to exploit Microsoft Entra Connect synchronization mechanics in a bid to compromise on-premises environments this year.
It urged organizations using the feature to harden attribute synchronization rules, monitor and restrict key registrations, and enforce conditional access policies.
Other best practice advice for network defenders includes enabling multi-factor authentication (MFA), disabling Remote Desktop Protocol (RDP) on unnecessary systems, configuring ESXi hosts to enable strict lockdown mode, restricting network access and disabling other unnecessary services (e.g. SNMP, vMotion).
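The ESXi items in the advice above (strict lockdown mode, SNMP off, vMotion only where needed) can be audited across a vCenter inventory with VMware PowerCLI. The script below is an added example, not code from ReliaQuest or the article; it assumes PowerCLI is installed, the account has read access to vCenter, and the vCenter hostname is a placeholder to replace.

```powershell
# Added example (not from the article): read-only audit of the ESXi hardening
# points recommended above. Assumes VMware PowerCLI; vCenter name is a placeholder.
param(
    [string]$VCenter = 'vcenter.example.invalid'   # placeholder, replace with your vCenter
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

function Test-EsxiHardening {
    param([Parameter(Mandatory)]$VMHost)

    # HostLockdownMode is lockdownDisabled, lockdownNormal or lockdownStrict (vSphere 6.0+)
    $lockdown = $VMHost.ExtensionData.Config.LockdownMode

    # 'snmpd' is the ESXi SNMP agent service; flag it if running or set to start
    $snmp = Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq 'snmpd' }

    # VMkernel adapters with vMotion enabled; review any host that does not need it
    $vmotion = Get-VMHostNetworkAdapter -VMHost $VMHost -VMKernel |
               Where-Object { $_.VMotionEnabled } |
               Select-Object -ExpandProperty Name

    $findings = @()
    if ($lockdown -ne 'lockdownStrict') {
        $findings += "lockdown mode is $lockdown, expected lockdownStrict"
    }
    if ($snmp -and ($snmp.Running -or $snmp.Policy -ne 'off')) {
        $findings += "SNMP running=$($snmp.Running) policy=$($snmp.Policy)"
    }
    if ($vmotion) {
        $findings += "vMotion enabled on: $($vmotion -join ', ')"
    }

    # One row per host; Compliant is true only when no finding was raised
    [pscustomobject]@{
        Host         = $VMHost.Name
        LockdownMode = $lockdown
        SnmpRunning  = [bool]$snmp.Running
        VMotionNics  = ($vmotion -join ', ')
        Compliant    = ($findings.Count -eq 0)
        Findings     = ($findings -join '; ')
    }
}

Get-VMHost | ForEach-Object { Test-EsxiHardening -VMHost $_ } | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Hosts reported as non-compliant can then be fixed with the usual PowerCLI cmdlets (Stop-VMHostService and Set-VMHostService -Policy Off for snmpd, and the host's HostAccessManager ChangeLockdownMode API for strict lockdown), after confirming the host does not need the service.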