Blacklock Ransomware Infrastructure Breached, Revealing Planned Attacks

Resecurity, a prominent cybersecurity firm, has successfully exploited a vulnerability in the Data Leak Site (DLS) of Blacklock Ransomware, gaining unprecedented access to the group’s infrastructure.

This breach, occurring during the winter of 2024-2025, allowed researchers to collect substantial intelligence about the ransomware group’s activities and planned attacks.

Exploitation of Local File Include Vulnerability

The compromise was achieved through the exploitation of a Local File Include (LFI) vulnerability present in the DLS hosted on the TOR network.

This security flaw enabled Resecurity’s analysts to acquire critical artifacts related to the threat actors’ network infrastructure, including logs, associated file-sharing accounts, and timestamps of logins.

Uncovering Planned Attacks and Victim Data

Leveraging the gained access, Resecurity was able to collect information about planned data publications from victims up to 13 days before the threat actors intended to release it.

In one instance, the firm alerted the Canadian Centre for ...