Ransomware not only continues to threaten organizations, but new evidence suggests it is once again a growing problem; now, a specific operator is proving to be of particular concern. According to security analysts from Reliaquest, BlackLock is the world’s fastest-rising ransomware threat, and unless you take action quickly, you could be the next victim. Here’s what you need to know.
Ransomware Is On The Rise
The bad news is that the ransomware threat has not gone away despite successful law enforcement disruption of leading criminal operators such as LockBit during 2024, and the FBI has just issued an urgent security advisory regarding one notorious cybercrime actor. The good news is that while the threat from ransomware actors is growing, it’s growing relatively slowly. A Jan. 31 analysis had reported attack incidents rising by 15% from 2023 to 2024, but a Feb. 20 Symantec Threat Hunter report shows much slower growth of just 3%. Whichever figure you prefer, the conclusion is the same: ransomware is here to stay. One particular ransomware group, however, is proving more problematic than most in terms of growth. According to a Feb. 18 Reliaquest analysis, BlackLock has grown more than any other, with a whopping 1,425% increase in activity since the third quarter of 2024. While this only ranks it as the seventh most prolific player in the criminal ransomware ecosystem, underestimate at your peril a threat that “is built to target Windows, VMWare ESXi, and Linux environments,” Reliaquest warned.
What You Need To Know About The BlackLock Ransomware Threat
The Reliaquest security analysts have predicted that, if the current trajectory continues, BlackLock will become the most active ransomware player during 2025. Given that it has been observed targeting enterprises across a broad range of sectors and geographies, that could prove very problematic indeed. By analyzing the activity of the group and its primary spokesperson, called $$$ (yes, really), on underground crime forums, alongside communication and infrastructure intelligence, Reliaquest was able to reveal the features that set BlackLock apart from the crowd in what is a very competitive criminal landscape.
One of these was the way that BlackLock protects its data-leak site from researchers and victims looking to download exfiltrated data and assess the scope of a breach incident. Send too many GET requests and the site stops responding; automated or frequent download attempts are met with files that contain nothing but contact details. “A technique we’d never seen before,” the researchers said, “likely designed to frustrate investigators, forcing them to manually download files one by one.” Such roadblocks are used to good effect to ramp up the pressure on target organizations to pay up quickly, before they have had a chance to evaluate the reach of the incident properly.
BlackLock also actively recruits key players, referred to as “traffers,” to assist with the early stages of a ransomware attack. Through adverts and postings by the aforementioned $$$, these associates are engaged to “drive malicious traffic, steer victims to harmful content, and help establish initial access for campaigns.” Emphasizing a desire for growth over operational security concerns could prove problematic as BlackLock comes to the attention of the FBI and others. “In contrast,” the researchers said, “posts seeking higher-level developer and programmer roles are far more discreet, with details and resumes shared privately instead.”
Mitigating The BlackLock Ransomware Threat
Reliaquest advised that organizations should secure any ESXi environments as a matter of urgency. In particular, it suggested three steps that need to be taken:
- Disable unnecessary services—turn off unused management services such as vMotion, Simple Network Management Protocol (SNMP), and redundant HTTPS interfaces to minimize attack surfaces.
- Enable strict lockdown mode—to complicate BlackLock’s ability to exploit weak interfaces, configure ESXi hosts to allow management exclusively through vCenter.
- Restrict network access—use identity-aware firewalls or strict access control lists to block BlackLock from accessing ESXi hosts or moving laterally.
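The following audit script is an added example, not Reliaquest tooling or anything from the report: it checks an ESXi host against the three steps above by parsing the output of `esxcli network firewall ruleset list`, `vim-cmd hostsvc/hostconfig` and `esxcli network firewall ruleset allowedip list`. The mapping of the report's services onto the ruleset ids in `RISKY_RULESETS` is an assumption, and the sample output at the bottom is constructed to represent an unhardened host.

```shell
#!/bin/sh
# ESXi hardening audit (constructed example). Each check parses command output passed as
# text, so it works on live esxcli/vim-cmd output or on the constructed samples below.
# Assumption: these esxcli ruleset ids cover the vMotion, SNMP and HTTPS services the report names.
RISKY_RULESETS="vMotion snmp webAccess CIMHttpsServer"
# Input: `esxcli network firewall ruleset list`. Prints risky rulesets that are still enabled.
enabled_risky_rulesets() {
  awk -v risky="$RISKY_RULESETS" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
    $2 == "true" && ($1 in want) { print $1 }'
}
# Input: `vim-cmd hostsvc/hostconfig`. Prints the lockdownMode value (e.g. lockdownStrict).
lockdown_mode() {
  sed -n 's/.*lockdownMode = "\([A-Za-z]*\)".*/\1/p' | head -n 1
}
# Input: `esxcli network firewall ruleset allowedip list`.
# Prints rulesets that still accept connections from any source address.
unrestricted_rulesets() {
  awk 'NR > 2 && $2 == "All" { print $1 }'
}
# Runs all three checks over the given texts; prints one FINDING line per problem.
audit_text() {
  for rs in $(printf '%s\n' "$1" | enabled_risky_rulesets); do
    echo "FINDING: ruleset $rs enabled; disable: esxcli network firewall ruleset set --ruleset-id=$rs --enabled=false"
  done
  mode=$(printf '%s\n' "$2" | lockdown_mode)
  [ "$mode" = "lockdownStrict" ] ||
    echo "FINDING: lockdown mode is '${mode:-unknown}', expected lockdownStrict (set through vCenter)"
  for rs in $(printf '%s\n' "$3" | unrestricted_rulesets); do
    echo "FINDING: ruleset $rs open to all IPs; restrict: esxcli network firewall ruleset set --ruleset-id=$rs --allowed-all=false, then add allowedip entries"
  done
}
# Constructed sample output representing an unhardened host.
SAMPLE_RULESETS='Name       Enabled
---------  -------
sshServer     true
snmp          true
vMotion       true
webAccess    false'
SAMPLE_HOSTCONFIG='   lockdownMode = "lockdownDisabled", '
SAMPLE_ALLOWEDIP='Ruleset    Allowed IP Addresses
---------  --------------------
sshServer  All'
if command -v esxcli >/dev/null 2>&1; then
  audit_text "$(esxcli network firewall ruleset list)" "$(vim-cmd hostsvc/hostconfig)" \
             "$(esxcli network firewall ruleset allowedip list)"
else
  audit_text "$SAMPLE_RULESETS" "$SAMPLE_HOSTCONFIG" "$SAMPLE_ALLOWEDIP"
fi
```

Run it from the ESXi shell to audit the live host; anywhere else it falls back to the sample data so the checks can be exercised offline.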
In addition, the report concluded that enabling multi-factor authentication and disabling Remote Desktop Protocol on unnecessary systems should be regarded as a given when securing any networks against the ransomware threat.