Cybersecurity researchers hacked into the systems of a ransomware group called BlackLock. This rare case of “hacking the hackers” exposed how the criminals operate. The breach revealed key details about their infrastructure, methods, and major mistakes.
Hackers Get Hacked: BlackLock’s Operations Revealed
The breakthrough came when Resecurity, a cybersecurity firm, found a flaw in BlackLock’s data leak site (DLS). The group used this site to publish stolen data and pressure victims to pay ransoms. However, due to a mistake in the site’s setup, researchers accessed sensitive files, login details, and even a full list of commands used by the hackers.
The flaw, called a local file inclusion (LFI) bug, let researchers trick the server into showing hidden information. It was a huge mistake by BlackLock. It revealed their real-world systems and exposed their secrets.
BlackLock’s Dirty Secrets: How the Ransomware Group Operates
The leak revealed some startling information about BlackLock’s tactics and tools. The hackers used MEGA, a popular cloud storage service, to move stolen data. Shockingly, they installed the MEGA app on victims’ systems to speed up the transfer.
BlackLock made at least eight MEGA accounts using temporary emails from YOPmail. These throwaway emails helped them stay hidden while storing stolen data online.
Cyberattack Catastrophe: How Hackers Can Endanger Human Lives ?
The hackers used a tool called Rclone to steal data automatically. Rclone is a legit program for cloud storage. However, BlackLock misused it to quickly move large amounts of stolen data.
While analyzing BlackLock’s source code, researchers found similarities with another ransomware strain called DragonForce. Interestingly, although DragonForce is written in Visual C++, BlackLock uses Go—but the ransom notes and parts of the code were strikingly similar.
Ransomware Rivalry: BlackLock Defaced by DragonForce
In a strange twist, BlackLock was hacked by another group. On March 20, 2025, their data leak site was defaced by DragonForce. The rival group likely used the same flaw or a similar one. They leaked BlackLock’s chats and files on their public website.
Even more surprisingly, Mamona, another ransomware project linked to BlackLock, suffered a similar fate. On March 19, Mamona’s DLS was also defaced.
Medusa Ransomware Crisis: 300 Major Organizations Under Siege
The attack made people wonder if BlackLock and DragonForce were working together. Some experts thought DragonForce may have taken over BlackLock’s operations. Others believed BlackLock gave up control after realizing they were hacked.
The group’s main hacker, known as $$$, did not seem surprised after BlackLock and Mamona were attacked. This made researchers think he may have expected the hit. They believed he left the project quietly before it collapsed.
The Bigger Picture: BlackLock’s Global Impact
Before being exposed, BlackLock had become one of the most aggressive ransomware groups in 2025, targeting multiple industries including technology, manufacturing, construction, finance, and retail.
As of February 2025, BlackLock had listed 46 victims on its leak site. Their attacks affected companies and organizations in countries such as Argentina, Brazil, and Peru in South America; France, Italy, Spain, the Netherlands, Croatia, and the U.K. in Europe; Canada and the U.S. in North America; Congo and Aruba; and the United Arab Emirates in the Middle East.
How Cyber Attacks on Industrial Control Systems Can Endanger Lives ?
In January 2025, BlackLock started an underground network, inviting other hackers to join. Their partners, called traffers, helped in the first steps of attacks. They tricked victims into visiting fake websites with malware. This gave BlackLock access to company systems, leading to big ransomware attacks.
BlackLock’s big mistake, along with DragonForce’s attack, badly hurt the group. It is unclear if BlackLock will return with a new name. However, the breach has weakened their operations. It has given law enforcement and security experts an advantage against the criminals.
