BlackLock Ransomware Targets Windows, Linux, and VMware ESXi Systems
BlackLock, a rebranded ransomware group formerly known as El Dorado, has emerged as a formidable threat to organizations worldwide.
First identified in June 2024 when its Dedicated Leak Site (DLS) began exposing victim data, the gang is believed to have been active since March 2024.

The latest analysis by AhnLab Security Intelligence Center (ASEC) sheds light on BlackLock’s cross-platform capabilities, sophisticated encryption routines, and stealthy backup deletion tactics.
Organizations are advised to review their defenses and incident response plans to prepare for potential BlackLock incidents.
Cross-Platform Reach and Victim Profile
Written in Go, BlackLock ransomware can target Windows, Linux, and VMware ESXi systems with a single binary.
This cross-platform flexibility allows affiliates to compromise mixed environments simultaneously.
Most recorded incidents have involved U.S. enterprises and local government agencies, but attacks in South Korea, Japan, Europe, and other regions highlight the group’s global reach.
Industries impacted include public institutions, consulting firms, educational and research organizations, transportation networks, construction companies, manufacturing plants, and even leisure facilities such as golf resorts.
Analysis of code comments and forum activity on the Russian-speaking cybercrime platform RAMP suggests the core developers are Russian speakers, operating under a Ransomware-as-a-Service (RaaS) model to recruit skilled affiliates.
ASEC’s report details how BlackLock leverages Go’s standard libraries to simplify development and ensure stable operation.

Upon execution, the ransomware parses command-line arguments to customize its behavior. Without options, it encrypts the entire local drive.
Operators can adjust parameters such as target paths, encryption delay, partial file encryption percentage, thread count, and remote SMB share scanning.
Although an ‘-esxi’ flag is included for VMware environments, this feature remains unimplemented in analyzed samples.
Encryption is handled using the ChaCha20 stream cipher via Go’s crypto package. For each file, the ransomware generates a random 32-byte FileKey and 24-byte nonce, constructs an XChaCha20 cipher, and encrypts data with XORKeyStream.

To preserve the ability to decrypt files after ransom payment, BlackLock appends encrypted metadata including the FileKey and nonce to each file.
Metadata encryption employs an Elliptic Curve Diffie-Hellman (ECDH) key exchange and secretbox.Seal() to prevent victims from extracting the FileKey without paying.
Following encryption, BlackLock deploys a covert backup deletion routine. Instead of issuing direct WMI commands, it crafts a COM object to execute WMI queries from memory via embedded shellcode, targeting Volume Shadow Copy Service snapshots and the Recycle Bin.
Victims find their files renamed with random extensions and a ransom note titled HOW_RETURN_YOUR_DATA.TXT in every affected directory. The note warns of business disruption or public data leaks should the ransom remain unpaid.
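As an added defender-side example (not ASEC's code and nothing taken from the BlackLock binary), the Go helper below sweeps a directory tree for the two on-disk artifacts the article describes: the HOW_RETURN_YOUR_DATA.TXT note and renamed files whose contents are near-random, as XChaCha20 output would be. The extension allowlist and the 7.9-bit entropy cutoff are assumptions chosen for this example.

```go
package main

import (
	"fmt"
	"math"
	"os"
	"path/filepath"
)

// RansomNote is the note filename the article reports in every affected directory;
// knownExt is an assumed allowlist, anything outside it counts as a "random" extension.
const RansomNote = "HOW_RETURN_YOUR_DATA.TXT"

var knownExt = map[string]bool{".txt": true, ".docx": true, ".xlsx": true, ".pdf": true, ".jpg": true, ".zip": true, ".exe": true}

// Entropy returns Shannon entropy in bits per byte (0..8); stream-cipher output sits near 8.
func Entropy(data []byte) float64 {
	var counts [256]float64
	for _, b := range data {
		counts[b]++
	}
	h, n := 0.0, float64(len(data))
	for _, c := range counts {
		if c > 0 {
			h -= c / n * math.Log2(c/n)
		}
	}
	return h
}

// LooksEncrypted flags a renamed file: unknown extension plus a near-random header (7.9 is an assumed cutoff).
func LooksEncrypted(name string, head []byte) bool {
	ext := filepath.Ext(name)
	return ext != "" && !knownExt[ext] && len(head) >= 256 && Entropy(head) > 7.9
}

// Triage walks root and lists every ransom note and every file that LooksEncrypted.
func Triage(root string) (notes, encrypted []string, err error) {
	err = filepath.WalkDir(root, func(p string, d os.DirEntry, walkErr error) error {
		if walkErr == nil && d.Name() == RansomNote {
			notes = append(notes, p)
		} else if head, _ := os.ReadFile(p); LooksEncrypted(p, head) {
			encrypted = append(encrypted, p)
		}
		return nil // unreadable entries and directories are skipped, not fatal
	})
	return
}

func main() { fmt.Println(Triage(".")) }
```

Run it against a suspect share or a mounted image; a directory that yields both a note and several flagged files is a strong candidate for the affected-scope list in the incident record.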
ASEC’s findings underscore the importance of layered defenses, offline backups, and robust monitoring of remote code execution and unusual process activity.
Organizations running Windows, Linux, or VMware ESXi should prioritize patch management, network segmentation, and regular backup integrity testing to mitigate the evolving BlackLock threat.