A new ransomware operation has shown explosive growth, with experts warning it could become the most dominant ransomware threat of 2025.
The BlackLock ransomware group, first observed in March 2024, has recorded a 1,425% increase in activity between October and December 2024, becoming the seventh most prolific ransomware operation globally.
ReliaQuest researchers revealed BlackLock uses custom-built malware targeting Windows, VMware ESXi, and Linux systems, setting it apart from competitors who rely on leaked ransomware code. The group's sophisticated data leak site includes features designed to prevent victims from assessing the scope of breaches.
BlackLock's rapid rise and technical sophistication indicate a new level of ransomware threat. Unlike other groups, BlackLock maintains control over early-stage attack operations, potentially making their attacks more effective and harder to defend against.
The group's emergence represents a shift in ransomware operations, with BlackLock showing nine times more activity on the RAMP cybercrime forum than its closest competitor. Their aggressive recruitment of technical specialists and "traffers" suggests a more organized and professional operation.
Researchers warn BlackLock may be planning to exploit Microsoft Entra Connect vulnerabilities in upcoming campaigns. Organizations are advised to strengthen their security measures, particularly around attribute synchronization rules and access policies.
The group develops custom malware rather than using leaked code, making it harder for security researchers to analyze and defend against its attacks.
The group uses double extortion tactics, encrypting data while also stealing sensitive information, and prevents victims from assessing the scope of breaches through its specialized leak site.
To reduce exposure, organizations should enable multi-factor authentication, disable unnecessary Remote Desktop Protocol access, and implement strict lockdown modes.
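As an added illustration of two of the recommendations above (it is example code written for this page, not ReliaQuest's tooling or anything BlackLock-specific), the following read-only PowerShell audit reports whether the local Windows host exposes RDP and, when run on the Entra Connect server where the ADSync module is installed, lists synchronization rules that are not Microsoft's standard rules so each can be matched to a documented change. It assumes an elevated session on a Windows host; MFA enforcement and hypervisor lockdown mode are outside its scope.

```powershell
# Added example, not from the article: read-only audit of RDP exposure on this
# host and of non-standard Microsoft Entra Connect synchronization rules.
# Run in an elevated PowerShell session; nothing is changed.

function Get-RdpExposure {
    # fDenyTSConnections = 1 means Remote Desktop is disabled.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
    # UserAuthentication = 1 means Network Level Authentication is required.
    $nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
        -Name UserAuthentication -ErrorAction SilentlyContinue
    # Enabled inbound rules in the built-in "Remote Desktop" firewall group.
    $fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound `
        -Enabled True -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        RdpEnabled        = ($null -ne $ts -and $ts.fDenyTSConnections -eq 0)
        NlaRequired       = ($null -ne $nla -and $nla.UserAuthentication -eq 1)
        OpenFirewallRules = @($fwRules).Count
    }
}

function Get-NonStandardSyncRules {
    # Entra Connect (formerly Azure AD Connect) installs the ADSync module on the sync server.
    if (-not (Get-Module -ListAvailable -Name ADSync)) {
        Write-Warning 'ADSync module not found; skipping Entra Connect sync rule audit.'
        return
    }
    Import-Module ADSync
    # Custom (non-standard) rules are where unexpected attribute flows would live;
    # every one listed here should correspond to an approved, documented change.
    Get-ADSyncRule |
        Where-Object { -not $_.IsStandardRule } |
        Select-Object Name, Direction, Precedence, Disabled, Identifier
}

$rdp = Get-RdpExposure
$rdp | Format-List
if ($rdp.RdpEnabled -and -not $rdp.NlaRequired) {
    Write-Warning 'RDP is enabled without Network Level Authentication; disable RDP if unused or require NLA.'
}
if ($rdp.RdpEnabled -and $rdp.OpenFirewallRules -gt 0) {
    Write-Warning "RDP is reachable through $($rdp.OpenFirewallRules) enabled inbound firewall rule(s); restrict it to management networks."
}

$custom = @(Get-NonStandardSyncRules)
if ($custom.Count -gt 0) {
    Write-Host "Non-standard Entra Connect sync rules to review ($($custom.Count)):"
    $custom | Format-Table -AutoSize
}
```

The script only reads registry values, firewall rules and sync rule metadata, so it is safe to schedule as a periodic check; a newly appearing non-standard sync rule, or RDP re-enabled on a host where it was previously off, is the kind of drift worth alerting on.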