A new, unusually dangerous and sophisticated gang of cybercriminals, named BlackLock, has emerged as a major ransomware threat in 2025.
Cybersecurity company ReliaQuest observed a staggering 1,425 percent increase in the gang’s activities in the last quarter of 2024. Its ransomware is built to target Windows, VMware ESXi, and Linux environments and is designed as a double-extortion attack, which involves not only locking the target organization’s critical data by encrypting it, but also identifying sensitive information and threatening to expose it.
“BlackLock’s rise has been both swift and strategic, targeting organizations across a wide range of sectors and geographies,” reports ReliaQuest.
The threat posed by BlackLock is also magnified by the fact that the gang offers its ransomware as a service (RaaS) to other threat actors. Unlike its competitors, “Bl00dy,” “Dragonforce,” and “RA World,” BlackLock does not rely on off-the-shelf malware. Instead, it has gone to great lengths to develop its own in-house malware.
This makes it a nightmare for cybersecurity researchers, as it prevents them from assessing the scope of the damage caused by an attack. By keeping companies in the dark in this way, BlackLock is able to ramp up the pressure on victim organizations to pay up quickly, often before they have had sufficient time to evaluate the situation fully.
“When automated or frequent download attempts were detected, BlackLock’s site would respond with empty files containing only contact information—a technique we’d never seen before. This perplexing tactic was likely designed to frustrate investigators, forcing them to manually download files one by one—a time-consuming and labor-intensive process,” says ReliaQuest.
BlackLock’s criminal recruitment drive
Just like any legitimate organization with an ambition to grow its market share quickly, BlackLock is currently engaged in a recruitment drive to attract sought-after workers with specific skills. In the case of criminal ransomware gangs, these key players are known as “traffers”. It is their job to drive malicious traffic and steer victims to harmful content. BlackLock’s current recruitment posts for “traffers” explicitly outline the job’s requirements. This is evidence of the ransomware gang’s urgent need to bring on candidates quickly in order to expand its nefarious activities rapidly in 2025.
ReliaQuest also warns that it has found evidence suggesting that BlackLock may be planning to exploit Microsoft Entra Connect synchronization mechanics as part of its evolving attack strategy for 2025.