Do Son 
The BlackLock group is rapidly emerging as a dominant force among ransomware operators employing the RaaS (Ransomware-as-a-Service) model. According to research by DarkAtlas, BlackLock is not only expanding the scale of its operations but also exhibiting an unprecedented adaptability in its tactics—qualities that render it especially perilous across diverse industries.
Back in 2024, BlackLock—also known by the alias Eldorado—began targeting organizations with increasing aggression, deploying advanced encryption techniques and exploiting vulnerabilities in critical systems. By 2025, the group had earned recognition as one of the most active threat actors, with 48 confirmed attacks on major corporations and government institutions within just the first two months of the year.
The construction and technology sectors have borne the brunt of these incursions, suggesting a strategic pivot in BlackLock’s targeting priorities. DarkAtlas analysts emphasize that the group is increasingly focusing on complex infrastructures with high-value assets, aiming to inflict maximum damage with minimal resource expenditure.
A hallmark of BlackLock’s operations is its use of ransomware that renames files into random strings and appends arbitrary extensions. Victims are left with a ransom note titled HOW_RETURN_YOUR_DATA.TXT, containing payment instructions. This method, along with the public exposure of victim data on their dedicated leak site, has become a signature tactic.
The group actively recruits traffers—specialists in delivering malicious traffic and breaching initial access points. In contrast, the onboarding of high-level developers is conducted with greater discretion, suggesting tight internal segmentation and operational control.
BlackLock’s technical foundation also merits close scrutiny. Building on the capabilities of Eldorado, the group employs the Go programming language to craft cross-platform malware, leveraging the ChaCha20 and RSA-OAEP algorithms for encryption. This combination ensures fast and resilient performance on both Windows and Linux servers. The malware autonomously adapts to network environments, requiring domain administrator credentials or NTLM hashes to generate a customized encryptor tailored to each target.
Some attacks hint at the convergence of cybercriminal and hacktivist agendas. Amid escalating geopolitical tensions, such threats increasingly serve as instruments of influence aimed at the infrastructure of strategically critical sectors.
IT providers are also at heightened risk, as they offer potential vectors for further infiltration into supply chains. DarkAtlas reports that approximately 25% of BlackLock’s attacks have targeted government agencies, where not only encryptors but destructive wipers have been deployed.
Particular attention has been paid to the group’s communication channel—a Telegram account named Mamona R.I.P., believed to be a central hub for coordinating operations and liaising with affiliates.
The threat posed by BlackLock transcends conventional ransomware campaigns. Even if the group eventually rebrands or dissolves, its infrastructure and methodologies are likely to serve as a blueprint for the next generation of cyber threats. In an era where RaaS platforms democratize access to malicious tools, every organization must reassess its security posture and embrace proactive defense strategies.
