From El Dorado to BlackLock: Inside a Fast-Rising RaaS Threat

BlackLock is a Go-based, cross-platform ransomware family first observed publicly in June 2024 (initially named El Dorado) that targets Windows, Linux, and VMware ESXi environments and uses per-file XChaCha20 encryption with ECDH-protected metadata to prevent recovery without attacker cooperation. The group operates as a Ransomware-as-a-Service (RaaS) and targets diverse sectors across multiple countries; the malware leverages SMB access and shellcode-based VSS deletion, and linguistic signals link its developers to Russian-speaking forums.

Keypoints

  • BlackLock (formerly El Dorado) is a Go-written ransomware active since at least early 2024, publicly identified in June 2024 and rebranded around September 2024.
  • The ransomware is cross-platform (Windows, Linux, VMware ESXi) and can target local drives and SMB shared folders, increasing its potential impact across environments.
  • Encryption uses per-file randomly generated FileKey and nonce with XChaCha20 (ChaCha20.NewUnauthenticatedCipher) and appends encrypted metadata for recovery using an ECDH-derived shared key.
  • BlackLock supports numerous command-line options to control target paths, delays, threading, partial-file encryption, SMB credentials, and encryption ordering (e.g., -path, -perc, -threads, -n, -u, -p, -h, -sort).
  • After encryption the malware deletes Volume Shadow Copies and Recycle Bin data via shellcode that constructs and uses a COM object to execute WMI queries in memory, making artifacts and detection more difficult.
  • The group operates as RaaS, recruits affiliates on Russian-speaking forums (RAMP), and linguistic patterns indicate Russian-speaking developers; victims span government, education, transportation, manufacturing, and other sectors internationally.
  • AhnLab detections and an MD5 sample hash are provided, indicating vendor visibility and at least one known sample for analysis.

MITRE Techniques

  • [T1490] Inhibit System Recovery – BlackLock enumerates and deletes Volume Shadow Copies and Recycle Bin data using WMI queries executed via a COM object instantiated and invoked by shellcode loaded and run in memory (“shellcode execution (Volume Shadow Data deletion feature)”).
  • [T1486] Data Encrypted for Impact – BlackLock encrypts files using per-file XChaCha20 stream cipher (ChaCha20.NewUnauthenticatedCipher()) with randomly generated FileKey and Nonce and appends encrypted metadata so files remain inaccessible without attacker cooperation (“generating a random FileKey (32 bytes)” and “Random nonce generation (24 bytes)”).
  • [T1078] Valid Accounts (Credential Access / Lateral Movement) – BlackLock accepts plaintext passwords and NTLM hashes to access SMB shared folders (execution options -u, -p, -h) to spread and encrypt networked resources (“Username to be used when accessing the SMB share folder”, “Plain text password… NTLM hash…”).
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – The ransomware uses SMB scanning and access (via open-source go-smb2) to discover and encrypt SMB shared folders on remote hosts (“uses open-source projects like go-smb2 to scan and access SMB shared folders”).
  • [T1059] Command and Scripting Interpreter (Execution Options) – BlackLock supports numerous command-line arguments to control runtime behavior (e.g., -path, -delay, -time, -perc, -threads, -skip-net, -test, -hide) enabling scripted or manual customization of encryption operations (“supports various command-line arguments to enable or disable specific features”).
  • [T1204] User Execution (Ransom Note / Impact) – The ransomware drops a ransom note (HOW_RETURN_YOUR_DATA.TXT) in every encrypted directory and displays threatening messages to coerce payment (“A ransom note titled HOW_RETURN_YOUR_DATA.TXT is dropped in every directory where encryption has occurred”).
  • [T1499] Endpoint Denial of Service (Partial/File Blocking) – BlackLock can encrypt only portions of files using a ‘-perc’ option to encrypt a percentage of 1 MiB blocks, potentially maximizing disruption while minimizing time to impact (“-perc Percentage of blocks (1 MiB each) to be encrypted”).
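The execution options and the ransom-note file name listed above give defenders two cheap telemetry hooks. The following is an added detection sketch, not code from AhnLab or from the report: it scores process command lines against the report's option list and flags creation of HOW_RETURN_YOUR_DATA.TXT, over constructed Sysmon-shaped events (EID 1 process creation, EID 11 file creation). The severity thresholds and the "rare flag" set are assumptions chosen to keep false positives from tools like ping or net use low.

```python
# Execution options the report lists for BlackLock (Keypoints / T1059 above).
BLACKLOCK_FLAGS = {"-path", "-delay", "-time", "-perc", "-threads", "-skip-net",
                   "-test", "-hide", "-n", "-u", "-p", "-h", "-sort"}
SMB_CRED_FLAGS = {"-u", "-p", "-h"}          # credentials for SMB share access
RARE_FLAGS = {"-perc", "-skip-net", "-sort", "-hide"}  # seldom seen in benign tools (assumption)
RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"

def matched_flags(cmdline):
    """Report-listed flags present in a command line (case-insensitive, -flag=value ok)."""
    tokens = {t.split("=", 1)[0].lower() for t in cmdline.split()}
    return tokens & BLACKLOCK_FLAGS

def classify_cmdline(cmdline):
    """None, "suspicious" or "high". -n/-u/-p/-h alone are common (ping, net use), so
    a verdict needs a rare flag or three listed flags; SMB credential flags raise severity."""
    flags = matched_flags(cmdline)
    if not flags & RARE_FLAGS and len(flags) < 3:
        return None
    return "high" if flags & SMB_CRED_FLAGS else "suspicious"

def detect(events):
    """Scan Sysmon-style event dicts (EID 1 = process create, EID 11 = file create)."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1:
            verdict = classify_cmdline(ev.get("CommandLine", ""))
            if verdict:
                alerts.append(f"{verdict}: T1059/T1486 BlackLock-style options, "
                              f"pid {ev['ProcessId']}: {ev['CommandLine']}")
        elif ev.get("EventID") == 11:
            name = ev.get("TargetFilename", "").replace("\\", "/").rsplit("/", 1)[-1]
            if name.upper() == RANSOM_NOTE:
                alerts.append(f"high: T1486 ransom note written, pid {ev['ProcessId']}: "
                              f"{ev['TargetFilename']}")
    return alerts

# Constructed sample telemetry (not real events) in the shape of Sysmon EID 1 / 11.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "CommandLine": "ping -n 4 10.0.0.5"},
    {"EventID": 1, "ProcessId": 5312,
     "CommandLine": "svc.exe -path D:\\share -perc 30 -threads 8 -skip-net"},
    {"EventID": 1, "ProcessId": 5390,
     "CommandLine": "svc.exe -path \\\\fs01\\data -u svc_backup -p <redacted> -sort"},
    {"EventID": 11, "ProcessId": 5312,
     "TargetFilename": "D:\\share\\finance\\HOW_RETURN_YOUR_DATA.TXT"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Command-line matching is a heuristic, since the binary name and flag spellings can change between builds; the ransom-note file-creation rule is the more stable of the two.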

Indicators of Compromise

  • [File Hash] Sample malware binary – MD5: f392807da3ee1f3e9702ce5fa91d418d
  • [File Names] Ransom note and artifacts – HOW_RETURN_YOUR_DATA.TXT (ransom note), encrypted files renamed with random extensions
  • [Tools/Components] Open-source library usage – go-smb2 (SMB scanning/access), Go runtime (cross-platform binaries)
  • [Detection Signatures] Vendor detections – AhnLab V3 detections (e.g., Ransom/MDP.Decoy.M1171, Ransom/MDP.Event.M1946) and EDR detection Behavior/DETECT.Event.M2662

Read more: https://asec.ahnlab.com/en/90175/