DigitalXRAID

Fastest Rising Ransomware Threat

DigitalXRAID’s Security Analysts have seen a rising trend in a specific ransomware operator, BlackLock. They are advising all businesses to take action as soon as possible to avoid falling victim to these escalating attacks.  

Ransomware continues to be a growing problem for businesses globally. Despite the takedown of LockBit in 2024, which saw international law enforcement agencies such as the FBI and NCA working together to tackle the prolific criminal operators, ransomware has continued to grow.

There is good news, albeit relative. The growth of these cybercriminal gangs has slowed on the whole. In January and February, ransomware attack incidents only grew by 15% and 3% respectively, according to industry reports. But the growth is still a very real threat.  

One particular ransomware group has been identified as being more problematic than the others in terms of growth in the last 6 months. BlackLock was spotted as having grown by a significant 1,425% to February 2025. This only ranks them as the seventh most prolific group in the cybercriminal ecosystem. However, ignoring the speed of growth of this particular bad actor would be unwise.

Key Takeaways

  • BlackLock ransomware attacks have surged by 1,425%, making it the fastest growing ransomware threat in early 2025.
  • BlackLock targets Windows, Linux, VMware, and ESXi environments, and is active across multiple industries and geographies.
  • Unique tactics include download-blocking on leak sites, delaying investigations and increasing pressure on victims to pay ransoms.
  • A large cybercriminal network drives early-stage infection using social engineering and malicious traffic to gain initial access.
  • Immediate mitigation advice includes enabling MFA, disabling unnecessary RDP access, and hardening ESXi environments by locking down services and enforcing strict access control.


The BlackLock Ransomware Threat 

BlackLock appears to be designed to target Windows, VMware, ESXi and Linux environments. It also operates across multiple sectors and geographies. If the current trajectory continues, it’s predicted that BlackLock could quickly become the most active ransomware gang in operation – even within the next 6-9 months.

There are some characteristics that set BlackLock apart from other ransomware operators and indicate how this gang is acting so successfully to date. The first is that BlackLock protects the data-leak site from victims looking to understand the exfiltrated data, and the scope of the breach. Researchers have discovered that any download attempts are met with no response or simply empty files. This is a technique that security analysts haven’t seen used before.  

This technique appears to be designed to frustrate incident investigators, forcing individual file downloads and delaying research results. This is likely because the gang wants to force ransomware payments from targeted companies, which have little chance of understanding the incident quickly.

BlackLock also appears to have a large active network of cybercriminals, all being deployed to assist in the early stages of the ransomware attack. This network is engaged to drive malicious traffic and steer victims to harmful content via social engineering tactics, in order to gain the initial access needed to begin the full attack.  


How to Mitigate Against BlackLock Ransomware Attacks 

DigitalXRAID’s Security Analysts have offered mitigating advice to prevent falling victim to this highly active gang. You should immediately enable Multi-Factor Authentication (MFA) on all systems. You should also disable Remote Desktop Protocol (RDP) on any systems that do not need it, which is general security best practice in the fight against ransomware attacks.

For ESXi environments, it’s urgently recommended that you:  

  • Disable Unnecessary Services: Turn off any unused services such as vMotion, Simple Network Management Protocol (SNMP), and redundant HTTPS interfaces to minimise attack surfaces 
  • Enable Strict Lockdown Mode: Enabling this in your environment makes it much more complicated for BlackLock to exploit your hosts. The advice is to configure ESXi hosts to allow management only through your vCenter
  • Restrict Network Access: Implement identity-based firewall rules or strict access control lists to block BlackLock from accessing ESXi hosts and moving laterally across the network
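
An added example, not DigitalXRAID's own code: a small Python audit that checks host records against the three ESXi recommendations above. The record layout, the `UNNEEDED_SERVICES` set and the `MGMT_NET` range are assumptions made for illustration, and both sample records are constructed.

```python
import ipaddress

# Assumptions for this sketch: services this site does not need, and the only
# network (where vCenter lives) allowed to reach ESXi management interfaces.
UNNEEDED_SERVICES = {"snmpd"}
MGMT_NET = ipaddress.ip_network("10.20.0.0/28")

def audit_host(host):
    """Return (check, detail) findings for one host record (constructed schema)."""
    findings = []
    # 1. Unnecessary services: flag if running now or set to start again.
    for svc in host["services"]:
        if svc["key"] in UNNEEDED_SERVICES and (svc["running"] or svc["policy"] != "off"):
            findings.append(("service", svc["key"]))
    if not host["needs_vmotion"]:
        findings += [("vmotion", n["name"]) for n in host["vmkernel"] if n["vmotion"]]
    # 2. Lockdown: the advice is strict mode, so any other value is a finding.
    if host["lockdown_mode"] != "lockdownStrict":
        findings.append(("lockdown", host["lockdown_mode"]))
    # 3. Network access: every enabled ruleset must be scoped to MGMT_NET.
    for rs in host["firewall"]:
        if not rs["enabled"]:
            continue
        if rs["allowed_all"]:
            findings.append(("firewall", f"{rs['name']}: any source"))
            continue
        for src in rs["allowed_ips"]:
            net = ipaddress.ip_network(src, strict=False)
            if net.version != MGMT_NET.version or not net.subnet_of(MGMT_NET):
                findings.append(("firewall", f"{rs['name']}: {src}"))
    return findings

# Constructed sample records, not output from a real host.
WEAK = {
    "services": [{"key": "snmpd", "running": True, "policy": "on"}],
    "needs_vmotion": False, "vmkernel": [{"name": "vmk1", "vmotion": True}],
    "lockdown_mode": "lockdownDisabled",
    "firewall": [
        {"name": "sshServer", "enabled": True, "allowed_all": True, "allowed_ips": []},
        {"name": "webAccess", "enabled": True, "allowed_all": False,
         "allowed_ips": ["10.20.0.5", "192.168.50.0/24"]}]}
HARDENED = {
    "services": [{"key": "snmpd", "running": False, "policy": "off"}],
    "needs_vmotion": False, "vmkernel": [{"name": "vmk1", "vmotion": False}],
    "lockdown_mode": "lockdownStrict",
    "firewall": [
        {"name": "sshServer", "enabled": False, "allowed_all": True, "allowed_ips": []},
        {"name": "webAccess", "enabled": True, "allowed_all": False,
         "allowed_ips": ["10.20.0.5"]}]}

if __name__ == "__main__":
    for label, record in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_host(record))
```
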


While ransomware continues to proliferate, there are fundamental steps that you can take to ensure that you’re protecting your business from these attacks. Alongside technical measures, utilising a zero trust framework and specific environment advice, shared above, it’s always imperative that you train your workforce to spot ransomware attack vectors. Your employees are the first line of defence for your business so ensure that they are forewarned and forearmed in the fight against rising ransomware attacks.  

If the worst happens and you find yourself a victim of a ransomware attack, DigitalXRAID is on hand to help. Call the 24/7 emergency line to speak to one of our security analysts at any time of the night or day. Bookmark the emergency line so you can always get back to it quickly.  

DigitalXRAID are driven to make sure the bad guys don’t win. Get in contact if you would like any advice on your cybersecurity posture and defence methods.  
