The Register: Security shop pwns ransomware gang, passes insider info to authorities

Source URL: https://www.theregister.com/2025/03/27/security_shop_pwns_ransomware_gang/
Source: The Register
Title: Security shop pwns ransomware gang, passes insider info to authorities

Feedly Summary: Researchers say ‘proactive’ approach is needed to combat global cybercrime
Here’s one you don’t see every day: A cybersecurity vendor is admitting to breaking into a notorious ransomware crew’s infrastructure and gathering data it relayed to national agencies to help victims.…

AI Summary and Description: Yes

Summary: The text discusses a cybersecurity vendor, Resecurity, admitting to breaking into the infrastructure of the BlackLock ransomware gang and exploiting vulnerabilities to gather critical data. This operation highlights the ongoing challenges and strategies in the fight against ransomware, particularly concerning operational security (OPSEC) failures within criminal organizations, and the collaboration between private cybersecurity entities and government agencies.

Detailed Description:

The discussion revolves around Resecurity’s proactive approach to combating ransomware threats, primarily focusing on the BlackLock ransomware gang. The following points are significant:

– **Incident Overview**: Resecurity infiltrated the BlackLock ransomware gang, identifying and exploiting a Local File Include (LFI) vulnerability in their TOR-based data leak site.
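The LFI class of bug named above is worth seeing from the defender's side. The following is an added example, not code from the article or from Resecurity or BlackLock, and the document root, the log lines and the request shapes are all constructed for illustration. It places a file-serving path resolver that concatenates user input (the pattern an LFI exploits) beside a hardened resolver that decodes, normalises and confines the path to the document root, and adds a small checker that flags traversal attempts in constructed access-log lines so a defender can spot probing before it succeeds.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Hypothetical document root for a static file handler (assumption, not from the article).
DOC_ROOT = "/srv/leaksite/static"


def resolve_vulnerable(user_path: str) -> str:
    """'Before' form: user input is joined straight onto the document root.

    Nothing stops '../' segments from walking out of DOC_ROOT, which is
    exactly the defect an LFI bug exploits. Kept only for comparison.
    """
    return posixpath.join(DOC_ROOT, user_path)


def resolve_hardened(user_path: str) -> Optional[str]:
    """Hardened form: decode, normalise, then prove the result stays under DOC_ROOT.

    Returns the absolute path to serve, or None when the request must be refused.
    """
    # Decode twice so double-encoded sequences (%252e -> %2e -> .) are seen as-is.
    decoded = unquote(unquote(user_path))
    # Null bytes can truncate paths in lower layers; never pass them on.
    if "\x00" in decoded:
        return None
    # Treat the request as relative to the root, then collapse '.' and '..'.
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/\\")))
    # The only acceptable result is one whose longest common prefix with
    # DOC_ROOT is DOC_ROOT itself (a string-prefix test would accept
    # '/srv/leaksite/static2/...', so compare path components instead).
    if posixpath.commonpath([DOC_ROOT, candidate]) != DOC_ROOT:
        return None
    return candidate


# Common-log-format line; only the fields the checker needs are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_traversal_attempts(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, raw_target, status) for requests carrying traversal or null bytes.

    The status code is kept so a 200 on a traversal request can be triaged
    ahead of 404s, which usually indicate unsuccessful probing.
    """
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        decoded = unquote(unquote(m.group("target")))
        if "../" in decoded or "..\\" in decoded or "\x00" in decoded:
            hits.append((m.group("ip"), m.group("target"), m.group("status")))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Mar/2025:10:01:02 +0000] "GET /css/style.css HTTP/1.1" 200 512',
    '203.0.113.9 - - [27/Mar/2025:10:01:05 +0000] "GET /view?file=../../etc/passwd HTTP/1.1" 200 1412',
    '198.51.100.7 - - [27/Mar/2025:10:02:11 +0000] "GET /static/%252e%252e/%252e%252e/app/config.php HTTP/1.1" 404 0',
    '203.0.113.5 - - [27/Mar/2025:10:03:00 +0000] "GET /releases/v1..2/notes.txt HTTP/1.1" 200 300',
]


if __name__ == "__main__":
    for req in ["css/style.css", "../../etc/passwd", "%2e%2e%2f%2e%2e%2fetc%2fpasswd"]:
        print(f"{req!r}: vulnerable -> {resolve_vulnerable(req)}, hardened -> {resolve_hardened(req)}")
    for ip, target, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target} (status {status})")
```

The hardened resolver rejects on the resolved path rather than on a denylist of input strings, so encoded, doubled or mixed-separator variants all fall out of the same component comparison; the log checker is intentionally the looser of the two, since at detection time a false positive costs an analyst a glance while a missed probe costs much more.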

– **Vulnerability Discovery**: The operation revealed that BlackLock had a misconfiguration that exposed clearnet IP addresses, allowing Resecurity to access server-side data, including critical configuration files and credentials.

– **Data Acquisition**: Key operational intelligence was gathered, including a history of commands and reused passwords by the operators, representing a significant vulnerability in BlackLock’s OPSEC.

– **Collaborative Efforts**: Resecurity successfully alerted various national cybersecurity agencies, including CERT-FR and the Canadian Centre for Cyber Security, about impending data leaks that involved victims in both France and Canada.

– **Gang Characteristics**:
  – The BlackLock gang’s operations heavily relied on a clearnet file-sharing platform called Mega, which they used for data exfiltration and backups.
  – Attribution efforts pointed to ties with Russian and Chinese cybercrime ecosystems based on linguistic analysis and operational patterns.

– **Connections Among Gangs**: Evidence suggests a connection between BlackLock, El Dorado, and Mamona ransomware groups, with significant overlap in victim lists and operational tactics.

– **DragonForce’s Involvement**: The text also explores the emergence of DragonForce, which allegedly defaced BlackLock’s infrastructure—a possible false flag operation indicating shifts within the ransomware community.

This report serves as a vital insight for security professionals regarding the evolving landscape of ransomware, showcasing the importance of threat intelligence, the need for robust security measures, and the benefits of collaboration between cybersecurity firms and governmental entities to mitigate risks associated with ransomware attacks.