Operator dossier

blacklock is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 64 public victims claimed by this operator between May 16, 2025 and July 2, 2025. Based on the limited publicly available information, Blacklock is an emerging ransomware group first observed in May 2025, operating with apparent financial motivations targeting organizations across multiple countries and sectors. The group's origin and potential affiliations remain unclear from documented sources, and there is insufficient public reporting to determine whether they operate as a Ransomware-as-a-Service model or as an independent entity. With 64 documented victims since their emergence, Blacklock has demonstrated a broad targeting approach across the United States, Canada, Spain, India, and the United Kingdom, with particular focus on technology, construction, manufacturing, and consumer services sectors, though their attack methodology, initial access vectors, and encryption tactics have not been extensively documented by major security research organizations. Due to the group's recent emergence and limited public reporting from established threat intelligence sources, notable campaigns and specific technical details of their operations remain largely undocumented in publicly available security research. As of current reporting, the group appears to remain active given their recent emergence date, though comprehensive analysis of their operational status requires additional documentation from established cybersecurity authorities.

Most-targeted sectors

Not Found20 victims
Technology8 victims
Construction6 victims
Manufacturing5 victims
Consumer Services5 victims
Business Services4 victims

Most-affected countries

US24 victims
CA3 victims
ES3 victims
IN2 victims
GB

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

← All groups

blacklock

64 victims indexed · first seen 1 year ago · last activity 11 months ago

Victims indexed

#93 of 348 tracked operators

Active period

May 2025 → Jul 2025

Countries hit

top US · 24

At a glance

Status: inactive
First seen: 1 year ago
Last activity: 11 months ago
Primary sector: Not Found · 20 hits

About

Based on the limited publicly available information, Blacklock is an emerging ransomware group first observed in May 2025, operating with apparent financial motivations targeting organizations across multiple countries and sectors. The group's origin and potential affiliations remain unclear from documented sources, and there is insufficient public reporting to determine whether they operate as a Ransomware-as-a-Service model or as an independent entity. With 64 documented victims since their emergence, Blacklock has demonstrated a broad targeting approach across the United States, Canada, Spain, India, and the United Kingdom, with particular focus on technology, construction, manufacturing, and consumer services sectors, though their attack methodology, initial access vectors, and encryption tactics have not been extensively documented by major security research organizations. Due to the group's recent emergence and limited public reporting from established threat intelligence sources, notable campaigns and specific technical details of their operations remain largely undocumented in publicly available security research. As of current reporting, the group appears to remain active given their recent emergence date, though comprehensive analysis of their operational status requires additional documentation from established cybersecurity authorities.

Timeline

3 months

2025-05-01T00:00:00+00:002025-07-01T00:00:00+00:00

Top countries

🇺🇸 US

🇨🇦 CA

🇪🇸 ES

🇮🇳 IN

🇬🇧 GB

🇦🇷 AR

🇧🇷 BR

🇦🇼 AW

US dossier →CA dossier →ES dossier →IN dossier →

Top sectors

Not Found

Technology

Construction

Manufacturing

Consumer Services

Business Services

Transportation/Logistics

Financial Services

Not Found dossier →Technology dossier →Construction dossier →Manufacturing dossier →

MITRE ATT&CK

4 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

T1566Phishing
T1190Exploit Public-Facing Application
T1059Command and Scripting Interpreter
T1486Data Encrypted for Impact

Recent victims

Loading…

Source

Updated 11 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.