Skip to main content

Operator dossier

blacklock is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 64 public victims claimed by this operator between May 16, 2025 and July 2, 2025. Based on the limited publicly available information, Blacklock is an emerging ransomware group first observed in May 2025, operating with apparent financial motivations targeting organizations across multiple countries and sectors. The group's origin and potential affiliations remain unclear from documented sources, and there is insufficient public reporting to determine whether they operate as a Ransomware-as-a-Service model or as an independent entity. With 64 documented victims since their emergence, Blacklock has demonstrated a broad targeting approach across the United States, Canada, Spain, India, and the United Kingdom, with particular focus on technology, construction, manufacturing, and consumer services sectors, though their attack methodology, initial access vectors, and encryption tactics have not been extensively documented by major security research organizations. Due to the group's recent emergence and limited public reporting from established threat intelligence sources, notable campaigns and specific technical details of their operations remain largely undocumented in publicly available security research. As of current reporting, the group appears to remain active given their recent emergence date, though comprehensive analysis of their operational status requires additional documentation from established cybersecurity authorities.

Most-targeted sectors

Most-affected countries

Recent disclosures by blacklock

All 64 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for blacklock

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

blacklock

64 victims indexed · first seen 1 year ago · last activity 1 year ago

64
Victims indexed
#98 of 364 tracked operators
2m
Active period
May 2025 → Jul 2025
10
Countries hit
top US · 24

At a glance

Status
inactive
First seen
1 year ago
Last activity
1 year ago
Primary sector
Not Found · 20 hits

About

Based on the limited publicly available information, Blacklock is an emerging ransomware group first observed in May 2025, operating with apparent financial motivations targeting organizations across multiple countries and sectors. The group's origin and potential affiliations remain unclear from documented sources, and there is insufficient public reporting to determine whether they operate as a Ransomware-as-a-Service model or as an independent entity. With 64 documented victims since their emergence, Blacklock has demonstrated a broad targeting approach across the United States, Canada, Spain, India, and the United Kingdom, with particular focus on technology, construction, manufacturing, and consumer services sectors, though their attack methodology, initial access vectors, and encryption tactics have not been extensively documented by major security research organizations. Due to the group's recent emergence and limited public reporting from established threat intelligence sources, notable campaigns and specific technical details of their operations remain largely undocumented in publicly available security research. As of current reporting, the group appears to remain active given their recent emergence date, though comprehensive analysis of their operational status requires additional documentation from established cybersecurity authorities.

Timeline

3 months
2025-05-01T00:00:00+00:00 · 542025-06-01T00:00:00+00:00 · 92025-07-01T00:00:00+00:00 · 1
2025-05-01T00:00:00+00:002025-07-01T00:00:00+00:00

Top countries

🇺🇸 United States
24
🇨🇦 Canada
3
🇪🇸 Spain
3
🇮🇳 India
2
🇬🇧 United Kingdom
2
🇦🇷 Argentina
1
🇧🇷 Brazil
1
Aruba
1

Top sectors

Technology
8
Construction
6
Manufacturing
5
Consumer Services
5
Business Services
4
Transportation/Logistics
4
Financial Services
3
Energy
2

MITRE ATT&CK

4 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1059Command and Scripting Interpreter
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Source

Updated 1 year ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time blacklock posts a victim.

Add blacklock to your watchlist — Pro pings you within 5 minutes of any new blacklock leak-site post, Telegram callout, or affiliate-rebrand inference.