BlackLock Ransomware Targets Windows, Linux, and VMware ESXi
A new ransomware operation known as BlackLock (formerly El Dorado) has surfaced as a cross-platform threat capable of targeting Windows, Linux, and VMware ESXi systems simultaneously. Emerging in late 2024, BlackLock has quickly gained traction within the cybercrime ecosystem, operating under a Ransomware-as-a-Service (RaaS) model and recruiting affiliates via Russian-speaking forums like RAMP.
Technical Details & Impact
Developed in Go, BlackLock encrypts files with ChaCha20 and uses an ECDH key exchange so that each file is encrypted under its own key, making independent recovery virtually impossible.
It also propagates across the network through the go-smb2 library, spreading to SMB shares, and employs data-destruction techniques designed to evade traditional detection.
Victims find ransom notes titled HOW_RETURN_YOUR_DATA.TXT that threaten data leaks and operational disruption if payment is not made.
This cross-platform flexibility and obfuscation strategy significantly expand the attack surface, posing a critical risk to enterprise IT environments and virtualized infrastructures.
Recommended Mitigation
Organizations should take immediate action to reduce exposure:
• Update and patch all operating systems, VMware ESXi, and SMB-related services.
• Segment networks to limit lateral movement.
• Disable unused SMB shares, enforce strong passwords, and protect NTLM hashes.
• Maintain offline backups and validate recovery procedures regularly.
• Implement EDR/XDR monitoring capable of detecting in-memory execution and WMI abuse.
SOC teams should monitor for Go-based ransomware indicators and suspicious SMB activity. Staying proactive and informed is key to defending against evolving threats like BlackLock.
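As an added example of the SMB monitoring recommended above (this is not code from the advisory or from any BlackLock analysis), the following Python script runs three simple detections over file-access log lines: a drop of the HOW_RETURN_YOUR_DATA.TXT ransom note, one source host writing to several SMB servers within a short window (the fan-out a go-smb2 propagation routine would produce), and a burst of writes against one share (mass encryption). The log format, host and share names, and the low alert thresholds are all assumptions constructed for the demonstration; real telemetry would come from the file server or EDR, and thresholds should be tuned against your own baseline.

```python
"""Added example: flag ransom-note drops, SMB fan-out and write bursts in file-access logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Ransom note file name reported for BlackLock in the advisory above.
RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"
# Actions that modify data on the share; reads are ignored by the burst/fan-out rules.
MUTATING = {"WRITE", "CREATE", "RENAME"}

# Constructed sample log (not real telemetry). Assumed line format:
#   <ISO timestamp> <source_host> <action> \\<server>\<share>\<path>
SAMPLE_LOG = r"""
2025-01-10T02:00:01 WS-05 READ \\FS01\Public\handbook.pdf
2025-01-10T02:00:05 WS-05 WRITE \\FS01\Public\notes.txt
2025-01-10T02:01:00 WS-17 WRITE \\FS01\Finance\q4\budget.xlsx
2025-01-10T02:01:02 WS-17 WRITE \\FS01\Finance\q4\forecast.xlsx
2025-01-10T02:01:03 WS-17 WRITE \\FS01\Finance\q4\payroll.csv
2025-01-10T02:01:04 WS-17 WRITE \\FS01\Finance\q3\budget.xlsx
2025-01-10T02:01:05 WS-17 WRITE \\FS01\Finance\q3\forecast.xlsx
2025-01-10T02:01:06 WS-17 WRITE \\FS01\Finance\q3\payroll.csv
2025-01-10T02:01:07 WS-17 WRITE \\FS01\Finance\contracts\msa.docx
2025-01-10T02:01:08 WS-17 WRITE \\FS01\Finance\contracts\nda.docx
2025-01-10T02:01:09 WS-17 WRITE \\FS01\Finance\HOW_RETURN_YOUR_DATA.TXT
2025-01-10T02:01:30 WS-17 WRITE \\FS02\HR\HOW_RETURN_YOUR_DATA.TXT
2025-01-10T02:01:45 WS-17 WRITE \\FS03\Engineering\HOW_RETURN_YOUR_DATA.TXT
2025-01-10T02:02:10 WS-17 WRITE \\ESX-BACKUP\vmstore\HOW_RETURN_YOUR_DATA.TXT
"""


def parse_line(line):
    """Return (timestamp, host, action, server, share, filename), or None if malformed."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4 or not parts[3].startswith("\\\\"):
        return None
    ts = datetime.fromisoformat(parts[0])
    comps = parts[3][2:].split("\\")          # drop leading \\ and split on \
    if len(comps) < 3:                         # need at least server, share, file
        return None
    return ts, parts[1], parts[2].upper(), comps[0], comps[1], comps[-1]


def analyze(log_text, window=timedelta(minutes=5), fanout_threshold=3, burst_threshold=8):
    """Run the three detections and return a list of alert dicts.

    Thresholds are deliberately low so the constructed sample trips them (assumption);
    production values must be derived from the environment's normal SMB activity.
    """
    events = [e for e in (parse_line(l) for l in log_text.strip().splitlines()) if e]
    alerts = []
    by_host = defaultdict(list)               # host -> [(ts, server, share), ...]

    for ts, host, action, server, share, filename in events:
        if action not in MUTATING:
            continue
        if filename.upper() == RANSOM_NOTE:   # rule 1: ransom note written to a share
            alerts.append({"rule": "ransom_note", "host": host,
                           "path": f"\\\\{server}\\{share}\\{filename}"})
        by_host[host].append((ts, server, share))

    for host, evs in by_host.items():
        evs.sort()
        fanout_reported = False
        burst_reported = set()
        for i, (start, _, _) in enumerate(evs):
            # All of this host's mutating events inside [start, start + window].
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            # Rule 2: one host touching many distinct servers in the window (propagation).
            servers = {srv for _, srv, _ in in_win}
            if not fanout_reported and len(servers) >= fanout_threshold:
                alerts.append({"rule": "smb_fanout", "host": host, "servers": sorted(servers)})
                fanout_reported = True
            # Rule 3: many writes to a single share in the window (mass encryption).
            per_share = defaultdict(int)
            for _, srv, shr in in_win:
                per_share[(srv, shr)] += 1
            for key, n in per_share.items():
                if n >= burst_threshold and key not in burst_reported:
                    alerts.append({"rule": "write_burst", "host": host,
                                   "share": f"\\\\{key[0]}\\{key[1]}", "count": n})
                    burst_reported.add(key)
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, WS-05's ordinary activity produces nothing, while WS-17 triggers all three rules: four ransom-note drops, a fan-out across four servers (including the backup datastore), and a nine-write burst against the Finance share. The ransom-note rule is the highest-confidence signal but fires only after encryption has started; the fan-out and burst rules are the ones worth tuning so they fire earlier, and they pair naturally with the network segmentation and share clean-up listed in the mitigations.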