Ransomware Group: BLACKLOCK

VICTIM NAME: MCM Construction

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the BLACKLOCK Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The ransomware leak targeted MCM Construction, a prominent player in the construction industry based in California, United States. The company specializes in commercial and residential building projects, notably including bridge construction, and has established a reputation for completing over 1,000 critical structures across the western United States. At the time of the attack, MCM Construction employed fewer than 25 staff members and generated annual revenues of approximately $26.1 million. The breach was identified on May 30, 2025, and involved the unauthorized access and potential exfiltration of sensitive company data. The attack was claimed by a group identified as “blacklock,” and evidence indicates the presence of leaked files available for download through an onion link, although specific data types have not been detailed publicly.

The leak page includes a screenshot of compromised data, which suggests that internal documents or technical files may have been compromised. The publicly shared link directs interested parties to a controlled access point on the dark web for data download, hinting at possible data exfiltration related to employee or project information. The attack’s technical specifics, including exact data types or volume, remain undisclosed. Overall, this incident highlights the vulnerabilities in infrastructure-related companies, especially those managing critical public works, and underscores the threat posed by ransomware groups targeting essential service providers. Despite the breach, there is no evidence of personally identifiable information being explicitly exposed in the public leak page, maintaining a focus on the operational and business data potentially affected by the attack.