A new ransomware-as-a-service (RaaS) operation, named Eldorado, has emerged as a significant threat since its debut in March. This sophisticated malware has already impacted various sectors, including real estate, education, healthcare, and manufacturing, with a total of 16 victims reported, most of whom are located in the United States.
The ransomware targets both Windows and VMware ESXi virtual machines, making it a versatile and dangerous tool for cybercriminals.
Researchers from cybersecurity firm Group-IB have been closely monitoring Eldorado’s activities. They observed the ransomware operators actively promoting their malicious service on RAMP forums, seeking skilled affiliates to join their program.
Despite their efforts to spread the malware, Eldorado’s data leak site was down at the time of this writing, indicating potential disruptions in their operations.
Encrypting Windows and Linux
Eldorado is a Go-based ransomware capable of encrypting both Windows and Linux platforms through two distinct variants, which share extensive operational similarities.
Researchers obtained an encryptor from the developer, which came with a user manual detailing the availability of 32/64-bit variants for VMware ESXi hypervisors and Windows systems.
Unlike many other ransomware strains, Eldorado is a unique development that does not rely on previously published builder sources. It uses the ChaCha20 algorithm for encryption, generating a unique 32-byte key and a 12-byte nonce for each locked file.
These keys and nonces are then encrypted using RSA with the Optimal Asymmetric Encryption Padding (OAEP) scheme.
Once the encryption process is complete, affected files receive the “.00000001” extension. Ransom notes named “HOW_RETURN_YOUR_DATA.TXT” are placed in the Documents and Desktop folders, instructing victims on how to regain access to their data.
Eldorado also encrypts network shares using the SMB communication protocol to maximize its impact and deletes shadow volume copies on compromised Windows machines to prevent recovery.
Interestingly, the ransomware is programmed to skip DLLs, LNK, SYS, and EXE files, as well as files and directories essential for system boot and basic functionality. This strategy ensures that the system remains operational, making it easier for victims to follow the ransom instructions.
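The file-system artifacts described above (the appended extension, the ransom note name and the reported skip list) can be turned into a small host-triage script. This is an added example, not code from Group-IB's report or from the malware; it walks a directory tree, counts files carrying the .00000001 extension, records which folders hold HOW_RETURN_YOUR_DATA.TXT, and flags any renamed file whose original type is in the skip list, since that would contradict the reported behaviour. The sample tree it builds is constructed data.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".00000001"            # extension Eldorado appends, per the report
RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"
SKIPPED_EXTS = {".dll", ".lnk", ".sys", ".exe"}  # file types the report says are left alone


def triage(root):
    """Walk `root` and summarise Eldorado-style artifacts found under it."""
    encrypted = []
    note_dirs = []
    unexpected = []                     # skip-list types that were renamed anyway
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                note_dirs.append(str(path.parent))
            elif name.endswith(ENCRYPTED_EXT):
                encrypted.append(str(path))
                # drop the appended extension to recover the original suffix
                original_suffix = Path(name[: -len(ENCRYPTED_EXT)]).suffix.lower()
                if original_suffix in SKIPPED_EXTS:
                    unexpected.append(str(path))
    return {
        "encrypted_files": len(encrypted),
        "note_dirs": sorted(note_dirs),
        "unexpected": unexpected,
        # both renamed files and the note present: treat as a likely Eldorado hit
        "likely_eldorado": bool(encrypted) and bool(note_dirs),
    }


def build_sample_tree():
    """Create a throwaway directory that mimics an affected host (constructed sample data)."""
    root = Path(tempfile.mkdtemp())
    (root / "Documents").mkdir()
    (root / "Desktop").mkdir()
    (root / "Documents" / "budget.xlsx.00000001").write_bytes(b"\x00" * 16)
    (root / "Documents" / "report.docx.00000001").write_bytes(b"\x00" * 16)
    (root / "Documents" / RANSOM_NOTE).write_text("note placeholder")
    (root / "Desktop" / RANSOM_NOTE).write_text("note placeholder")
    (root / "Desktop" / "tool.exe").write_bytes(b"MZ")   # untouched, as the report describes
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```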
To evade detection and analysis by response teams, Eldorado is set by default to self-delete after completing its task.
Group-IB researchers infiltrated the operation and discovered that affiliates could customize their attacks. On Windows, they can specify directories to encrypt, exclude local files, target network shares on specific subnets, and prevent the self-deletion of the malware. On Linux, customization options are limited to setting the directories for encryption.
Defense Recommendations
Group-IB emphasizes that Eldorado represents a new, standalone threat that has not emerged as a rebrand of an existing group. Despite its recent appearance, Eldorado has quickly demonstrated its ability to cause significant damage to victims’ data, reputation, and business continuity.
The following defense strategies can help protect against Eldorado and similar ransomware attacks:
- Implement multi-factor authentication (MFA) and credential-based access solutions.
- Use Endpoint Detection and Response (EDR) tools to quickly identify and respond to ransomware indicators.
- Regularly back up data to minimize damage and data loss.
- Utilize AI-based analytics and advanced malware detonation for real-time intrusion detection and response.
- Prioritize and periodically apply security patches to fix vulnerabilities.
- Educate and train employees to recognize and report cybersecurity threats.
- Conduct annual technical audits or security assessments and maintain digital hygiene.
- Refrain from paying ransom, as it rarely ensures data recovery and can lead to further attacks.
By adhering to these recommendations, organizations can bolster their defenses against the growing threat of ransomware and reduce the risk of becoming victims of Eldorado and other similar malicious actors.