A new ransomware-as-a-service (RaaS) operation called Eldorado has emerged. Since it appeared, Eldorado has claimed 16 victims, most of them in the United States, across sectors including real estate, education, healthcare, and manufacturing.
Characteristics of the Ransomware Eldorado
Researchers at the cybersecurity company Group-IB have been tracking Eldorado's activity. According to their report, the operators have been advertising the service on forums such as RAMP, recruiting skilled affiliates for the program.
Eldorado is written in Go and can encrypt both Windows and Linux systems through two distinct but operationally similar variants. Group-IB obtained an encryptor from the developer; it ships with a user manual stating that 32- and 64-bit builds are available for VMware ESXi hypervisors and for Windows.
The ransomware encrypts files with ChaCha20, generating a unique 32-byte key and 12-byte nonce for each file. Each key and nonce pair is then encrypted with RSA using the Optimal Asymmetric Encryption Padding (OAEP) scheme, so the per-file keys, and therefore the files, cannot be recovered without the operators' RSA private key.
Modus Operandi of the Ransomware
After encrypting a file, Eldorado appends the extension ".00000001" to it and drops ransom notes named "HOW_RETURN_YOUR_DATA.TXT" in the Documents and Desktop folders. It also encrypts network shares over the SMB protocol and deletes volume shadow copies on compromised Windows machines to hinder recovery.
The malware skips DLL, LNK, SYS, and EXE files so that the system remains bootable. By default, Eldorado deletes itself after running to hinder detection and analysis by incident response teams.
Flexibility and Customization
One of Eldorado's highlighted features is the degree to which affiliates can customize an attack. On Windows, they can specify which directories to encrypt, exclude particular local files, target network shares in specific subnets, and disable the malware's self-deletion. On Linux, customization is limited to choosing the directories to encrypt.
Defense Recommendations
Group-IB stresses that Eldorado is a new and independent operation, not a rebrand of a known ransomware group. Despite being relatively new, it has shown in a short time that it can inflict significant damage on victims' data, reputation, and business continuity.
To protect against Eldorado and other ransomware attacks, Group-IB recommends:
Implementing multi-factor authentication (MFA) and credential-based access solutions.
Using Endpoint Detection and Response (EDR) tools to quickly identify and respond to ransomware indicators.
Regularly backing up data to minimize damage and information loss.
Prioritizing and regularly applying security patches to fix vulnerabilities.
Training employees in identifying and reporting cybersecurity threats.
Conducting annual technical audits or security assessments and maintaining proper digital hygiene.
Refraining from paying ransoms, as this rarely guarantees data recovery and may incentivize further attacks.
Eldorado shows how quickly a new ransomware operation can become a serious threat, underscoring the need for organizations to keep their defenses robust and up to date against emerging threats.
Source: BleepingComputer