A new ransomware-as-a-service (RaaS) operation, Eldorado, is targeting Windows and Linux systems with sophisticated encryption methods. It has already affected multiple industries across the U.S., Italy, and Croatia since its appearance in March 2024.
Eldorado, a new ransomware-as-a-service (RaaS) operation, has emerged with locker variants for encrypting files on Windows and Linux systems. The malware, first appearing on RAMP in March 2024, uses Golang for cross-platform capabilities and employs Chacha20 for file encryption and RSA-OAEP for key encryption. It can encrypt files on shared networks using the Server Message Block (SMB) protocol.
Eldorado is the latest in a list of new double-extortion ransomware players, including Arcus Media, AzzaSec, Dan0n, Limpopo, LukaLocker, Shinra, and Space Bears. The malware is known to be spread by brute-forcing Microsoft SQL servers and by phishing emails targeting Windows systems.
In March 2024, Avast released a decryptor for DoNex and related strains by exploiting a cryptographic flaw, aiding victims in collaboration with law enforcement. Data shared by Malwarebytes and NCC Group shows that 470 ransomware attacks were recorded in May 2024, with the majority of attacks claimed by LockBit, Play, Medusa, Akira, 8Base, Qilin, and RansomHub.
Eldorado's encryptor is available in four formats: esxi, esxi_64, win, and win_64, ensuring a wide range of system compatibility. As of June 2024, its data leak site has already listed 16 victims, the majority of whom are located in the United States. Additional victims have been reported in Italy and Croatia. These victims come from a diverse array of industry sectors, including real estate, education, healthcare, professional services, and manufacturing, showcasing the ransomware's broad targeting strategy. Further analysis of the Windows version of the malware has revealed the use of PowerShell commands designed to overwrite the locker with random bytes before deleting the file, effectively attempting to clean up and remove any traces of the ransomware from the infected systems.
“The ransomware builder asked for the domain administrator’s password or NTLM (Windows New Technology LAN Manager) hash and other parameters to generate ransomware samples,” said Nikolay Kichatov and Sharmine Low on the Group-IB blog.
Group-IB reports that Eldorado has two versions of the malware, one for Windows and one for Linux. To ensure cross-platform functionality, “The Eldorado ransomware uses Golang for cross-platform capabilities, employing Chacha20 for file encryption and Rivest Shamir Adleman-Optimal Asymmetric Encryption Padding (RSA-OAEP) for key encryption.”
"It can encrypt files on shared networks using Server Message Block (SMB) protocol," they said.
Tejaswini Sandapolla and Shilpesh Trivedi, Uptycs researchers, stated that the perpetrators are using custom Python scripts to deliver payloads and retrieve information from their targets. They added that the malware encrypts user data and then appends an extension to every encrypted file.
Group-IB also stated how ransomware groups continue to persist, despite the efforts of law enforcement and heightened security measures. "The ongoing development of new ransomware strains and the emergence of sophisticated affiliate programs demonstrate that the threat is far from being contained," Group-IB said. "Organizations must remain vigilant and proactive in their cybersecurity efforts to mitigate the risks posed by these ever-evolving threats."
Ransomware-as-a-service (RaaS) is a business model employed by cybercriminals where ransomware creators sell or lease their malware to affiliates. These affiliates then carry out attacks, encrypting victims' data and demanding a ransom for its release. The RaaS model lowers the barrier to entry for cybercrime, as affiliates do not need advanced technical skills to deploy the ransomware. In return, the ransomware creators receive a percentage of the ransom payments. This model has led to the proliferation of ransomware attacks, making them more frequent and sophisticated.
The emergence of the Eldorado ransomware-as-a-service (RaaS) operation demonstrates how cyber threats are becoming more sophisticated and accessible. Eldorado's ability to target both Windows and Linux systems and its broad victim profile across various sectors indicate that no organization is immune. The fact that Eldorado uses sophisticated encryption methods and cross-platform capabilities shows the advanced tactics cybercriminals are employing, requiring equally advanced defensive measures from the victims and potential victims.
Organizations should implement comprehensive cybersecurity strategies, including regular data backups, employee training on cybersecurity best practices, up-to-date antivirus software, and incident response plans. Additionally, they should monitor for unusual network activity and maintain a proactive stance against emerging threats.
Victims of Eldorado ransomware will notice that their files have been encrypted and may have their file extensions changed. They will also typically receive a ransom note demanding payment for the decryption key. Additionally, the use of PowerShell commands to overwrite and delete locker traces may leave some evidence in system logs.
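The overwrite-then-delete clean-up described above (and earlier in the article) is visible to defenders when PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) is enabled. The following is an added example, not code from the article or from Group-IB, of a detection rule that flags a script block which generates random bytes, writes them to a target, and then deletes that same target; the event records, field names, and the script fragments in them are constructed for illustration and are not actual Eldorado commands.

```python
import re

# Constructed Event ID 4104 records (hypothetical field layout, not a real EVTX parse).
SAMPLE_EVENTS = [
    {"id": 4104, "host": "WS01",
     "script": "Get-ChildItem C:\\Reports | Sort-Object Length"},
    {"id": 4104, "host": "WS01",
     "script": "$b = New-Object byte[] 4096; (New-Object System.Random).NextBytes($b); "
               "[IO.File]::WriteAllBytes($lockerPath, $b); Remove-Item $lockerPath -Force"},
    # Benign: a write followed by a delete of the same file, but no random-byte generation.
    {"id": 4104, "host": "SRV02",
     "script": "Set-Content C:\\Temp\\a.txt 'x'; Remove-Item C:\\Temp\\a.txt"},
    {"id": 4104, "host": "SRV02", "script": "Remove-Item C:\\Temp\\old.log -Force"},
]

# Indicator patterns: random-byte generation, file write, and file deletion.
RANDOM_RX = re.compile(r"NextBytes|Get-Random|RandomNumberGenerator|RNGCryptoServiceProvider", re.I)
WRITE_RX = re.compile(r"WriteAllBytes|Set-Content|Out-File|Add-Content", re.I)
DELETE_RX = re.compile(r"Remove-Item|\bdel\b|\brm\b|\.Delete\(", re.I)
# A "target" is either a drive-letter path or a PowerShell variable such as $lockerPath.
TARGET_RX = re.compile(r"(\$\w+|[A-Za-z]:\\[^'\"\s;,)]+)")


def analyze_script_block(script):
    """Return the target that is written with random bytes and later deleted, else None."""
    statements = [s.strip() for s in script.split(";")]
    has_random = any(RANDOM_RX.search(s) for s in statements)
    written, deleted = {}, {}
    for idx, stmt in enumerate(statements):
        for target in TARGET_RX.findall(stmt):
            key = target.lower()
            if WRITE_RX.search(stmt):
                written.setdefault(key, idx)   # remember the first write
            if DELETE_RX.search(stmt):
                deleted[key] = idx             # remember the last delete
    for target, write_idx in written.items():
        if has_random and target in deleted and deleted[target] > write_idx:
            return target
    return None


def scan_events(events):
    """Return (host, target) pairs for 4104 events matching the self-wipe pattern."""
    alerts = []
    for event in events:
        if event["id"] != 4104:
            continue
        target = analyze_script_block(event["script"])
        if target:
            alerts.append((event["host"], target))
    return alerts
```

The ordering check (delete after write) and the random-byte requirement keep ordinary "write a file, then remove it" housekeeping from firing, so the rule stays narrow enough to be useful as a hunting query.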
Forums like RAMP facilitate the proliferation of RaaS operations by providing a platform for ransomware creators and affiliates to connect. These forums offer advertisements, support, and collaboration opportunities, making it easier for cybercriminals to launch and sustain ransomware campaigns.