In March, a new ransomware-as-a-service (RaaS) operation named Eldorado emerged, targeting both Windows and VMware ESXi virtual machines. Since its debut, Eldorado has claimed 16 victims across various sectors, including real estate, education, healthcare, and manufacturing, primarily in the U.S.
Researchers from Group-IB have been closely monitoring Eldorado’s activities. The operators of Eldorado have been promoting their malicious service on RAMP forums and actively seeking skilled affiliates to expand their reach. Additionally, Eldorado runs a data leak site listing its victims, though this site was not accessible at the time of the report.
Technical Details
Eldorado ransomware is written in Go and ships as separate Windows and Linux variants, so it can encrypt files on both platforms. The two variants share most of their operational behaviour.
The developers provided an encryptor to the researchers, complete with a user manual. This manual outlines the availability of 32-bit and 64-bit variants for VMware ESXi hypervisors and Windows operating systems. Group-IB notes that Eldorado is a unique development, not relying on any previously published builder sources.
Encryption Mechanism
Eldorado uses the ChaCha20 algorithm for encryption, generating a unique 32-byte key and 12-byte nonce for each locked file. These keys and nonces are then encrypted using RSA with Optimal Asymmetric Encryption Padding (OAEP). After encryption, files are given the “.00000001” extension, and ransom notes titled “HOW_RETURN_YOUR_DATA.TXT” are placed in the Documents and Desktop folders.
The ransomware extends its impact by encrypting network shares via the SMB protocol and deletes shadow volume copies on compromised Windows machines to prevent data recovery. To ensure the system remains operational, Eldorado skips over DLL, LNK, SYS, and EXE files, as well as essential system directories. Additionally, it is designed to self-delete by default to evade detection and analysis.
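As a defender-side illustration of the indicators described above, here is an added Python example (not Group-IB's code and not part of the original report) that scans constructed endpoint telemetry for the behaviours named in this section: a burst of renames to the ".00000001" extension, encrypted files on UNC share paths, creation of HOW_RETURN_YOUR_DATA.TXT, and shadow copy deletion. The JSON-lines event schema is made up for the example, and the shadow-copy command patterns are an assumption, since the report does not name the command Eldorado uses.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXT = ".00000001"                  # extension Eldorado appends to encrypted files
RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"  # note dropped in Documents and Desktop
RENAME_BURST, WINDOW = 5, timedelta(seconds=60)  # this many renames within WINDOW -> alert
# Assumption: the write-up does not name the shadow-copy deletion command;
# these are the built-in Windows commands such detections usually watch.
SHADOW_DELETE = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)

# Constructed sample telemetry in a made-up JSON-lines schema, not logs from a real incident.
SAMPLE_EVENTS = r"""
{"ts":"2024-03-12T10:00:01","host":"ws01","type":"process","cmd":"vssadmin.exe delete shadows /all /quiet"}
{"ts":"2024-03-12T10:00:05","host":"ws01","type":"rename","src":"C:\\Users\\a\\Documents\\q1.xlsx","dst":"C:\\Users\\a\\Documents\\q1.xlsx.00000001"}
{"ts":"2024-03-12T10:00:06","host":"ws01","type":"rename","src":"C:\\Users\\a\\Documents\\q2.docx","dst":"C:\\Users\\a\\Documents\\q2.docx.00000001"}
{"ts":"2024-03-12T10:00:06","host":"ws01","type":"rename","src":"C:\\Users\\a\\Pictures\\a.jpg","dst":"C:\\Users\\a\\Pictures\\a.jpg.00000001"}
{"ts":"2024-03-12T10:00:07","host":"ws01","type":"rename","src":"C:\\Users\\a\\Pictures\\b.jpg","dst":"C:\\Users\\a\\Pictures\\b.jpg.00000001"}
{"ts":"2024-03-12T10:00:08","host":"ws01","type":"rename","src":"\\\\fs01\\share\\plan.pdf","dst":"\\\\fs01\\share\\plan.pdf.00000001"}
{"ts":"2024-03-12T10:00:09","host":"ws01","type":"create","path":"C:\\Users\\a\\Desktop\\HOW_RETURN_YOUR_DATA.TXT"}
{"ts":"2024-03-12T10:01:00","host":"ws02","type":"rename","src":"C:\\tmp\\old.log","dst":"C:\\tmp\\old.log.1"}
{"ts":"2024-03-12T10:01:30","host":"ws02","type":"process","cmd":"notepad.exe C:\\tmp\\notes.txt"}
"""

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines()]

def detect(events):
    """Return {host: [(indicator, detail), ...]} for hosts showing Eldorado-like activity."""
    findings = defaultdict(list)
    recent = defaultdict(list)  # host -> timestamps of recent renames to RANSOM_EXT
    for ev in events:
        ts, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        if ev["type"] == "process" and SHADOW_DELETE.search(ev["cmd"]):
            findings[host].append(("shadow_copy_deletion", ev["cmd"]))
        elif ev["type"] == "rename" and ev["dst"].endswith(RANSOM_EXT):
            # sliding window: drop renames older than WINDOW, alert once the burst size is hit
            recent[host] = [t for t in recent[host] if ts - t <= WINDOW] + [ts]
            if len(recent[host]) == RENAME_BURST:
                findings[host].append(("rename_burst", f"{RENAME_BURST} files -> {RANSOM_EXT} in {WINDOW.seconds}s"))
            if ev["dst"].startswith("\\\\"):  # UNC path: a share reached over SMB was encrypted
                findings[host].append(("network_share", ev["dst"]))
        elif ev["type"] == "create" and ev["path"].upper().endswith(RANSOM_NOTE):
            findings[host].append(("ransom_note", ev["path"]))
    return dict(findings)

def severity(host_findings):
    """Number of distinct indicator types seen on a host; three or more is a confident hit."""
    return len({kind for kind, _ in host_findings})
```

Run `detect(parse_events(SAMPLE_EVENTS))` to see ws01 flagged on all four indicators while ws02, whose rename to `.log.1` and ordinary process start are benign, produces nothing.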
Customisation and Impact
Group-IB’s infiltration into the Eldorado operation revealed that affiliates can customise their attacks. On Windows, attackers can specify directories to encrypt, skip local files, target network shares on specific subnets, and even prevent the malware from self-deleting. On Linux, customisation is limited to setting directories for encryption.
Defence Recommendations
Group-IB emphasises that Eldorado represents a new, standalone ransomware threat, not a rebranding of an existing group. To mitigate the risks posed by ransomware like Eldorado, they recommend the following defences:
• Implement Multi-Factor Authentication (MFA): Use credential-based access solutions to enhance security.
• Use Endpoint Detection and Response (EDR): Quickly identify and respond to ransomware indicators.
• Regular Data Backups: Take backups regularly to minimise damage and data loss.
• AI-Based Analytics and Advanced Malware Detonation: Employ these tools for real-time intrusion detection and response.
• Regular Security Patching: Prioritise and periodically apply patches to fix vulnerabilities.
• Employee Training: Educate and train employees to recognise and report cyber security threats.
• Annual Technical Audits: Conduct regular security assessments and maintain digital hygiene.
• Avoid Paying Ransom: Paying ransom rarely ensures data recovery and can lead to further attacks.
By following these recommendations, organisations can bolster their defences against the evolving threat of ransomware.