Eldorado (Ransomware) – Malware

January 28, 2025

Eldorado

Type of Malware

Ransomware

Country of Origin

Russia

Date of initial activity

2024

Targeted Countries

United States
Italy
Croatia

Associated Groups

Eldorado Ransomware Group

Motivation

Financial Gain

Attack Vectors

Phishing
Web Browsing

Targeted Systems

Windows
Linux

Overview

Eldorado is a ransomware family run under the Ransomware-as-a-Service (RaaS) model: the core operators maintain the locker and the infrastructure, and recruit affiliates who carry out the intrusions and share the proceeds. It was first advertised in March 2024 on the Russian-language dark web forum RAMP, where the operators sought skilled penetration testers for an affiliate program that lets participants build and distribute customized samples. This is what makes the RaaS model dangerous in practice: intrusion specialists who could never write a locker themselves can still run complete ransomware operations, so the number of people able to mount an attack grows well beyond the number able to build one.

Technically, Eldorado is written in Go and ships builds for both Windows and Linux. Files are encrypted with ChaCha20, and the ChaCha20 key material is in turn encrypted with RSA-OAEP under the operators' public key, so recovery without the matching private key is not feasible. The locker can also encrypt files on network shares over the Server Message Block (SMB) protocol, which lets a single infected host damage file servers across an organization.

Eldorado does not introduce a new technique so much as package proven ones well; its significance is as a sign of how low the entry barrier to enterprise ransomware has become, and defenders should plan for it accordingly.

Targets

  • Public Administration
  • Health Care and Social Assistance
  • Manufacturing
  • Information
  • Educational Services

How they operate

Initial Access

Eldorado affiliates typically get in through phishing or with valid credentials obtained elsewhere. The phishing emails are crafted to look legitimate and carry malicious attachments or links; when the recipient opens them, the first-stage payload runs. Because the operation is RaaS, the affiliate chooses the target and does the reconnaissance, so the entry point is tailored to whatever weaknesses that organization's perimeter and identity controls present.

Execution and Payload Delivery

Once inside, the affiliate stages the locker. Eldorado is delivered through a loader, a small executable that prepares the host before the main ransomware module runs, typically by disabling security tooling so the locker is not caught at execution. The locker itself is written in Go, which is why a single codebase yields builds for both Windows and Linux with the same behaviour on each.

Data Encryption

Eldorado encrypts victim files with ChaCha20, a fast stream cipher that is sound as long as a key and nonce pair is never reused. The ChaCha20 key material is then encrypted with RSA using Optimal Asymmetric Encryption Padding (RSA-OAEP) under the operators' public key. Only the holder of the matching RSA private key can unwrap the file keys, and that is the property the ransom is sold on: there is no decryptor to reverse-engineer, because the secret needed for recovery is never present on the victim's machine. The locker also reaches files on network shares over SMB, so one compromised host with suitable credentials can encrypt file servers across the organization, which is what turns a single infection into an enterprise-wide outage.

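
The hybrid scheme described above, written out as an added illustration that is not Eldorado's code and is not taken from the cited report: a fresh ChaCha20 key and nonce for each buffer, wrapped with RSA-OAEP under the operators' public key and stored next to the ciphertext. The on-disk layout (ciphertext followed by the RSA-wrapped key material) and the SHA-256 OAEP parameters are assumptions made for the example; it uses the Python `cryptography` package.

```python
"""Envelope encryption of the kind a ChaCha20 + RSA-OAEP locker uses.

Added example, not Eldorado's code. Assumptions for the example: one fresh
ChaCha20 key and nonce per buffer, OAEP with SHA-256, and the wrapped key
material appended directly after the ciphertext.
"""
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms

KEY_LEN = 32    # ChaCha20 key
NONCE_LEN = 12  # 96-bit nonce; `cryptography` wants a 32-bit block counter in front
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def generate_operator_keypair(bits=2048):
    """The RSA pair the operators hold; only the public half ships in a build."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    return private_key, private_key.public_key()


def _chacha20(key, nonce):
    # 16-byte IV = 4-byte little-endian block counter (0) || 12-byte nonce
    return Cipher(algorithms.ChaCha20(key, b"\x00" * 4 + nonce), mode=None)


def envelope_encrypt(plaintext, operator_public_key):
    """Encrypt one buffer under a fresh key; return ciphertext || wrapped key material."""
    file_key, nonce = os.urandom(KEY_LEN), os.urandom(NONCE_LEN)
    enc = _chacha20(file_key, nonce).encryptor()
    body = enc.update(plaintext) + enc.finalize()
    # Only the RSA private key can unwrap this; the raw file_key is never written out.
    wrapped = operator_public_key.encrypt(file_key + nonce, OAEP)
    return body + wrapped


def split_blob(blob, operator_public_key):
    """Separate ciphertext from the trailing RSA-sized key blob (all an analyst sees on disk)."""
    wrapped_len = operator_public_key.key_size // 8
    return blob[:-wrapped_len], blob[-wrapped_len:]


def envelope_decrypt(blob, operator_private_key):
    """Recover the plaintext; this is the step the ransom is sold for."""
    body, wrapped = split_blob(blob, operator_private_key.public_key())
    key_material = operator_private_key.decrypt(wrapped, OAEP)
    file_key, nonce = key_material[:KEY_LEN], key_material[KEY_LEN:]
    dec = _chacha20(file_key, nonce).decryptor()
    return dec.update(body) + dec.finalize()


def demo_roundtrip(plaintext=b"constructed sample document contents " * 100):
    """Run the scheme once and report the properties worth checking."""
    private_key, public_key = generate_operator_keypair()
    blob = envelope_encrypt(plaintext, public_key)
    body, wrapped = split_blob(blob, public_key)
    return {
        "body_len": len(body),            # ChaCha20 is a stream cipher: no padding
        "wrapped_len": len(wrapped),      # one RSA block, 256 bytes for RSA-2048
        "recovered": envelope_decrypt(blob, private_key) == plaintext,
        # Same plaintext twice gives different ciphertext: per-buffer keys and nonces.
        "distinct_per_file": envelope_encrypt(plaintext, public_key) != blob,
    }


if __name__ == "__main__":
    print(demo_roundtrip())
```

The point for a responder is in `split_blob`: everything that reaches disk is the ciphertext plus one RSA-sized blob, and the ChaCha20 key appears in neither. A sample that hard-codes a key, reuses a nonce, or mishandles the wrapping is the only realistic route to a free decryptor; a scheme implemented as above leaves backups as the recovery path.
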
Customization and Configuration

A defining feature of Eldorado is its builder. Before deployment the affiliate supplies parameters such as the target network name, the text of the ransom note, and domain administrator credentials (a password or NTLM hash), and the builder emits a sample configured for that victim. Those credentials are what let the locker authenticate to shares across the domain when it encrypts over SMB. Putting all of this behind a builder means an affiliate with little development skill can still produce a sample tailored to the environment they have compromised, and it also means the operators' own public key and the victim-specific settings are baked into every sample.

Exfiltration and Ransom Demand

Before encryption, Eldorado affiliates may exfiltrate sensitive files or credentials, following the double-extortion pattern: the threat of publication adds pressure on victims who could otherwise restore from backups and ignore the encryption. After encryption completes, the locker drops a ransom note stating the demand and the consequences of non-payment, and negotiation then takes place over a channel the attackers control.

Conclusion

Eldorado shows how mature the RaaS economy has become: a cross-platform Go locker, sound hybrid cryptography, SMB-wide encryption, and a builder that lets affiliates tailor each sample. Defending against it means the fundamentals done well: phishing-resistant authentication and tight control of domain administrator credentials, since the builder depends on them; segmentation and least-privilege share permissions to limit how far SMB encryption can spread; tested, offline backups; and monitoring for the discovery, lateral movement, and mass file modification that precede and accompany encryption.

MITRE Tactics and Techniques

  • Initial Access, Valid Accounts (T1078): using stolen or phished credentials to get onto the network.
  • Execution, User Execution (T1204): relying on the victim to open a phishing attachment or link that runs the payload (the page's original ID, T1203, is exploitation of a client application, which does not match the behaviour described).
  • Persistence, Boot or Logon Autostart Execution (T1547): registry run keys and similar autostart entries; scheduled tasks fall under Scheduled Task/Job (T1053).
  • Privilege Escalation, Exploitation for Privilege Escalation (T1068): exploiting vulnerabilities to obtain higher privileges.
  • Defense Evasion, Indicator Removal (T1070): clearing logs and other traces of activity.
  • Credential Access, OS Credential Dumping (T1003): harvesting credentials to reach other systems and services.
  • Discovery, File and Directory Discovery (T1083), together with Network Share Discovery (T1135): enumerating files and shares to select encryption targets.
  • Lateral Movement, Remote Services (T1021), in particular SMB/Windows Admin Shares (T1021.002): moving between hosts and reaching shares to encrypt.
  • Exfiltration, Exfiltration Over C2 Channel (T1041): moving data out of the network, typically before encryption.
  • Impact, Data Encrypted for Impact (T1486): encrypting files and demanding a ransom for the decryption key.
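
The SMB share encryption described earlier and the T1021/T1486 entries above leave the same footprint on a file server: one account writing or renaming files at machine speed across several shares. The following added example, which is not from the cited report or from the Eldorado operators, runs that check over a constructed and deliberately simplified log. The six-column layout is an assumption made for the example; real file-server audit events (Windows event 5145 share-object access, for instance) would need to be mapped onto it first.

```python
"""Flag an account touching many files across several shares inside a short window,
the server-side footprint of a locker encrypting over SMB (T1021.002 / T1486).

Added example. The log format is a constructed CSV: ts,host,user,share,path,op.
Thresholds are starting points, not tuned values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SHARES = ("Finance", "HR", "Engineering")

# Constructed sample: a little normal activity, then one account renaming
# 30 files on 3 shares within 15 seconds.
CONSTRUCTED_LOG = "\n".join(
    [
        "2025-01-28T09:00:01,FS01,alice,Finance,Q4/budget.xlsx,WRITE",
        "2025-01-28T09:03:12,FS01,alice,Finance,Q4/notes.docx,WRITE",
        "2025-01-28T09:07:45,FS01,bob,HR,onboarding.pdf,WRITE",
        "2025-01-28T09:08:10,FS01,alice,Finance,Q4/budget.xlsx,READ",
    ]
    + [
        f"2025-01-28T09:10:{i // 2:02d},FS01,svc_backup,{SHARES[i % 3]},dir{i}/file{i}.docx,RENAME"
        for i in range(30)
    ]
)


def parse_events(text):
    """Parse the constructed CSV into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, share, path, op = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                       "share": share, "path": path, "op": op})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_share_encryption_bursts(events, window=timedelta(seconds=60),
                                   min_files=20, min_shares=2):
    """Sliding-window count of distinct files and shares modified per account.

    An alert fires the first time an account has modified at least `min_files`
    distinct paths on at least `min_shares` shares within `window`.
    """
    recent = defaultdict(deque)   # user -> deque of (ts, share, path)
    alerted = {}
    for e in events:
        if e["op"] not in ("WRITE", "RENAME"):
            continue                 # reads do not change data; ignore them here
        q = recent[e["user"]]
        q.append((e["ts"], e["share"], e["path"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()              # drop events older than the window
        files = {p for _, _, p in q}
        shares = {s for _, s, _ in q}
        if len(files) >= min_files and len(shares) >= min_shares and e["user"] not in alerted:
            alerted[e["user"]] = {
                "user": e["user"],
                "host": e["host"],
                "first_seen": q[0][0],
                "triggered_at": e["ts"],
                "span_seconds": (e["ts"] - q[0][0]).total_seconds(),
                "files": len(files),
                "shares": sorted(shares),
                "techniques": ["T1021.002", "T1486"],
            }
    return sorted(alerted.values(), key=lambda a: a["triggered_at"])


if __name__ == "__main__":
    for alert in detect_share_encryption_bursts(parse_events(CONSTRUCTED_LOG)):
        print(alert)
```

The account that trips this is often a service or backup account, precisely because those are the credentials a builder like Eldorado's is fed. Alert on the account and host together, and treat the first alert as the moment to isolate the source host rather than to start an investigation: at the rates a locker achieves, the window in which containment still limits damage is measured in seconds.
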
References:
  • Group-IB, “Eldorado Ransomware: The New Golden Empire of Cybercrime?”, 2024
Tags: Croatia, Eldorado, Eldorado Ransomware Group, Italy, Linux, Malware, Ransomware, United States, Windows