The newly discovered Eldorado ransomware-as-a-service (RaaS), active since March, targets both VMware ESXi and Windows systems. This ransomware has impacted 16 victims, primarily in the U.S., across sectors including real estate, education, healthcare, and manufacturing. Eldorado’s operators are actively recruiting affiliates and promoting their service on cybercriminal forums, although the group's data leak site is currently offline.
Eldorado, written in Go, encrypts files on both Windows and Linux platforms. It uses the ChaCha20 algorithm for file encryption, generating a unique 32-byte key and 12-byte nonce for each file, and protects each per-file key and nonce with RSA using Optimal Asymmetric Encryption Padding (OAEP). Encrypted files receive a “.00000001” extension, and ransom notes are placed in the Documents and Desktop folders. The ransomware also encrypts network shares via SMB and deletes shadow volume copies on Windows systems to hinder recovery efforts.
Affiliates of Eldorado can customize their attacks by specifying which directories to encrypt or skip and targeting network shares on certain subnets. However, Linux variants only allow customization of encryption directories. The malware is set to self-delete by default to evade detection and analysis, and it avoids encrypting system files and directories critical to booting.
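As an added triage example (not code from Group-IB's report or from the malware), the script below walks a directory tree, reports every file carrying the “.00000001” extension described above, and measures the entropy of each file's first bytes so a responder can separate genuinely encrypted files (ChaCha20 output is close to 8 bits per byte) from files that merely match the extension. The sample tree, the 7.5-bit threshold and the file names are constructed assumptions.

```python
import math
import os
import tempfile
from pathlib import Path

ELDORADO_EXT = ".00000001"   # extension reported for Eldorado-encrypted files
ENTROPY_THRESHOLD = 7.5      # assumed cut-off in bits/byte; cipher output is near 8.0
SAMPLE_BYTES = 4096          # only the file head is read, to keep scans cheap


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_tree(root: str) -> list[dict]:
    """Report files under root that carry the Eldorado extension, flagging
    those whose content also looks encrypted rather than merely renamed."""
    findings = []
    for path in Path(root).rglob("*" + ELDORADO_EXT):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            ent = shannon_entropy(fh.read(SAMPLE_BYTES))
        findings.append({"path": path.name, "entropy": round(ent, 2),
                         "looks_encrypted": ent >= ENTROPY_THRESHOLD})
    return sorted(findings, key=lambda f: f["path"])


def demo() -> list[dict]:
    """Build a constructed sample tree (not real victim data) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        docs = Path(root, "Documents")
        docs.mkdir()
        # Constructed sample: random bytes stand in for ChaCha20 ciphertext.
        (docs / ("budget.xlsx" + ELDORADO_EXT)).write_bytes(os.urandom(SAMPLE_BYTES))
        # Edge case: carries the extension but is not encrypted (all zeros).
        (docs / ("empty.txt" + ELDORADO_EXT)).write_bytes(b"\x00" * SAMPLE_BYTES)
        # Unrelated file that must not be reported.
        (docs / "readme.txt").write_text("untouched")
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a mounted disk image or a file-server share rather than a live host, and treat a high-entropy hit as a cue to preserve the volume and its shadow-copy state before anything else.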
To defend against Eldorado and similar ransomware, Group-IB recommends implementing multi-factor authentication (MFA), using Endpoint Detection and Response (EDR) systems, regularly backing up data, and applying security patches. Additionally, employing AI-based intrusion detection, training employees to recognize threats, and avoiding ransom payments can help mitigate risks and protect against such ransomware attacks.