Eldorado is a relatively new ransomware-as-a-service (RaaS) operation that launched in March and ships locker variants for both Windows and VMware ESXi.
Its operators have already claimed 16 victims, most of them US organisations in real estate, education, healthcare, or manufacturing. Researchers who tracked Eldorado found its operators advertising the service on the RAMP forum and recruiting skilled affiliates to join the program.
The operation also maintains a data leak site listing victims, although it was unavailable at the time of publication.
Eldorado is Go-based malware that encrypts both Windows and Linux systems, using two distinct variants that share most of their operational logic.
However, the encryptor the researchers obtained from the developer came with a user manual stating that 32- and 64-bit builds are available for VMware ESXi hypervisors and Windows.
According to the researchers, the ransomware is a from-scratch development that does not reuse previously leaked builder source code. It encrypts each file with the ChaCha20 stream cipher, generating a unique 32-byte key and 12-byte nonce for every file.
Each key and nonce pair is then encrypted with RSA using Optimal Asymmetric Encryption Padding (OAEP), so that only the holder of the matching RSA private key can recover the files. Encrypted files receive a ".00000001" extension, and ransom notes named "HOW_RETURN_YOUR_DATA.TXT" are dropped in the Documents and Desktop folders.
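The hybrid scheme described above, shown as an added example (this is illustrative code, not Eldorado's own, and requires the `cryptography` package): a fresh ChaCha20 key and nonce for every file, wrapped with RSA-OAEP under the operator's public key. The on-disk layout (wrapped key material followed by ciphertext), the SHA-256 OAEP parameters and the block counter starting at zero are assumptions. The last check in `demo()` also shows why the per-file key and nonce matter: reusing one keystream on two files leaks the XOR of their plaintexts.

```python
"""Hybrid file encryption: ChaCha20 per file, key+nonce wrapped with RSA-OAEP.
Added illustration, not the ransomware's code. Assumptions: blob layout is
[RSA-OAEP(key||nonce)][ChaCha20 ciphertext], OAEP uses SHA-256, counter starts at 0."""
import os
import struct

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms

# OAEP with SHA-256/MGF1-SHA-256 (assumed parameters; the report only says OAEP).
OAEP_SHA256 = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


def chacha20_xor(key: bytes, nonce12: bytes, data: bytes) -> bytes:
    """Raw ChaCha20 keystream XOR (IETF variant: 32-byte key, 12-byte nonce).
    The library takes a 16-byte value: 32-bit little-endian block counter
    followed by the 12-byte nonce. Counter start of 0 is an assumption."""
    assert len(key) == 32 and len(nonce12) == 12
    cipher = Cipher(algorithms.ChaCha20(key, struct.pack("<I", 0) + nonce12), mode=None)
    enc = cipher.encryptor()
    return enc.update(data) + enc.finalize()


def lock_file(plaintext: bytes, operator_pub: rsa.RSAPublicKey) -> bytes:
    """Encrypt one file with a unique key+nonce, wrapped under the operator's RSA key."""
    key, nonce = os.urandom(32), os.urandom(12)
    wrapped = operator_pub.encrypt(key + nonce, OAEP_SHA256)  # 44 bytes fit easily in OAEP
    return wrapped + chacha20_xor(key, nonce, plaintext)


def unlock_file(blob: bytes, operator_priv: rsa.RSAPrivateKey) -> bytes:
    """Recovery needs the RSA private key, which only the operator holds."""
    wrapped_len = operator_priv.key_size // 8  # an OAEP ciphertext is modulus-sized
    key_nonce = operator_priv.decrypt(blob[:wrapped_len], OAEP_SHA256)
    return chacha20_xor(key_nonce[:32], key_nonce[32:], blob[wrapped_len:])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def demo() -> dict:
    """Exercise the scheme on constructed sample files and return the checks."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub = priv.public_key()
    doc1 = b"Q3 invoices - constructed sample content"
    doc2 = b"Board minutes - constructed sample content"
    blob1, blob2 = lock_file(doc1, pub), lock_file(doc2, pub)
    wrapped_len = 2048 // 8

    # Failure mode the per-file key/nonce avoids: one keystream on two files
    # gives anyone holding both ciphertexts the XOR of the plaintexts.
    shared_key, shared_nonce = os.urandom(32), os.urandom(12)
    c1 = chacha20_xor(shared_key, shared_nonce, doc1)
    c2 = chacha20_xor(shared_key, shared_nonce, doc2)

    return {
        "roundtrip_ok": unlock_file(blob1, priv) == doc1 and unlock_file(blob2, priv) == doc2,
        "wrapped_differs_per_file": blob1[:wrapped_len] != blob2[:wrapped_len],
        "ciphertext_len_preserved": len(blob1) == wrapped_len + len(doc1),
        "keystream_reuse_leaks_xor": xor_bytes(c1, c2) == xor_bytes(doc1, doc2),
    }


if __name__ == "__main__":
    print(demo())
```

Because ChaCha20 is a stream cipher, the ciphertext is exactly the length of the plaintext; the only size overhead is the fixed RSA-wrapped header, which is one of the reasons this construction is popular with file lockers.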
Eldorado also encrypts network shares over SMB to widen its impact, and deletes Volume Shadow Copies on compromised Windows hosts to hinder recovery.
It skips DLL, LNK, SYS and EXE files, as well as directories tied to system boot and basic operation, so that the host remains bootable and usable.
Finally, the locker is configured by default to delete itself after running, to evade detection and frustrate analysis.
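The artefacts described above (the ".00000001" extension, the HOW_RETURN_YOUR_DATA.TXT note, and shadow copy deletion) turned into simple host-side detection logic, run over constructed sample telemetry. This is an added example, not part of the report: the event format is invented, the burst threshold is a placeholder, and the shadow copy deletion command patterns are the common ones for that technique in general, since the report does not say which method Eldorado uses.

```python
"""Detection logic for the indicators above, over constructed sample events.
Added example, not from the report. Assumptions: the normalised event format,
the burst threshold, and the shadow-copy command patterns (generic, not
Eldorado-specific)."""
import re
from collections import Counter

# Generic Volume Shadow Copy deletion patterns (assumption: the report does not
# name the exact command Eldorado runs).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"win32_shadowcopy\b.*\b(?:delete|remove-wmiobject|remove-ciminstance)\b", re.I),
]

ENCRYPTED_EXT = ".00000001"          # extension appended to locked files
RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"
BURST_THRESHOLD = 5                  # assumption: tune per environment


def shadow_copy_deletion(cmdline: str) -> bool:
    """True if a process command line matches a shadow copy deletion pattern."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def file_indicator(path: str):
    """Classify a created/renamed file path: 'ransom_note', 'encrypted_file' or None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if name.upper() == RANSOM_NOTE:
        return "ransom_note"
    if name.endswith(ENCRYPTED_EXT):
        return "encrypted_file"
    return None


def scan(events):
    """events: dicts with 'host', 'type' ('process' or 'file'), and 'cmdline' or 'path'.
    Returns (host, alert_kind, detail) tuples in the order they fire."""
    alerts = []
    enc_counts = Counter()  # encrypted-extension files seen per host
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process" and shadow_copy_deletion(ev["cmdline"]):
            alerts.append((host, "shadow_copy_deletion", ev["cmdline"]))
        elif ev["type"] == "file":
            kind = file_indicator(ev["path"])
            if kind == "ransom_note":
                alerts.append((host, "ransom_note", ev["path"]))
            elif kind == "encrypted_file":
                enc_counts[host] += 1
                if enc_counts[host] == BURST_THRESHOLD:  # fire once per host
                    alerts.append((host, "mass_rename_burst",
                                   f"{BURST_THRESHOLD} files renamed to {ENCRYPTED_EXT}"))
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS01", "type": "process", "cmdline": r"C:\Windows\System32\vssadmin.exe list shadows"},
    {"host": "WS01", "type": "file", "path": r"C:\Users\alice\Documents\HOW_RETURN_YOUR_DATA.TXT"},
    *[{"host": "WS01", "type": "file", "path": rf"C:\Users\alice\Documents\report{i}.docx.00000001"}
      for i in range(6)],
    {"host": "FS01", "type": "file", "path": r"\\FS01\Finance\budget.xlsx.00000001"},  # single share file, below threshold
    {"host": "WS02", "type": "process", "cmdline": "wmic.exe shadowcopy delete"},
    {"host": "WS02", "type": "process", "cmdline": "notepad.exe HOW_RETURN_YOUR_DATA.TXT"},  # viewing the note is not creation
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Listing shadow copies is deliberately not flagged (administrators do that), while the single ".00000001" file on the file server stays below the burst threshold; in practice that share-side activity is worth correlating with the SMB sessions from the workstation that fired the other alerts.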
Researchers who infiltrated and studied the operation report that affiliates can customise their attacks. For example, affiliates can choose which directories to encrypt, skip local files, target network shares on specified subnets, and prevent the malware from deleting itself. On Linux, however, the only available customisation is the choice of directories to encrypt.