A new ransomware threat called Eldorado has been making waves in the cybersecurity world, targeting Windows and VMware ESXi environments since March. This Go-based ransomware-as-a-service (RaaS) has so far focused primarily on sectors such as education, real estate, and healthcare in the US.
According to a report from Group-IB, Eldorado was first spotted on the RAMP forum, offering versions for both Windows and Linux while actively recruiting skilled partners through its affiliate program. The report highlighted that this ransomware allows affiliates to customize their attacks by specifying encryption directories and targeting network shares on Windows machines.
One notable aspect of Eldorado is its use of Go to cross-compile the code into native, self-contained binaries for each target platform. Group-IB researchers noted that the ransomware encrypts files using ChaCha20 and RSA-OAEP, and can also reach network shares over the SMB protocol.
Additionally, Eldorado employs various evasion tactics to prevent detection and hinder recovery efforts. It deletes shadow volume copies, avoids critical system files to maintain system functionality, and is programmed to self-delete to evade detection.
Sectigo’s senior vice president of product, Jason Soroko, highlighted Eldorado’s evasive tactics, describing its use of “living off the land” techniques. This strategy involves leveraging native and legitimate tools available on infected systems, such as Windows WMI and PowerShell, to move laterally or encrypt resources. Soroko also mentioned the malware’s configurability in Windows, allowing it to spare critical files necessary for normal system operation.
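From a defender's side, the shadow-copy deletion and living-off-the-land tooling mentioned above are observable in process-creation telemetry. The following is an added example, not code from the original article or from Group-IB: it runs a few rules for shadow-copy deletion via native tools (vssadmin, WMIC, PowerShell/WMI) over constructed Sysmon-style events and groups hits by parent process, so a single parent that tries several deletion techniques stands out. The event field names, sample paths and rule patterns are assumptions for illustration; they are not taken from the Eldorado report.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events in Sysmon Event ID 1 style
# (Image, CommandLine, ParentImage). Illustrative only, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Users\Public\update.exe"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete",
     "parent": r"C:\Users\Public\update.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden Get-WmiObject Win32_ShadowCopy | Remove-WmiObject",
     "parent": r"C:\Users\Public\update.exe"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows",   # benign: listing, not deleting
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-Process",      # benign PowerShell use
     "parent": r"C:\Windows\explorer.exe"},
]

# Well-known shadow-copy deletion patterns using native Windows tooling.
# Generic ransomware precursors; not commands quoted from the Eldorado report.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("powershell_wmi_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*(remove-wmiobject|remove-ciminstance|\.delete\(\))")),
]

def match_rules(event):
    """Names of the rules whose pattern appears in the event's command line."""
    cmd = event.get("cmdline", "").lower()
    return [name for name, rx in RULES if rx.search(cmd)]

def detect_shadow_copy_deletion(events):
    """Return (alerts, parents): one alert tuple per matching event, and a map
    from parent image to the set of distinct deletion techniques it spawned."""
    alerts, parents = [], defaultdict(set)
    for ev in events:
        hits = match_rules(ev)
        if hits:
            alerts.append((ev["parent"], ev["cmdline"], hits))
            parents[ev["parent"]].update(hits)
    return alerts, dict(parents)

if __name__ == "__main__":
    alerts, parents = detect_shadow_copy_deletion(SAMPLE_EVENTS)
    for parent, cmd, hits in alerts:
        print(f"ALERT {hits} parent={parent} cmd={cmd!r}")
    for parent, techniques in parents.items():
        print(f"{parent}: {len(techniques)} distinct shadow-copy deletion techniques")
```

A real deployment would feed these rules from an EDR or SIEM query rather than an in-memory list, and would pair a shadow-copy deletion alert with the parent's other activity (SMB share enumeration, unusual PowerShell) before escalating.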
While the primary motive behind Eldorado’s attacks seems to be financial gain, the potential impact on business continuity cannot be overlooked. Callie Guenther, senior manager of cyber threat research at Critical Start, pointed out that Eldorado’s ability to shut down and encrypt virtual machines before targeting files could severely disrupt operations.
Ngoc Bui, cybersecurity expert at Menlo Security, emphasized the threat actor’s versatility in targeting multiple operating systems and highlighted the sophistication of the ransomware’s encryption methods. Bui suggested that the group behind Eldorado may have skilled ransomware coders in their ranks, indicating a potentially well-resourced and organized operation.
As the cybersecurity landscape continues to evolve, organizations are advised to stay vigilant and proactive in their defense measures. Monitoring threat intelligence, sharing actionable intelligence within the organization, applying patches, implementing stronger authentication practices, and actively monitoring for signs of malware are crucial steps in mitigating the risks posed by threats like Eldorado.
With its ability to target both Windows and VMware ESXi environments, Eldorado poses a significant threat to organizations across various sectors. By staying informed and implementing robust security measures, businesses can better defend against evolving ransomware threats like Eldorado.