
Eldorado Ransomware Hits Windows and Linux Networks


Security researchers have recently published details on the latest version of a Ransomware-as-a-Service (RaaS) offering known as Eldorado. The malware is written in Go (Golang), which lets a single code base target both Windows and Linux systems.

Ngoc Bui, a cybersecurity expert at Menlo Security, highlighted the significance of Eldorado’s ability to infect multiple operating systems. Bui pointed out that the combination of encryption methods and the creation of ransomware from scratch is particularly noteworthy, suggesting the presence of skilled ransomware coders within the group behind Eldorado.

An advisory released by Group-IB described the encryption scheme employed by Eldorado: ChaCha20 for file encryption and RSA-OAEP for encrypting the per-file keys. The advisory also notes that Eldorado encrypts files on network shares over the Server Message Block (SMB) protocol. Additionally, Eldorado has lateral-movement capabilities, specifically checks for attached USB drives, as explained by Jason Soroko, senior vice president of product at Sectigo.

The malware’s ability to detect and infect removable media allows it to spread to other systems when the infected USB drive is connected elsewhere. By scanning for connected USB drives and automatically copying itself onto them using obfuscation techniques, Eldorado can evade detection by security software.

Furthermore, Group-IB’s investigation into Eldorado revealed an operational model in which the operators recruit affiliates through underground forums such as RAMP, seeking partners with the technical expertise to carry out intrusions. The developers of Eldorado offer a range of customizable features, enabling affiliates to tailor attacks to specific target networks or organizations.

Eldorado has already claimed numerous victims: data from its leak site lists 16 confirmed cases as of June 2024, predominantly in the US, across sectors including real estate, healthcare, and education. This discovery comes amid a trend identified by Group-IB of a significant increase in advertisements for RaaS programs on dark web forums.

Callie Guenther, senior manager of cyber threat research at Critical Start, emphasized the importance of implementing various security measures in light of the growing sophistication and reach of cyber-criminal enterprises. Guenther highlighted the significance of multi-factor authentication, endpoint detection and response solutions, regular data backups, timely patching, and continuous employee training to enhance defense against ransomware attacks.

In conclusion, the emergence of Eldorado highlights the evolving landscape of cyber threats and the need for organizations to bolster their defenses against sophisticated malware distributed through the Ransomware-as-a-Service model. Collaboration between security researchers, industry experts, and organizations is essential in combating the increasing prevalence of ransomware attacks and safeguarding sensitive data and networks from cyber-criminal activity.
