
New Eldorado Ransomware Targets Windows And Linux Systems


Recently, the landscape of ransomware attacks has taken a sharp turn towards a more sophisticated, enterprise-like model known as Ransomware-as-a-Service (RaaS). This evolution was clearly visible from 2022 to 2023, with a significant increase in the number of ransomware programs advertised on the dark web: the number of ransomware ads identified rose by 50%, to a total of 27 during that period.

One of the key platforms facilitating the hiring of ransomware attackers is the RAMP forum, which has emerged as a central hub for the recruitment of threat actors specializing in deploying ransomware. This shift in the landscape has been further accentuated by the surge in attacks published on specific leak sites, which experienced a significant increase of 74%, reaching a total of 4,583 attacks in 2023. This points towards an evolving and structured ecosystem of threat actors honing their skills in executing ransomware attacks.

One notable development in the realm of ransomware is the emergence of a new affiliate program, Eldorado Ransomware-as-a-Service, in March 2024. This program, run by Russian-speaking actors, uses custom-built malware for Windows and Linux systems. The locker is written in Golang and uses Chacha20 for file encryption and RSA-OAEP for key encryption, which underscores the sophistication of this ransomware variant.

By June 2024, the Eldorado ransomware had already targeted 16 companies, with a focus on organizations in the US, particularly within the Real Estate sector. The group leverages a dark web chat platform and a leak site for their operations, showcasing a high level of organization and coordination in their attacks.

Notably, Eldorado ransomware is written in Golang, a programming language whose binaries can be built for multiple operating systems, making it a cross-platform threat that can infect both Windows and Linux hosts. It employs distinctive tactics such as appending “.00000001” to encrypted file names and using personalized ransom notes to intimidate victims.

The ransomware payload includes command line parameters, compressed configuration files, and logging capabilities, enabling it to encrypt shared network files using the SMB protocol. While the Windows version of Eldorado utilizes Chacha20 for file encryption and RSA-OAEP for key encryption, the Linux version follows a simpler approach of encrypting specified directories recursively.

The self-destruct mechanism employed by Eldorado involves overwriting encrypted files with random bytes and deleting itself after encryption to evade detection. Additionally, it deletes Windows shadow volume copies to prevent recovery attempts. This level of functionality demonstrates the evolving sophistication of ransomware attacks.
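The behaviour described above gives defenders two concrete things to hunt for in endpoint telemetry: a burst of files renamed to the “.00000001” extension (locally or on UNC share paths, which the article ties to SMB encryption) and the deletion of shadow copies. The following is an added detection example, not code from the article or from any vendor; it assumes a simple constructed `host|event_type|value` log format, and the shadow-copy command patterns are an assumption, since the article does not name the command Eldorado uses.

```python
import re
from collections import Counter

# Extension the article reports Eldorado appends to encrypted files.
ENCRYPTED_EXT = ".00000001"

# The article says Eldorado deletes Windows shadow copies but names no
# command; these patterns are an assumption covering common deletion methods.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)

def parse_event(line):
    """Parse a constructed 'host|event_type|value' line; None if malformed."""
    parts = line.strip().split("|", 2)
    return tuple(parts) if len(parts) == 3 else None

def analyze(lines, burst_threshold=3):
    """Return a list of (host, finding, detail) tuples.

    Flags a burst of renames to the .00000001 extension per host and scope
    (local path vs. UNC share), plus any shadow-copy deletion command.
    """
    renames = Counter()  # (host, scope) -> number of renamed files
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        host, kind, value = ev
        if kind == "file_rename" and value.lower().endswith(ENCRYPTED_EXT):
            scope = "smb_share" if value.startswith("\\\\") else "local"
            renames[(host, scope)] += 1
        elif kind == "process" and SHADOW_DELETE.search(value):
            findings.append((host, "shadow_copy_deletion", value))
    for (host, scope), n in sorted(renames.items()):
        if n >= burst_threshold:
            findings.append((host, f"mass_rename_{scope}", f"{n} files"))
    return findings

# Constructed sample telemetry, not real victim data.
SAMPLE_EVENTS = [
    "ws01|file_rename|C:\\Users\\a\\Documents\\q1.xlsx.00000001",
    "ws01|file_rename|C:\\Users\\a\\Documents\\q2.xlsx.00000001",
    "ws01|file_rename|C:\\Users\\a\\Documents\\q3.xlsx.00000001",
    "ws01|file_rename|\\\\fs01\\finance\\budget.docx.00000001",
    "ws01|process|vssadmin.exe delete shadows /all /quiet",
    "ws02|file_rename|C:\\Temp\\notes.txt.bak",
    "bad line",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

With the default threshold the single share-path rename stays below the burst limit while the three local renames and the shadow-copy deletion are reported; lowering the threshold also surfaces the share-path activity.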

In light of these developments, organizations are urged to stay vigilant and adopt a proactive cybersecurity approach to defend against the growing ransomware threat. Implementing measures such as multi-factor authentication, endpoint detection and response, regular data backups, and advanced malware detection solutions can bolster defenses against ransomware attacks.

As threat actors continue to refine their tactics and develop new strains of malware, organizations must remain agile in adapting their cybersecurity strategies to mitigate the risks posed by ransomware. The evolving landscape of ransomware underscores the need for a comprehensive and dynamic approach to cybersecurity to safeguard sensitive data and infrastructure from malicious actors.
