Table of Contents
Arun KL
February 28, 2025
|
8m

Eldorado Ransomware

Threats

An illuminated digital padlock with circuit-like patterns representing cybersecurity and data protection.

Ransomware remains a persistent and evolving threat to organizations worldwide. A new player, Eldorado ransomware, has emerged as a significant concern, operating under the Ransomware-as-a-Service (RaaS) model and demonstrating cross-platform capabilities by targeting both Windows and Linux systems. This article delves into the origins, tactics, targets, and defenses against Eldorado, providing security professionals with crucial information to combat this emerging threat. The rapid development and adoption of Eldorado highlight the continued profitability and appeal of the RaaS model, emphasizing the need for vigilance and proactive security measures. Security teams should understand the key differences between SOAR vs SIEM vs XDR.

Origins & Evolution

Eldorado ransomware was first discovered in March 2024, advertised on the RAMP underground forum, a known hub for ransomware-related activities. The advertisement promoted its affiliate program, highlighting the availability of a ransomware builder, locker, and loader, indicating a fully operational RaaS infrastructure. Group-IB researchers were among the first to identify and analyze this new threat. Unlike some ransomware variants that are rebrands or rely on leaked source code from older families (like LockBit 3.0 or Babuk), Eldorado appears to be a newly developed strain. This is significant because it demonstrates ongoing innovation and investment in the ransomware ecosystem, even amidst increased law enforcement pressure on established groups like BlackCat and Ragnar Locker. The use of the Go programming language further distinguishes Eldorado, facilitating cross-platform targeting and potentially complicating analysis and detection. The representative of the group is Russian-speaking. As a security professional, it is important to understand CVSS.

Tactics & Techniques

Eldorado's operational methodology aligns with the typical RaaS model, but with some notable features. The core of the attack involves encrypting files on compromised systems and demanding a ransom for decryption. However, Eldorado's approach contains several key tactical and technical elements:

  • Ransomware Builder: A central feature of the Eldorado RaaS is its customizable builder. Affiliates can configure various parameters, tailoring their attacks to specific targets or environments. This includes customizing the ransom note, specifying target networks or company names, and potentially incorporating specific administrator credentials for enhanced privilege escalation.

  • Cross-Platform Targeting: The use of Go allows Eldorado to target both Windows and Linux systems, significantly expanding its potential attack surface. The encryptor is available in four formats: esxi, esxi_64, win, and win_64, explicitly targeting VMware ESXi hypervisors, a common target for enterprise ransomware attacks. Understanding the basics of Linux is key.

  • Encryption Scheme: Eldorado employs a robust encryption scheme:

* ChaCha20: Used for the symmetric encryption of files. ChaCha20 is a modern, fast, and secure stream cipher. Know the difference between symmetric and asymmetric encryption.

* RSA-OAEP: Used for asymmetric encryption of the ChaCha20 key and nonce. For each file, a 32-byte key and 12-byte nonce are generated. These are then encrypted with RSA-OAEP, using the public key embedded in the ransomware configuration. The encrypted key and nonce are appended to the end of each encrypted file.

  • File Extension: Encrypted files receive the extension ".00000001", providing a clear indicator of compromise.

  • Ransom Note: A ransom note is dropped in the victim's Documents and Desktop folders, providing contact instructions (likely through a Tor-based communication channel or email). Learn how does the Tor network work.

  • Network Share Encryption: Eldorado is capable of encrypting files on shared networks via the Server Message Block (SMB) protocol. This allows the ransomware to spread laterally within a network, maximizing its impact.

  • Obfuscation (Windows): The Windows version of Eldorado attempts to cover its tracks by using PowerShell to overwrite the ransomware executable with random bytes before deleting it.

  • Double Extortion: Eldorado uses a double-extortion approach. The operators of the RaaS maintain a website listing all the victims.

The combination of a customizable builder, cross-platform capabilities, and strong encryption makes Eldorado a potent threat, capable of adapting to different environments and maximizing damage.

Targets or Victimology

As of June 2024, Eldorado ransomware has reportedly targeted at least 16 companies. A significant majority (13) of these victims are located in the United States, indicating a current focus on this region. However, victims have also been identified in Italy (2) and Croatia (1), suggesting a potential for broader geographical targeting in the future.

The targeted industries are diverse, including:

  • Real Estate

  • Education

  • Professional Services

  • Healthcare

  • Manufacturing

This broad victimology suggests that Eldorado affiliates are not currently focused on a specific sector but rather on organizations that may be vulnerable and have the capacity to pay a ransom. The inclusion of healthcare and education highlights the potential for significant societal disruption, in addition to financial losses. The targeting of professional services and real estate may indicate an interest in obtaining sensitive client data for double-extortion purposes. You should know what are data brokers.

Attack Campaigns

As a relatively new ransomware strain, detailed information on specific attack campaigns is still emerging. However, the following points summarize the current understanding:

  • Rapid Emergence: Eldorado quickly gained traction after its appearance in March 2024, indicating effective distribution and affiliate recruitment.

  • Confirmed Victims: The listing of 16 confirmed victims on the group's website demonstrates successful attacks and a willingness to publicly name victims.

  • US Focus: The current concentration of victims in the US suggests a deliberate targeting strategy or a concentration of active affiliates in that region.

  • Cross-Industry Targeting: The variety of affected industries highlights the opportunistic nature of the attacks, focusing on vulnerability rather than specific sectors.

Further research and threat intelligence sharing will be crucial to track the evolution of Eldorado's attack campaigns and identify any emerging patterns or preferred attack vectors. What is threat intelligence and why it is important?

Defenses

Combating Eldorado ransomware, and RaaS threats in general, requires a multi-layered approach to cybersecurity. Generic defenses are important, but specific strategies should also be considered, given Eldorado's characteristics:

Generic Defenses:

  • Robust Backup and Recovery: Regularly back up critical data and systems, ensuring backups are stored offline and tested regularly. This is the most crucial defense against any ransomware.

  • Patch Management: Keep all software and operating systems up-to-date with the latest security patches. This includes promptly patching both Windows and Linux systems, given Eldorado's cross-platform capabilities. Learn more about patch management.

  • Network Segmentation: Segment networks to limit the lateral movement of ransomware. This can contain the impact of a successful breach.

  • Principle of Least Privilege: Restrict user access rights to only what is necessary for their job functions. This limits the potential damage from compromised accounts.

  • Security Awareness Training: Educate employees about phishing, social engineering, and other common attack vectors. Emphasize the importance of not opening suspicious attachments or clicking on unknown links. Learn more about types of phishing attacks.

  • Email Security: Implement strong email filtering and security gateways to block phishing emails and malicious attachments.

  • Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor endpoints for suspicious activity and provide rapid response capabilities.

  • Multi-Factor Authentication (MFA): Enforce MFA for all critical accounts, especially for remote access and administrative accounts.

  • Intrusion Detection/Prevention Systems (IDS/IPS): Utilize IDS/IPS to monitor network traffic for malicious activity.

  • Threat Intelligence Leverage threat intelligence data to know the latest TTPs.

Specific Defenses Targeting Eldorado:

  • Monitor for Go-based Malware: Increase scrutiny of Go-compiled executables, as this is a distinguishing feature of Eldorado.

  • YARA Rules: Develop and deploy YARA rules to detect Eldorado based on its specific characteristics (file extension, ransom note contents, encryption patterns).

  • SMB Security: Implement strict access controls and monitoring for SMB shares to limit the ransomware's ability to spread across the network.

  • ESXi Security: If using VMware ESXi, ensure it is properly secured and patched, as Eldorado has specific variants targeting this platform.

  • Monitor Dark Web Forums: Track activity on forums like RAMP to stay informed about Eldorado's development, affiliate activity, and potential new attack vectors.

Conclusion

Eldorado ransomware represents a significant and evolving threat in the cyber landscape. Its emergence as a new RaaS, targeting both Windows and Linux systems with a robust encryption scheme, underscores the continued innovation and profitability of ransomware operations. The customizable nature of the Eldorado builder allows for tailored attacks, while its cross-platform capabilities expand its potential reach. Organizations must remain vigilant, implementing multi-layered security defenses, staying informed about the latest threat intelligence, and proactively adapting their security posture to counter this and other emerging ransomware threats. The combination of generic security best practices and specific defenses tailored to Eldorado's characteristics is crucial for mitigating the risk of a successful attack. Organizations should know the key strategies to identify vulnerabilities.

Found this article interesting? Keep visit thesecmaster.com, and our social media page on FacebookLinkedInTwitterTelegramTumblrMedium, and Instagram and subscribe to receive tips like this. 

You may also like these articles:

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Threats

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Books

Books

Videos

Videos

Courses

Courses

Certifications

Certifications

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Cyber Security - Books

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe