Eldorado Strikes Windows and Linux

Overview

Eldorado is a ransomware-as-a-service (RaaS) operation that targets both Windows and Linux systems. It first surfaced on March 16, 2024, when an advertisement for its affiliate program was posted on the ransomware forum RAMP. In the three months that followed it claimed 16 victims, most of them in the United States (see Impact below), which is what brought it to the attention of Group-IB and the trade press.

Technical Details

Eldorado is written in Go, which lets the operators cross-compile one code base for Windows and Linux. File contents are encrypted with ChaCha20, and the ChaCha20 key material is in turn encrypted with RSA-OAEP, so encrypted files cannot be recovered without the operators' RSA private key. Builds are offered for Windows and for VMware ESXi hypervisors, which is how the Linux side is covered:

  • Encryption Variants: the locker is offered in four builds: esxi, esxi_64, win, and win_64.
  • Encryption Process: each encrypted file has the ".00000001" extension appended to its name; a ransom note named "HOW_RETURN_YOUR_DATA.TXT" is dropped into affected directories.
  • Network Share Encryption: the locker also encrypts files on network shares reachable over SMB, so a single compromised host can damage file servers it never ran on.
  • File Exclusions: to keep the host bootable (and the ransom note readable), it skips DLL, LNK, SYS, and EXE files as well as files and directories needed for system boot.
  • Self-Deletion: by default the locker deletes itself after encryption; on Windows this is done with a PowerShell command that overwrites the binary before removing it, which is intended to defeat detection and forensic recovery of the sample (BleepingComputer, Vumetric Cyber).

Indicators of Compromise (IoCs)

File Extensions: encrypted files carry the extension ".00000001".

Ransom Note: files named "HOW_RETURN_YOUR_DATA.TXT" are placed in affected directories.

PowerShell Self-Deletion: a PowerShell command overwrites and then deletes the locker binary (BleepingComputer). Hunt for PowerShell activity that rewrites and removes a recently created executable. Because the binary is destroyed on the victim host, the SHA256 hashes below are most useful against samples recovered from quarantine, mail or web gateways, or memory, rather than from the encrypted machine's disk.

Source of this IoC list (not indicators)

The URL paths identify the following as the 1275[.]ru IoC feed from which this list was compiled, not infrastructure used by Eldorado. Do not add them to block lists:

  • hxxps://1275[.]ru/ioc/3613/eldorado-ransomware-iocs/?mtm_campaign=rss
  • hxxps://1275[.]ru/ioc/feed
  • 1275[.]ru

IP Address

  • 173[.]44[.]141[.]152 (as reported in the IoC feed; confirm it against the Group-IB report before blocking, since the same feed also carried its own domain)

File Hashes (SHA256)

  • 1375e5d7f672bfd43ff7c3e4a145a96b75b66d8040a5c5f98838f6eb0ab9f27b
  • 7f21d5c966f4fd1a042dad5051dfd9d4e7dfed58ca7b78596012f3f122ae66dd
  • b2266ee3c678091874efc3877e1800a500d47582e9d35225c44ad379f12c70de
  • cb0b9e509a0f16eb864277cd76c4dcaa5016a356dd62c04dff8f8d96736174a7
  • dc4092a476c29b855a9e5d7211f7272f04f7b4fca22c8ce4c5e4a01f22258c33
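The indicators above are easiest to use as a sweep a responder can run against a suspect host or a mounted share. The following is an added example, not code from this page, from Group-IB or from BleepingComputer: it walks a directory tree and reports files with the ".00000001" extension, HOW_RETURN_YOUR_DATA.TXT notes, and any file whose SHA256 matches the published locker hashes. The demo tree it builds under a temporary directory and the locker stand-in are constructed sample data; the hash list is copied from this section.

```python
"""Filesystem sweep for the Eldorado indicators listed in this write-up.

Added example, not code from the original page, from Group-IB or from
BleepingComputer.  It walks a directory tree (a local disk or a mounted
SMB share) and reports the three host-side indicators described above:
files carrying the ".00000001" extension, ransom notes named
HOW_RETURN_YOUR_DATA.TXT, and files whose SHA256 matches one of the
published locker hashes.  The demo tree created under a temp directory
is constructed sample data; the hash list is copied from the IoC section.
"""
import hashlib
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".00000001"
RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"
LOCKER_SHA256 = frozenset({
    "1375e5d7f672bfd43ff7c3e4a145a96b75b66d8040a5c5f98838f6eb0ab9f27b",
    "7f21d5c966f4fd1a042dad5051dfd9d4e7dfed58ca7b78596012f3f122ae66dd",
    "b2266ee3c678091874efc3877e1800a500d47582e9d35225c44ad379f12c70de",
    "cb0b9e509a0f16eb864277cd76c4dcaa5016a356dd62c04dff8f8d96736174a7",
    "dc4092a476c29b855a9e5d7211f7272f04f7b4fca22c8ce4c5e4a01f22258c33",
})


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files on a share are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, hashes=LOCKER_SHA256, hash_check=True):
    """Return {"encrypted": [...], "notes": [...], "lockers": [...]} for the tree at root.

    Symlinks are skipped so a planted link cannot pull the scan off the share,
    and unreadable files are skipped rather than aborting the whole sweep.
    Hashing every file is slow on a big share; pass hash_check=False to collect
    only the extension and ransom-note hits first.
    """
    found = {"encrypted": [], "notes": [], "lockers": []}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            p = Path(dirpath, name)
            if p.is_symlink():
                continue
            if name.endswith(ENCRYPTED_EXT):
                found["encrypted"].append(str(p))
            elif name.upper() == RANSOM_NOTE:   # Windows file names are case-insensitive
                found["notes"].append(str(p))
            elif hash_check:
                try:
                    if sha256_of(p) in hashes:
                        found["lockers"].append(str(p))
                except OSError:
                    continue
    for paths in found.values():
        paths.sort()
    return found


def build_demo_tree():
    """Constructed sample tree: two encrypted files, one note, one clean file and a
    stand-in for the locker binary (no real sample is included, so its hash is
    computed at run time when the hash-match path is demonstrated)."""
    root = tempfile.mkdtemp(prefix="eldorado-demo-")
    share = Path(root, "finance")
    share.mkdir()
    (share / ("q1.xlsx" + ENCRYPTED_EXT)).write_bytes(os.urandom(64))
    (share / ("budget.docx" + ENCRYPTED_EXT)).write_bytes(os.urandom(64))
    (share / RANSOM_NOTE).write_text("constructed ransom note text\n")
    (share / "readme.txt").write_text("untouched\n")
    Path(root, "locker_standin.bin").write_bytes(b"not a real sample\n")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    # Add the stand-in's hash so the hash-match path is exercised end to end.
    hits = sweep(demo, hashes=LOCKER_SHA256 | {sha256_of(Path(demo, "locker_standin.bin"))})
    for kind, paths in hits.items():
        print(f"{kind}: {len(paths)}")
        for path in paths:
            print("   ", path)
```

Run it against a suspect host with `sweep("/mnt/share")` or a drive root; on a large share start with `hash_check=False`, since the extension and ransom-note hits are the signal that matters on an encrypted system and the locker itself will usually have been overwritten and deleted by the time anyone looks. A file-server side complement is alerting on a burst of renames to the ".00000001" extension from one SMB client, which catches the encryption while it is still running.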

Impact

As of June 2024, Eldorado had claimed 16 victims across real estate, education, healthcare, and manufacturing. Thirteen of those were in the United States, with the remainder in Italy and Croatia (BleepingComputer, Vumetric Cyber).

Defense Recommendations

Group-IB assesses Eldorado as a distinct, standalone operation rather than a rebrand of an earlier ransomware group. Despite being new, it has already shown that it can cause substantial damage to victims' data, reputation, and business continuity.

To defend against Eldorado and similar ransomware, the following measures map directly onto the behaviour described above:

  1. Implement Multi-Factor Authentication (MFA): require MFA on all remote and administrative access, including hypervisor management, since the ESXi builds need privileged access to the host.
  2. Deploy Endpoint Detection and Response (EDR): cover Linux and ESXi hosts as well as Windows, and alert on PowerShell that overwrites and then deletes a recently created executable, which is the locker's default self-deletion.
  3. Perform Regular Data Backups: keep copies offline or immutable. Because Eldorado encrypts SMB shares, a backup that sits on a writable network share will be encrypted with everything else.
  4. Apply Timely Security Patches: keep operating systems, hypervisors, and remote-access software current so affiliates cannot use known vulnerabilities to get in.
  5. Conduct Employee Training: teach staff to recognise phishing and other common initial-access lures.
  6. Monitor for the Indicators Above: alert on mass creation of ".00000001" files, on "HOW_RETURN_YOUR_DATA.TXT" notes appearing on hosts or shares, and on bursts of SMB writes or renames from a single client (Vumetric Cyber, BleepingComputer).

Conclusion

The rise of Eldorado ransomware underscores the persistent and evolving nature of ransomware threats. Continuous vigilance, improved cybersecurity practices, and staying informed about emerging threats are essential for organizations to mitigate the risks posed by ransomware.

For more detailed information, you can visit BleepingComputer and Group-IB.