Eldorado, a new ransomware-as-a-service (RaaS) operation that surfaced in March, ships lockers for both VMware ESXi and Windows. The gang has already claimed 16 victims, most of them in the United States and in the real estate, education, healthcare and manufacturing sectors.
Researchers at cybersecurity firm Group-IB, who monitored Eldorado's activity, found its operators advertising the service on the RAMP forum and recruiting skilled affiliates for the programme. Eldorado also runs a data leak site that lists victims, although it was unavailable at the time of writing.
Eldorado is written in Go and targets Windows and Linux hosts with two distinct variants that share most of their operational logic. The researchers obtained an encryptor from the developer, along with a user manual stating that 32- and 64-bit builds are available for VMware ESXi hypervisors and for Windows. According to Group-IB, Eldorado is an original development rather than a rebuild of previously leaked builder source code.
The malware encrypts each file with ChaCha20, generating a fresh 32-byte key and 12-byte nonce for every file. The per-file keys and nonces are then encrypted with RSA using Optimal Asymmetric Encryption Padding (OAEP). Because only the operators hold the matching RSA private key, the ChaCha20 keys, and therefore the files, cannot be recovered from the encrypted data alone.
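To make the file-encryption layer concrete, the following is an added example (not Eldorado's code and not from the Group-IB report): a pure-Python ChaCha20 per RFC 8439 that mints a fresh 32-byte key and 12-byte nonce per file, exactly the shape the article describes, plus a small demonstration of why that per-file uniqueness matters. The function and constant names are my own; the RSA-OAEP wrapping of the key/nonce pair is not reproduced because the Python standard library has no RSA, so a real locker would additionally encrypt `key + nonce` with the operator's public key and store it alongside the file.

```python
import os
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    # The ChaCha quarter round from RFC 8439 section 2.1, operating in place.
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    # State layout: 4 constant words, 8 key words, 1 counter word, 3 nonce words.
    state = list(struct.unpack("<4L", b"expand 32-byte k"))
    state += list(struct.unpack("<8L", key))
    state.append(counter & MASK32)
    state += list(struct.unpack("<3L", nonce))
    working = state[:]
    for _ in range(10):  # 20 rounds = 10 iterations of (column round + diagonal round)
        _quarter_round(working, 0, 4, 8, 12)
        _quarter_round(working, 1, 5, 9, 13)
        _quarter_round(working, 2, 6, 10, 14)
        _quarter_round(working, 3, 7, 11, 15)
        _quarter_round(working, 0, 5, 10, 15)
        _quarter_round(working, 1, 6, 11, 12)
        _quarter_round(working, 2, 7, 8, 13)
        _quarter_round(working, 3, 4, 9, 14)
    out = [(w + s) & MASK32 for w, s in zip(working, state)]
    return struct.pack("<16L", *out)


def chacha20_xor(key, nonce, data, counter=1):
    """XOR data with the ChaCha20 keystream; encryption and decryption are the same op."""
    assert len(key) == 32 and len(nonce) == 12
    out = bytearray()
    for i in range(0, len(data), 64):
        block = _chacha20_block(key, counter + i // 64, nonce)
        out.extend(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


def new_file_keys():
    """Per-file key material as described in the article: 32-byte key, 12-byte nonce."""
    return os.urandom(32), os.urandom(12)


def encrypt_file_bytes(plaintext):
    """Encrypt one file's contents under its own fresh key/nonce (hypothetical helper name)."""
    key, nonce = new_file_keys()
    return key, nonce, chacha20_xor(key, nonce, plaintext)


def decrypt_file_bytes(key, nonce, ciphertext):
    return chacha20_xor(key, nonce, ciphertext)


def keystream_reuse_leak(ct_a, ct_b):
    """If one key/nonce pair were reused across two files, XORing the ciphertexts
    cancels the keystream and yields plaintext_a XOR plaintext_b. This is why a
    stream-cipher locker must mint a unique nonce per file."""
    return bytes(x ^ y for x, y in zip(ct_a, ct_b))


# RFC 8439 section 2.4.2 test vector, used here as a correctness check of the cipher.
RFC8439_KEY = bytes(range(32))
RFC8439_NONCE = bytes.fromhex("000000000000004a00000000")
RFC8439_PLAINTEXT = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
                     b"only one tip for the future, sunscreen would be it.")

if __name__ == "__main__":
    ct = chacha20_xor(RFC8439_KEY, RFC8439_NONCE, RFC8439_PLAINTEXT)
    print("RFC 8439 vector, first 16 bytes:", ct[:16].hex())  # 6e2e359a2568f98041ba0728dd0d6981
    k, n, c = encrypt_file_bytes(b"constructed sample file contents")
    print("round trip ok:", decrypt_file_bytes(k, n, c) == b"constructed sample file contents")
```

The RFC test vector confirms the primitive is implemented correctly; the `keystream_reuse_leak` helper shows the failure mode the per-file key/nonce design avoids. For a victim, the practical consequence is the inverse: with a unique key per file and the key itself wrapped under RSA-OAEP, there is no keystream reuse to exploit and nothing recoverable without the operator's private key.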
After encryption, files receive the ".00000001" extension, and ransom notes named "HOW_RETURN_YOUR_DATA.TXT" are dropped in the Documents and Desktop folders.
Eldorado also encrypts network shares reachable over SMB to widen its impact, and deletes volume shadow copies on compromised Windows hosts to hinder recovery.
To keep the host bootable and usable, the ransomware skips DLL, LNK, SYS and EXE files, as well as files and directories associated with system boot and basic operation. Finally, it is configured by default to delete itself after running, to hinder detection and analysis by response teams.
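The on-disk artefacts above (the appended extension, the ransom note name, and the extension skip list) are what a responder first sees. The following is an added triage helper, written for this article and not part of any Group-IB tooling, that classifies a file listing from a suspected victim host: it identifies encrypted files by the ".00000001" suffix, recovers their original names, groups them by original extension to gauge impact, locates ransom notes, and separates files the locker leaves alone by design. The function names and the sample listing are constructed for illustration.

```python
from collections import Counter
from pathlib import PureWindowsPath

ENCRYPTED_SUFFIX = ".00000001"
RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"
# File types the article says the locker skips so the host stays bootable.
SKIPPED_EXTENSIONS = {".dll", ".lnk", ".sys", ".exe"}


def triage(paths):
    """Classify a listing of Windows paths (local or UNC) from a suspected Eldorado host.

    Returns a dict with the encrypted files, their inferred original names, a count
    per original extension, the ransom notes found, and files untouched by design.
    """
    encrypted, notes, skipped = [], [], []
    for p in paths:
        name = PureWindowsPath(p).name
        if name.upper() == RANSOM_NOTE:
            notes.append(p)
        elif name.endswith(ENCRYPTED_SUFFIX):
            # The extension is appended, so stripping it yields the original name.
            encrypted.append(p)
        elif PureWindowsPath(p).suffix.lower() in SKIPPED_EXTENSIONS:
            skipped.append(p)
    originals = [p[:-len(ENCRYPTED_SUFFIX)] for p in encrypted]
    by_ext = Counter(PureWindowsPath(o).suffix.lower() or "(none)" for o in originals)
    return {
        "encrypted": encrypted,
        "original_names": originals,
        "by_original_extension": dict(by_ext),
        "ransom_notes": notes,
        "skipped_by_design": skipped,
    }


def note_locations_match(result):
    """True if every ransom note sits in a Desktop or Documents folder, as the article reports."""
    return all(
        PureWindowsPath(n).parent.name.lower() in {"desktop", "documents"}
        for n in result["ransom_notes"]
    )


# Constructed sample listing (not real victim data): a local profile plus an SMB share.
SAMPLE_LISTING = [
    r"C:\Users\jdoe\Desktop\HOW_RETURN_YOUR_DATA.TXT",
    r"C:\Users\jdoe\Documents\HOW_RETURN_YOUR_DATA.TXT",
    r"C:\Users\jdoe\Documents\budget.xlsx.00000001",
    r"C:\Users\jdoe\Documents\contract.docx.00000001",
    r"C:\Users\jdoe\Desktop\notes.txt.00000001",
    r"C:\Users\jdoe\Desktop\Outlook.lnk",
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Windows\System32\drivers\disk.sys",
    r"\\fileserver\finance\Q2.xlsx.00000001",
    r"\\fileserver\finance\README",
]

if __name__ == "__main__":
    r = triage(SAMPLE_LISTING)
    print(len(r["encrypted"]), "encrypted files;", r["by_original_extension"])
    print("ransom notes:", r["ransom_notes"])
    print("notes in expected folders:", note_locations_match(r))
```

Running this over a real listing (for example the output of a recursive directory enumeration exported to a text file) gives an immediate blast-radius estimate and a list of the original names that need restoring from backup, which is the realistic recovery path given that shadow copies are deleted and the per-file keys are wrapped under the operator's RSA key.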
Researchers from Group-IB, who infiltrated the group, report that affiliates can customise their attacks. On Windows, for example, attackers can choose which directories to encrypt, skip local files, target network shares on particular subnets, and stop the malware from deleting itself. On Linux, the only configurable parameter is the set of directories to encrypt.