Ransomware-as-a-service (RaaS) has evolved into a sophisticated, enterprise-like model. From 2022 to 2023, ransomware ads on the dark web increased by 50%, with 27 identified ads. The RAMP forum became the main hub for ransomware hiring, with attacks published on leak sites rising by 74% to 4,583 in 2023. This highlights a growing, structured ecosystem of ransomware threat actors.
Group-IB researchers recently discovered the new Eldorado ransomware targeting both Windows and Linux systems.
Eldorado Ransomware
In March 2024, a new ransomware affiliate program called Eldorado appeared on the RAMP forum. Created by Russian-speaking actors, it uses custom-built malware for Windows and Linux, written in Golang and using ChaCha20 and RSA-OAEP for encryption.
By June 2024, Eldorado had targeted 16 companies, mainly in the US (81.25%), with Real Estate being the most affected industry (18.75%). The group operates using a dark web chat platform and a leak site. Eldorado’s malware, written in Golang, can infect both Windows and Linux systems. It appends “.00000001” to encrypted file names and uses personalized ransom notes.
The payload accepts command-line parameters, carries a gzip-compressed configuration, and logs to a specific IP address over WebSockets. If provided with a valid username and password, it also encrypts shared network files over the SMB protocol.
Eldorado ransomware uses ChaCha20 for file encryption and RSA-OAEP for key encryption, generating a unique key for each file.
After encryption, it self-destructs by overwriting itself with random bytes and then deleting itself, and it also removes Windows shadow volume copies. The Linux version is simpler, encrypting the specified directories recursively.
Eldorado’s cross-platform ransomware exemplifies the evolving ransomware threat, with increasing sophistication and dynamic strategies. Organizations must stay vigilant and adapt their cybersecurity measures to counter these persistent threats.
Recommendations
Here are our recommendations:
- Implement Multi-Factor Authentication (MFA)
- Use Endpoint Detection and Response (EDR)
- Maintain Regular Data Backups
- Deploy Advanced Malware Detonation Solutions
- Prioritize Timely Security Patching
- Conduct Employee Cybersecurity Training
- Perform Regular Vulnerability Assessments
- Avoid Paying Ransoms
Eldorado Ransomware – File IOCs from Source – Group-IB

| SHA256 | Classification |
| --- | --- |
| 1375e5d7f672bfd43ff7c3e4a145a96b75b66d8040a5c5f98838f6eb0ab9f27b | Eldorado (32-bit Windows) |
| 7f21d5c966f4fd1a042dad5051dfd9d4e7dfed58ca7b78596012f3f122ae66dd | Eldorado (64-bit Windows) |
| cb0b9e509a0f16eb864277cd76c4dcaa5016a356dd62c04dff8f8d96736174a7 | Eldorado (64-bit Windows) |
| b2266ee3c678091874efc3877e1800a500d47582e9d35225c44ad379f12c70de | Eldorado (32-bit Linux) |
| dc4092a476c29b855a9e5d7211f7272f04f7b4fca22c8ce4c5e4a01f22258c33 | Eldorado (64-bit Linux) |
Network IOCs
- 173.44.141[.]152
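The indicators above, together with the behaviour described earlier (the “.00000001” extension on encrypted files and the WebSocket logging to a fixed IP), are enough to build a small triage sweep. The following Python script is an added example written for this article; it is not code from Group-IB or from the Eldorado report. It embeds the published SHA256 hashes, the file extension and the (defanged) network IOC, then checks three things: file hashes against the sample list, file names for the encryption extension, and log lines for the C2 address. The sample inventory, file names and proxy log lines at the bottom are constructed for the demonstration, and the path `/tmp/.cache/updater` is a hypothetical location, not one reported for Eldorado.

```python
import hashlib
import os
import re

# File IOCs as published in the Group-IB report quoted above (SHA256 -> classification).
ELDORADO_SHA256 = {
    "1375e5d7f672bfd43ff7c3e4a145a96b75b66d8040a5c5f98838f6eb0ab9f27b": "Eldorado (32-bit Windows)",
    "7f21d5c966f4fd1a042dad5051dfd9d4e7dfed58ca7b78596012f3f122ae66dd": "Eldorado (64-bit Windows)",
    "cb0b9e509a0f16eb864277cd76c4dcaa5016a356dd62c04dff8f8d96736174a7": "Eldorado (64-bit Windows)",
    "b2266ee3c678091874efc3877e1800a500d47582e9d35225c44ad379f12c70de": "Eldorado (32-bit Linux)",
    "dc4092a476c29b855a9e5d7211f7272f04f7b4fca22c8ce4c5e4a01f22258c33": "Eldorado (64-bit Linux)",
}
# Extension appended to encrypted files, per the report.
ELDORADO_EXTENSION = ".00000001"
# Network IOC as published, defanged with "[.]" so it is never treated as a live address by accident.
ELDORADO_NETWORK_IOCS_DEFANGED = ["173.44.141[.]152"]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Convert a defanged indicator (173.44.141[.]152) into the form that appears in real log text."""
    return indicator.replace("[.]", ".")


ELDORADO_IPS = {refang(i) for i in ELDORADO_NETWORK_IOCS_DEFANGED}


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA256 so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory_directory(root: str) -> dict:
    """Walk a directory tree and return {path: sha256} for every readable regular file."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                inventory[path] = sha256_of_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the sweep
    return inventory


def match_hashes(inventory: dict) -> list:
    """Return (path, classification) for every file whose SHA256 is a known Eldorado sample."""
    hits = []
    for path, digest in inventory.items():
        label = ELDORADO_SHA256.get(digest.lower())
        if label:
            hits.append((path, label))
    return hits


def find_encrypted_files(paths) -> list:
    """Return paths carrying the Eldorado extension; these are post-encryption artifacts."""
    return [p for p in paths if p.endswith(ELDORADO_EXTENSION)]


def scan_log_lines(lines) -> list:
    """Return (line_number, line) for log lines that mention the known Eldorado logging address."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if any(ip in ELDORADO_IPS for ip in IPV4_RE.findall(line)):
            hits.append((number, line))
    return hits


# Constructed sample data (not from the report) so the matchers can be exercised offline.
SAMPLE_INVENTORY = {
    "/srv/share/invoice.pdf": "00" * 32,  # constructed benign hash
    "/tmp/.cache/updater": "dc4092a476c29b855a9e5d7211f7272f04f7b4fca22c8ce4c5e4a01f22258c33",  # hypothetical path
}
SAMPLE_FILENAMES = ["/srv/share/report.docx.00000001", "/srv/share/readme.txt"]
SAMPLE_LOG = [
    "2024-06-01T10:00:00Z proxy allow 10.0.0.5 -> 173.44.141.152:443 upgrade=websocket",
    "2024-06-01T10:00:01Z proxy allow 10.0.0.5 -> 198.51.100.7:443",
]

if __name__ == "__main__":
    for path, label in match_hashes(SAMPLE_INVENTORY):
        print(f"HASH HIT  {path}: {label}")
    for path in find_encrypted_files(SAMPLE_FILENAMES):
        print(f"ENCRYPTED {path}")
    for number, line in scan_log_lines(SAMPLE_LOG):
        print(f"NET HIT   line {number}: {line}")
```

On a real host, replace `SAMPLE_INVENTORY` with `inventory_directory("/path/to/sweep")` and feed the proxy or firewall export to `scan_log_lines`. Hash matching only catches these five samples; the extension check and the network check are the more durable signals, because a rebuilt binary changes its hash but an affiliate reusing the same build keeps the same extension and logging endpoint.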