Eldorado Ransomware Targets Windows and Linux Systems

Home/BOTNET, Compromised, Exploitation, Linux Malware, Malware, Ransomware, Security Advisory, Security Update, windows/Eldorado Ransomware Targets Windows and Linux Systems

Eldorado Ransomware Targets Windows and Linux Systems

Ransomware-as-a-service (RaaS) has evolved into a sophisticated, enterprise-like model. From 2022 to 2023, ransomware ads on the dark web increased by 50%, with 27 identified ads. The RAMP forum became the main hub for ransomware hiring, with attacks published on leak sites rising by 74% to 4,583 in 2023. This highlights a growing, structured ecosystem of ransomware threat actors.

Group-IB researchers recently discovered the new Eldorado ransomware targeting both Windows and Linux systems.

Eldorado Ransomware

In March 2024, a new ransomware affiliate program called Eldorado appeared on the RAMP forum. Created by Russian-speaking actors, it uses custom-built malware for Windows and Linux, utilizing Golang, Chacha20, and RSA-OAEP encryption.

By June 2024, Eldorado had targeted 16 companies, mainly in the US (81.25%), with Real Estate being the most affected industry (18.75%). The group operates using a dark web chat platform and a leak site. Eldorado’s malware, written in Golang, can infect both Microsoft and Linux systems. It appends “.00000001” to encrypted file names and uses personalized ransom notes.

The payload includes command line parameters, a gzip-compressed configuration, and logs to a specific IP over websockets. If provided with the correct username/password, it encrypts shared network files using SMB protocol.

Eldorado ransomware uses Chacha20 for file encryption and RSA-OAEP for key encryption, generating unique keys for each file.

After encryption, it self-destructs by overwriting itself with random bytes and deleting itself, also removing Windows shadow volume copies. The Linux version is simpler, encrypting specified directories recursively.

Eldorado’s cross-platform ransomware exemplifies the evolving ransomware threat, with increasing sophistication and dynamic strategies. Organizations must stay vigilant and adapt their cybersecurity measures to counter these persistent threats.


Here are our recommendations:

  • Implement Multi-Factor Authentication (MFA)
  • Use Endpoint Detection and Response (EDR)
  • Maintain Regular Data Backups
  • Deploy Advanced Malware Detonation Solutions
  • Prioritize Timely Security Patching
  • Conduct Employee Cybersecurity Training
  • Perform Regular Vulnerability Assessments
  • Avoid Paying Ransoms

Eldorado Ransomware –File IOCs from Source – Group-IB

1375e5d7f672bfd43ff7c3e4a145a96b75b66d8040a5c5f98838f6eb0ab9f27bEldorado (32-bit windows)
7f21d5c966f4fd1a042dad5051dfd9d4e7dfed58ca7b78596012f3f122ae66ddEldorado (64-bit windows)
cb0b9e509a0f16eb864277cd76c4dcaa5016a356dd62c04dff8f8d96736174a7Eldorado (64-bit windows)
b2266ee3c678091874efc3877e1800a500d47582e9d35225c44ad379f12c70deEldorado (32-bit linux)
dc4092a476c29b855a9e5d7211f7272f04f7b4fca22c8ce4c5e4a01f22258c33Eldorado (64-bit linux)

Network IOCs

  • 173.44.141[.]152

‍Follow Us on: Twitter, InstagramFacebook to get the latest security news!

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!