New Eldorado ransomware targets Windows, VMware ESXi VMs
- By Cysguard
A new ransomware-as-a-service (RaaS) called Eldorado emerged in March and comes with locker variants for VMware ESXi and Windows.
The gang has already claimed 16 victims, most of them in the U.S., in real estate, educational, healthcare, and manufacturing sectors.
Researchers at cybersecurity company Group-IB monitored the Eldorado’s activity and noticed its operators promoting the malicious service on RAMP forums and seeking skilled affiliates to join the program.
Eldorado also runs a data leak site that lists victims but it was down at the time of writing.
Encrypting Windows and Linux
Eldorado is a Go-based ransomware that can encrypt both Windows and Linux platforms through two distinct variants with extensive operational similarities.
The researchers obtained from the developer an encryptor, which came with a user manual saying that there are 32/64-bit variants available for VMware ESXi hypervisors and Windows.
The malware uses the ChaCha20 algorithm for encryption and generates a unique 32-byte key and 12-byte nonce for each of the locked files. The keys and nonces are then encrypted using RSA with the Optimal Asymmetric Encryption Padding (OAEP) scheme.
After the encryption stage, files are appended the “.00000001” extension and ransom notes named “HOW_RETURN_YOUR_DATA.TXT” are dropped in the Documents and Desktop folders.
Group-IB says that Eldorado is a unique development “and does not rely on previously published builder sources.” Eldorado also encrypts network shares utilizing the SMB communication protocol to maximize its impact and deletes shadow volume copies on the compromised Windows machines to prevent recovery.
The ransomware skips DLLs, LNK, SYS, and EXE files, as well as files and directories related to system boot and basic functionality to prevent rendering the system unbootable/unusable. Finally, it’s set by default to self-delete to evade detection and analysis by response teams.
According to Group-IB researchers, who infiltrated the operation, affiliates can customize their attacks. For instance, on Windows they can specify which directories to encrypt, skip local files, target network shares on specific subnets, and prevent self-deletion of the malware.
On Linux, though, customization parameters stop at setting the directories to encrypt.