Eldorado Ransomware Strikes Windows and Linux Networks


Security researchers have uncovered significant insights into the latest iteration of Ransomware-as-a-Service (RaaS) known as Eldorado. 

The sophisticated malware, designed to target both Windows and Linux operating systems, utilizes the programming language Golang to facilitate its cross-platform attacks. 

"The ability to infect more than one OS is always noteworthy as it expands the attack reach. However, it's the combination of encryption methods and ransomware creation from the ground up that is worth noting," commented Ngoc Bui, cybersecurity expert at Menlo Security.

"This signals to me that they may have experienced skilled ransomware coders in their ranks. These individuals likely came with a price, suggesting this gang might also have good resources behind it," Bui added. 

According to an advisory published by Group-IB last week, the ransomware uses a hybrid scheme: the ChaCha20 stream cipher for file encryption and RSA with Optimal Asymmetric Encryption Padding (RSA-OAEP) to encrypt the file keys. It can also encrypt files on network shares reached over the Server Message Block (SMB) protocol.
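One practical consequence of the scheme described above, for defenders, is that a file encrypted with a modern stream cipher such as ChaCha20 has a byte distribution that is close to uniform, which an entropy check can pick up. The following Python example is added here as an illustration and is not code from the Group-IB advisory or from this article: it implements a Shannon-entropy heuristic for spotting files whose contents look encrypted, treats short samples as undecidable, and skips formats that are legitimately high-entropy (compressed archives, images) to limit false positives. The sample inputs are constructed, `os.urandom` stands in for ciphertext, and the function names and the 7.5-bit threshold are this example's own choices rather than anything the advisory specifies.

```python
import math
import os
from collections import Counter

# Constructed sample inputs (not taken from the article). The random
# bytes stand in for ChaCha20 output, which this check cannot tell apart
# from true randomness; that is exactly the property being detected.
PLAINTEXT_SAMPLE = b"Quarterly report: revenue grew 4% year over year. " * 80
RANDOM_SAMPLE = os.urandom(4096)

# Below this size the per-byte frequency estimate is too noisy to trust.
MIN_BYTES = 256

# Formats whose bodies are compressed or already encrypted and therefore
# score high without being ransomware output. Extend for your environment.
KNOWN_HIGH_ENTROPY_MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"\x89PNG": "png",
    b"%PDF": "pdf",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant byte, up to 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(data: bytes, threshold: float = 7.5) -> str:
    """Label a file body as 'too-short', 'known-compressed:<fmt>',
    'likely-encrypted' or 'plaintext'.

    The threshold is a heuristic choice for this example: English text and
    most structured formats sit well below 6 bits/byte, while cipher output
    over a few KB of data lands above 7.8.
    """
    if len(data) < MIN_BYTES:
        return "too-short"
    for magic, fmt in KNOWN_HIGH_ENTROPY_MAGIC.items():
        if data.startswith(magic):
            return f"known-compressed:{fmt}"
    if shannon_entropy(data) >= threshold:
        return "likely-encrypted"
    return "plaintext"


def classify_file(path: str, sample_size: int = 64 * 1024) -> str:
    """Classify a file on disk by its leading bytes, so large files stay cheap."""
    with open(path, "rb") as fh:
        return classify(fh.read(sample_size))


if __name__ == "__main__":
    for name, sample in (("plaintext", PLAINTEXT_SAMPLE), ("random", RANDOM_SAMPLE)):
        print(f"{name}: entropy={shannon_entropy(sample):.2f} -> {classify(sample)}")
```

A scanner built on this would run `classify_file` over recently modified files on a share and alert when the share of "likely-encrypted" results climbs sharply over a short window; the rate of change is the signal, since any file server holds some legitimately high-entropy files. Pair it with backups and endpoint detection rather than relying on it alone, because the heuristic cannot distinguish a ransomware victim from a user who just saved an encrypted archive.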

"Eldorado ransomware also exhibits advanced capabilities for lateral movement, notably through USB drive checks," explained Jason Soroko, senior vice president of product at Sectigo.

"This feature allows it to detect and infect removable media, facilitating the spread of the ransomware to other systems when the infected USB drive is connected elsewhere. The malware scans for connected USB drives and automatically copies itself onto them, often using obfuscation techniques to avoid detection by security software."


Additionally, Group-IB's investigation into Eldorado revealed an operational model where cyber-criminals recruit affiliates through underground forums like RAMP, seeking individuals with technical expertise to join their illicit ventures. 

From a technical standpoint, the malware's developers offer a range of customizable features, allowing affiliates to tailor attacks to specific target networks or organizations. 

Notably, Eldorado has already victimized numerous companies, with data from its leak site showing 16 confirmed cases as of June 2024, predominantly in the US but also affecting industries worldwide, including real estate, healthcare and education.

This discovery comes amid a broader trend identified by Group-IB, showing a sharp rise in advertisements for RaaS programs on dark web forums. This surge, which saw a 1.5-fold increase in 2023 compared to the previous year, underscores the growing sophistication and reach of cyber-criminal enterprises.

"Defenders should implement multi-factor authentication, endpoint detection and response solutions, regular data backups, timely patching and continuous employee training," warned Callie Guenther, senior manager of cyber threat research at Critical Start.
