Novel Eldorado Ransomware Targets Windows and Linux Systems

• Cybercriminals created a new Ransomware-as-a-Service with versions for Windows and Linux.
• The Eldorado ransomware panel offers quite a few personalization parameters for its affiliates.
• Security analysts attribute the creation of this new malware to one or more Russian-speaking individuals.

A novel Ransomware-as-a-Service (RaaS) named Eldorado permits its affiliates to create personalized samples for distribution, asking for customization parameters during the build. The uniquely developed Eldorado malware comes with versions for Windows and Linux, as a report by Group-IB analysts says.

The Eldorado ransomware uses Golang for cross-platform capabilities, employing Chacha20 for file encryption, Rivest Shamir Adleman-Optimal Asymmetric Encryption Padding (RSA-OAEP) to encrypt the generated key, and the Server Message Block (SMB) protocol to encrypt files on shared networks.

In March 2024, an ad in Russian was posted on the ransomware forum “RAMP” for an affiliate program for the Eldorado ransomware started by a user going by “$$$,” who advertised looking for pen-testers for a locker and loader. 

The ransomware strain uses a PowerShell command to overwrite the encryptor with random bytes before deleting the file and removing shadow volume copies at the end of execution to cover any traces. The Eldorado ransomware group communicated with its victims using an Onion domain for the chat platform.

The panel, which offers access only to a chat, generates ransomware samples according to affiliate parameters like the target name, ransom note, and file name, and the domain admin’s password or NTLM ( Windows New Technology LAN Manager) hash. The provided encryptor was provided along with the user manual for ESXi, esxi_64, win, and win_64.

The LockBit 3.0 ransomware builder leak in 2022 allowed for the creation of various strains used by threat actors for numerous high-profile attacks, and the Babuk ransomware source code leak in 2021 birthed several ransomware strains, such as LIMPOPO (aka SOCOTRA, FORMOSA, SEXi), BabLock, and Estate. Similarly, this ransomware’s custom strains are expected to have a notable impact.

Cybercriminals have already started deploying Eldorado ransomware attacks as of June 2024, with 16 companies in various industries worldwide listed as victims. There were reports of 13 U.S. companies, two attacks in Italy, and one in Croatia.

The Real Estate industry leads with three attacks, followed by education, professional services, health care, and manufacturing, messaging and telecommunications, business services, administrative services, transportation, government, and military targets.

Group-IB Threat Intelligence analysts saw 27 Dark Web advertisements for RaaS programs in 2022 and 2023 that promoted Yanluowang, Qilin, Knight, qBit, and lesser-known tools. They also observed an increase in the search for skilled affiliates.