Group-IB researchers report a sharp rise in Eldorado – Golang-based ransomware with cross-platform encryption- operations, targeting various industries. Learn how Eldorado ransomware affiliates operate and how to protect your business from attacks.
Group-IB Threat Intelligence analysts have reported a rise in attacks involving Eldorado, a Go-based ransomware, promoted by its operators on RAMP ransomware forums to find skilled affiliates. The new attack should be concerning for users, especially those on Linux, due to the increasing ransomware threats against Linux servers.
RAMP is reportedly, one of the most popular forums for ransomware gangs, promoting 60% of new RaaS (ransomware-as-a-service) programs between 2022 and 2023.
During this period, Group-IB identified 27 RaaS program ads on dark web forums, including well-known programs like Yanluowang, Qilin, Knight, and qBit and also lesser-known tools. In 2023, the number of ads seeking partners for RaaS programs increased by 1.5 times, indicating a growing demand for skilled affiliates. In March 2024, researchers came across a ransomware affiliate program for Eldorado on RAMP, started by a user going by “$$$” promoting a locker and loader for pentesters.
Eldorado is a cross-platform ransomware written in Golang. It uses the Chacha20 algorithm for file encryption and RSA-OAEP (Rivest Shamir Adleman-Optimal Asymmetric Encryption Padding) to encrypt generated keys on Windows and Linux platforms. It comes with a user manual for 32/64-bit variants for VMware ESXi hypervisors and Windows, making it difficult to recover files without the decryption key.
Eldorado affiliates also use SMB (Server Message Block) protocol to encrypt large files on a victim’s network, using tools like lockers, loaders, encryptors, and ransom notes. SMB enables computer sharing of files and printers over a network. The ransom note also includes a URL for a live chat with attackers to negotiate a ransom price.
“The Eldorado group has managed to develop and deploy a highly effective ransomware builder, which has been used to target both Windows and Linux systems,” researchers wrote in a blog post.
For your information, this group runs a RaaS business providing affiliates with the tools and support needed to carry out ransomware attacks. Affiliates can target both Windows and Linux systems. Researchers believe them to be Russian as their posts on the forums are in Russian and some contain expressions used only by “native Russian speakers.”
Until June 2024, 16 companies across different countries and industries were targeted by Eldorado ransomware attacks, with the US being the most affected. The most targeted industry was Real Estate (3 attacks) accounting for 18.75% of the total attacks.
Other industries affected were Education, Professional Services, Health Care, Manufacturing, Messaging and Telecommunications, Business Services, Administrative Services, Transportation, and Government and Military.
To protect against Eldorado ransomware attacks, businesses should implement multi-factor authentication and credential-based access solutions, and regularly back up data to avoid paying the ransom.
Jason Soroko, Senior Vice President of Product at Sectigo commented on the latest development stating “Eldorado’s evasiveness is enhanced by ‘living off the land’, meaning that it utilizes tools that are already available on infected systems. Windows WMI and PowerShell are examples. These tools can be used to move laterally or encrypt resources.“
“Interestingly, Eldorado can be configured in Windows to not affect certain kinds of files that are critical for normal operation such as DLLs,” Jason explained. “The Windows variant of this malware seems to be highly configurable, which is why we see different variations on the method of attack from the same malware.”
“Eldorado ransomware also exhibits advanced capabilities for lateral movement, notably through USB drive checks. This feature allows it to detect and infect removable media, facilitating the spread of the ransomware to other systems when the infected USB drive is connected elsewhere,” Jason warned. “The malware scans for connected USB drives and automatically copies itself onto them, often using obfuscation techniques to avoid detection by security software.”
