‘Eldorado’ Ransomware Targets Windows and Linux Systems

A new ransomware-as-a-service (RaaS) operation named Eldorado has emerged, targeting both Windows and Linux systems with locker variants.

Eldorado was first announced on March 16, 2024, in an advertisement for its affiliate program on the ransomware forum RAMP. The security firm that infiltrated the group identified its representative as a Russian speaker and confirmed that Eldorado’s malware does not overlap with known strains such as LockBit or Babuk.

“Eldorado ransomware uses Golang for cross-platform compatibility, utilizing Chacha20 for file encryption and RSA-OAEP for key encryption,” researchers reported. “It can also encrypt files on shared networks using the SMB protocol.”

The ransomware comes in four formats: esxi, esxi_64, win, and win_64. As of June 2024, Eldorado’s data leak site listed 16 victims, including companies from the U.S., Italy, and Croatia, spanning industries such as real estate, education, professional services, healthcare, and manufacturing.

An analysis of the Windows version revealed the use of a PowerShell command that overwrites the locker binary with random bytes before deleting it, so the file cannot be recovered for forensic analysis.

Eldorado joins other new double-extortion ransomware groups like Arcus Media, AzzaSec, dan0n, Limpopo, LukaLocker, Shinra, and Space Bears, highlighting the persistent threat of ransomware.

LukaLocker, operated by a group dubbed Volcano Demon by Halcyon, does not use a data leak site but instead contacts victims by phone to extort payment after encrypting Windows systems.

This development coincides with the discovery of new Linux variants of Mallox ransomware and associated decryptors. Mallox spreads by brute-forcing Microsoft SQL servers and using phishing emails, with recent attacks employing a .NET-based loader named PureCrypter.

Researchers noted, “Attackers use custom Python scripts for payload delivery and victim data exfiltration. The malware encrypts user data and appends a .locked extension to encrypted files.”

Despite efforts by law enforcement and increased security measures, ransomware attacks continue to rise. Data shows that 470 ransomware attacks were recorded in May 2024, up from 356 in April. The majority were attributed to LockBit, Play, Medusa, Akira, 8Base, Qilin, and RansomHub.

To protect against the Eldorado ransomware, organizations should implement comprehensive cybersecurity strategies. These include regular, offline-tested backups of critical data, maintaining up-to-date security patches, and employing advanced endpoint protection solutions. Network segmentation and restricting administrative privileges can limit how far ransomware spreads, including over SMB shares.