Eldorado Ransomware Strikes Windows and Linux Networks

Insights into Eldorado Ransomware

Security researchers have recently shed light on a newly emerged Ransomware-as-a-Service (RaaS) offering called Eldorado. The malware targets both Windows and Linux operating systems and is written in Go (Golang), which gives it cross-platform reach from a single codebase.

According to cybersecurity expert Ngoc Bui, the combination of encryption methods and the creation of ransomware from scratch is particularly noteworthy. Bui believes that skilled ransomware coders may be behind Eldorado, indicating that the group responsible for it likely has significant resources at their disposal.

Eldorado ransomware uses modern encryption primitives, ChaCha20 for file encryption and RSA-OAEP for key protection, and it can encrypt files on network shares over the SMB protocol. The malware also has lateral-movement capabilities, including the ability to infect removable media such as USB drives.

Jason Soroko, senior vice president of product at Sectigo, highlighted Eldorado’s ability to automatically copy itself onto connected USB drives, making it easier for the ransomware to spread to other systems undetected.

Group-IB’s investigation into Eldorado also revealed an operational model in which cybercriminals recruit affiliates through underground forums, seeking individuals with technical expertise to join their illicit activities. The malware’s developers offer customizable features that allow affiliates to tailor attacks to specific target networks or organizations.

Eldorado has already targeted numerous companies, with data from its leak site confirming 16 cases as of June 2024, affecting industries worldwide including real estate, healthcare, and education. This discovery coincides with a growing trend identified by Group-IB, showing an increase in advertisements for RaaS programs on dark web forums.

Callie Guenther, senior manager of cyber threat research at Critical Start, emphasized the importance of implementing multi-factor authentication, endpoint detection and response solutions, regular data backups, timely patching, and continuous employee training to defend against ransomware attacks.
