Eldorado Ransomware Emerges with Cross-Platform Encryption Capabilities
An emerging ransomware-as-a-service (RaaS) operation called Eldorado has introduced locker variants designed to encrypt files on both Windows and Linux systems.
Eldorado made its first appearance on March 16, 2024, with an advertisement for its affiliate program posted on the ransomware forum RAMP, according to Singapore-based cybersecurity firm Group-IB.
Researchers Nikolay Kichatov and Sharmine Low from Group-IB noted that Eldorado is written in Golang for cross-platform support, using ChaCha20 for file encryption and RSA-OAEP to encrypt the per-file keys. The malware can also encrypt files on network shares over the SMB protocol.
The Eldorado encryptor comes in four variants, and the group's data leak site already listed 16 victims as of June 2024, mainly located in the U.S., Italy, and Croatia across various industry verticals.
Further analysis revealed that the Windows version of Eldorado uses a PowerShell command to overwrite the locker binary with random bytes before deleting the file, in an attempt to hinder forensic recovery.
Eldorado joins the list of new double-extortion ransomware players such as LukaLocker, Arcus Media, AzzaSec, and others, highlighting the persistent threat posed by ransomware attacks.
In a related development, Avast has released a decryptor for DoNex and its predecessors, while Uptycs researchers have identified new Linux variants of Mallox ransomware and associated decryptors.
Despite efforts by law enforcement and cybersecurity firms, ransomware attacks continue to rise, with 470 attacks recorded in May 2024 alone. Organizations are urged to remain vigilant and proactive in their cybersecurity efforts to combat these evolving threats.