Eldorado: The Golden City of Ransomware-as-a-Service (RaaS) 


In today’s rapidly evolving technological landscape, new cybercriminal threats are emerging alongside innovations. A ransomware group named Eldorado recently surfaced and, within a few months, successfully breached 16 companies worldwide, including in the United States. This malware poses a threat to both Windows and Linux systems, demonstrating that anyone can be a victim. Eldorado is also actively recruiting and selling stolen data on the dark web. 

Graph of targeted countries and number of attacks by industry – Rewterz

What is Eldorado? 

Eldorado ransomware first made its presence known in March 2024 on an underground forum called “RAMP.” A user identified as “$$$” posted information about an affiliate program for the Eldorado ransomware, written in Russian.

Screenshot of the Eldorado member post, in Russian – Group-IB

Since then, the group has proven to be experienced in the Ransomware-as-a-Service (RaaS) arena, successfully attacking entities such as the City of Pensacola and exfiltrating 1.7TB of data, which they subsequently sold on the dark web. The group is looking to expand its reach further by actively recruiting new, knowledgeable members. Judging by their recent attacks, the group consists of experienced operators who are skilled at exploiting and infiltrating systems. Eldorado also operates a website that lists victims and leaked data, and it promotes its services on dark web forums. Their primary motivation is financial gain: they target a variety of industries and demand ransoms to release the stolen data. Unlike other strains such as LockBit or Babuk, Eldorado’s malware does not rely on previously published builder sources.

Analysis 

Eldorado ransomware is built using Golang, which gives it cross-platform capabilities. It employs the ChaCha20 encryption algorithm for encrypting files and RSA-OAEP (Rivest–Shamir–Adleman with Optimal Asymmetric Encryption Padding) for encrypting the keys. This robust encryption makes it exceedingly difficult for victims to recover their files without paying the ransom. The group gains access to systems through various methods, including phishing, exploiting unpatched vulnerabilities, brute force, and exploiting weaknesses in Remote Desktop Protocol (RDP) configurations. They also encrypt network shares over the SMB (Server Message Block) protocol. Once inside a network, they use legitimate tools already present on infected systems, such as Windows Management Instrumentation (WMI) and PowerShell, to avoid detection. Logs are then sent to the IP address 173.44.141.152 over WebSockets, with the Origin header set to “http://logger”. The IP is currently located in the United States.

To further avoid detection, Eldorado removes shadow volume copies from affected Windows computers. The ransomware avoids encrypting essential system files such as DLL, LNK, SYS, and EXE files, as well as files and directories critical to system boot and operation, so as not to render the system unbootable. Additionally, Eldorado is configured to self-delete to avoid detection and analysis by response teams.

For each file it encrypts, the ransomware generates a unique 32-byte key and a 12-byte nonce for ChaCha20. These keys and nonces are then encrypted with RSA-OAEP. The ransomware appends the “.00000001” extension to the encrypted files. Victims find a ransom note titled “HOW_RETURN_YOUR_DATA.TXT” in their Documents and Desktop folders, providing instructions on how to contact the group and retrieve their data.

Screenshot of “HOW_RETURN_YOUR_DATA.TXT” Ransom note – Rewterz
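The network and file-level indicators described in the two paragraphs above can be turned into simple defender-side checks. The following is an added example, not code from the original post or from the ransomware; it assumes a made-up proxy log layout (“src= dst= upgrade= origin=”) and a constructed file listing, both embedded inline.

```python
# Defender-side checks for the Eldorado indicators quoted in the post. Added
# example; not code from the original post or from the ransomware itself.
import os
import re

ENCRYPTED_EXT = ".00000001"               # extension appended to encrypted files
RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"  # note dropped in Documents and Desktop
LOGGER_IP = "173.44.141.152"              # log endpoint named in the post
LOGGER_ORIGIN = "http://logger"           # Origin header on the WebSocket beacons

# Constructed proxy log lines in an assumed "src= dst= upgrade= origin=" layout;
# real proxy formats differ, so adapt LINE_RE to your own logs.
SAMPLE_PROXY_LOG = """\
2024-07-01T10:00:01Z src=10.0.0.5 dst=93.184.216.34 upgrade=websocket origin=https://app.example.com
2024-07-01T10:00:02Z src=10.0.0.7 dst=173.44.141.152 upgrade=websocket origin=http://logger
2024-07-01T10:00:03Z src=10.0.0.7 dst=173.44.141.152 upgrade=- origin=-
2024-07-01T10:00:04Z src=10.0.0.9 dst=10.0.0.1 upgrade=websocket origin=http://logger
"""
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) upgrade=(\S+) origin=(\S+)")

def flag_logger_beacons(log_text):
    """Return one record per log line that matches a network indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, upgrade, origin = m.groups()
        reasons = []
        if upgrade.lower() == "websocket" and origin == LOGGER_ORIGIN:
            reasons.append("origin")  # fires even if the endpoint IP changes
        if dst == LOGGER_IP:
            reasons.append("dst_ip")  # fires even for non-WebSocket traffic
        if reasons:
            hits.append({"src": src, "dst": dst, "reasons": reasons})
    return hits

def count_file_indicators(names):
    """Count encrypted files and ransom notes among an iterable of file names."""
    counts = {"encrypted_files": 0, "ransom_notes": 0}
    for name in names:
        if name.endswith(ENCRYPTED_EXT):
            counts["encrypted_files"] += 1
        elif name == RANSOM_NOTE:
            counts["ransom_notes"] += 1
    return counts

def scan_tree_for_encryption(root):
    """Apply count_file_indicators to every file name under a directory tree."""
    return count_file_indicators(n for _, _, files in os.walk(root) for n in files)

# Constructed listing standing in for a hit host's Documents folder.
SAMPLE_FILE_NAMES = ["report.docx.00000001", "budget.xlsx.00000001",
                     "HOW_RETURN_YOUR_DATA.TXT", "system.dll", "notes.txt"]
```

Point `scan_tree_for_encryption` at a user profile (or a mounted share) to get the same counts for a real host.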

Indicators of Compromise (IOC) 


IP Addresses:
173.44.141.152
173.44.141.141
173.44.140.0/22
131.107.255.255
172.67.175.166

Domains:
ghufal.answermedia.site

Mitigation Techniques: 

Several security mitigation techniques help protect against this emerging threat. These include implementing multi-factor authentication (MFA) and credential-based access solutions; using Endpoint Detection and Response (EDR) to identify and respond to ransomware indicators; taking regular data backups to minimize damage and data loss; prioritizing and periodically applying security patches to fix vulnerabilities; educating and training employees to recognize and report cybersecurity threats; conducting annual technical audits or security assessments; maintaining digital hygiene and ensuring timely patching and updating of all software and systems to close known security gaps; segmenting networks to limit lateral movement within the organization in case of a breach; and more.

Written by: Eduardo Tornes