Alongside each wave of new technology come new criminal threats. A ransomware group called Eldorado surfaced recently and, within a few months, breached 16 organizations worldwide, including several in the United States. Its malware targets both Windows and Linux systems, so no platform is out of scope by default. Eldorado is also actively recruiting affiliates and selling stolen data on the dark web.
What is Eldorado?
Eldorado ransomware first surfaced in March 2024 on the underground forum “RAMP,” where a user going by “$$$” posted, in Russian, an advertisement for the Eldorado ransomware affiliate program.
Since then, the group has shown itself to be an experienced Ransomware-as-a-Service (RaaS) operator, attacking entities such as the City of Pensacola, exfiltrating 1.7 TB of data, and subsequently selling that data on the dark web. It is looking to expand its reach by actively recruiting new, skilled affiliates. Judging by its recent attacks, the group consists of people who are competent at infiltrating systems and exploiting them. Eldorado also runs a site that lists victims and leaked data, and it promotes its services on dark web forums. Its primary motivation is financial gain: it targets a range of industries and demands ransoms in exchange for decryption and for not releasing stolen data. Unlike many recent strains that are built on leaked builders such as LockBit’s or Babuk’s, Eldorado’s malware does not rely on previously published builder sources.
Analysis
Eldorado ransomware is written in Go, which gives it cross-platform capability. It uses the ChaCha20 stream cipher to encrypt file contents and RSA-OAEP (RSA with Optimal Asymmetric Encryption Padding) to encrypt the per-file keys. Because each file key is wrapped with the attackers’ RSA public key, a victim cannot recover files without the corresponding private key, which only the attackers hold. The group gains initial access through various methods, including phishing, exploitation of unpatched vulnerabilities, brute force, and weak Remote Desktop Protocol (RDP) configurations. It also encrypts network shares over the SMB (Server Message Block) protocol. Once inside a network, the operators rely on legitimate tools already present on compromised systems, such as Windows Management Instrumentation (WMI) and PowerShell, to blend in and avoid detection. The ransomware sends its logs to 173.44.141.152 over a WebSocket connection with the Origin header set to “http://logger”; that IP is currently geolocated in the United States.
To hinder recovery, Eldorado deletes Volume Shadow Copies on affected Windows computers. The ransomware skips files with the DLL, LNK, SYS and EXE extensions, as well as files and directories critical to system boot and operation, so that the system remains bootable and the victim can read the ransom note. Additionally, Eldorado is configured to delete itself after running, to frustrate detection and analysis by response teams.
For each file it encrypts, the ransomware generates a fresh random 32-byte ChaCha20 key and 12-byte nonce. That key and nonce are then encrypted with RSA-OAEP, so that only the holder of the RSA private key can recover them. The ransomware appends the “.00000001” extension to encrypted files. Victims find a ransom note named “HOW_RETURN_YOUR_DATA.TXT” in their Documents and Desktop folders, with instructions on how to contact the group and retrieve their data.
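The per-file key scheme described above, as an added example that is not code from the original page or from the Eldorado sample itself: a fresh 32-byte key and 12-byte nonce per file, ChaCha20 (RFC 8439, 20 rounds) over the body, and the key material wrapped with RSA-OAEP so that decryption is impossible without the private key. It is written in Go, the language the malware is built in, using only the standard library. The record layout (wrapped key followed by body), the use of SHA-256 inside OAEP, the 2048-bit key size and a block counter starting at 0 are assumptions for illustration; the analysis does not state which of these the real sample uses.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/bits"
)

// EncryptedRecord is a hypothetical container for one encrypted file, assumed for
// this example; Eldorado's real on-disk layout is not documented here.
type EncryptedRecord struct {
	WrappedKey []byte // RSA-OAEP(key || nonce)
	Body       []byte // plaintext XOR ChaCha20 keystream
}

// quarterRound is the ChaCha quarter round of RFC 8439 on state words a, b, c, d.
func quarterRound(s *[16]uint32, a, b, c, d int) {
	s[a] += s[b]; s[d] ^= s[a]; s[d] = bits.RotateLeft32(s[d], 16)
	s[c] += s[d]; s[b] ^= s[c]; s[b] = bits.RotateLeft32(s[b], 12)
	s[a] += s[b]; s[d] ^= s[a]; s[d] = bits.RotateLeft32(s[d], 8)
	s[c] += s[d]; s[b] ^= s[c]; s[b] = bits.RotateLeft32(s[b], 7)
}

// ChaChaBlock computes one 64-byte keystream block (RFC 8439 section 2.3):
// 32-byte key, 32-bit block counter, 12-byte nonce, 20 rounds.
func ChaChaBlock(key [32]byte, counter uint32, nonce [12]byte) [64]byte {
	var s [16]uint32
	s[0], s[1], s[2], s[3] = 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 // "expand 32-byte k"
	for i := 0; i < 8; i++ {
		s[4+i] = binary.LittleEndian.Uint32(key[4*i:])
	}
	s[12] = counter
	for i := 0; i < 3; i++ {
		s[13+i] = binary.LittleEndian.Uint32(nonce[4*i:])
	}
	w := s
	for i := 0; i < 10; i++ { // 10 double rounds = 20 rounds
		quarterRound(&w, 0, 4, 8, 12); quarterRound(&w, 1, 5, 9, 13)
		quarterRound(&w, 2, 6, 10, 14); quarterRound(&w, 3, 7, 11, 15)
		quarterRound(&w, 0, 5, 10, 15); quarterRound(&w, 1, 6, 11, 12)
		quarterRound(&w, 2, 7, 8, 13); quarterRound(&w, 3, 4, 9, 14)
	}
	var out [64]byte
	for i := 0; i < 16; i++ {
		binary.LittleEndian.PutUint32(out[4*i:], w[i]+s[i])
	}
	return out
}

// ChaCha20XOR encrypts or decrypts data; the operation is its own inverse.
// The counter starts at 0 here (an assumption; the sample's convention is not stated).
func ChaCha20XOR(key [32]byte, nonce [12]byte, data []byte) []byte {
	out := make([]byte, len(data))
	for off, ctr := 0, uint32(0); off < len(data); off, ctr = off+64, ctr+1 {
		ks := ChaChaBlock(key, ctr, nonce)
		for i := 0; i < 64 && off+i < len(data); i++ {
			out[off+i] = data[off+i] ^ ks[i]
		}
	}
	return out
}

// splitMaterial separates the 44-byte key||nonce blob into its two parts.
func splitMaterial(m []byte) (key [32]byte, nonce [12]byte) {
	copy(key[:], m[:32])
	copy(nonce[:], m[32:44])
	return key, nonce
}

// EncryptFile draws a fresh key and nonce for this file, wraps them with the
// operators' RSA public key under OAEP, and encrypts the body with ChaCha20.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedRecord, error) {
	material := make([]byte, 44) // 32-byte key followed by 12-byte nonce
	if _, err := rand.Read(material); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, material, nil)
	if err != nil {
		return nil, err
	}
	key, nonce := splitMaterial(material)
	return &EncryptedRecord{WrappedKey: wrapped, Body: ChaCha20XOR(key, nonce, plaintext)}, nil
}

// DecryptFile is what a decryptor must do: without the RSA private key the
// OAEP unwrap fails, so the per-file key, and with it the file, is unrecoverable.
func DecryptFile(priv *rsa.PrivateKey, rec *EncryptedRecord) ([]byte, error) {
	material, err := rsa.DecryptOAEP(sha256.New(), nil, priv, rec.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap per-file key: %w", err)
	}
	if len(material) != 44 {
		return nil, errors.New("unexpected key material length")
	}
	key, nonce := splitMaterial(material)
	return ChaCha20XOR(key, nonce, rec.Body), nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // only the public half would ship in a binary
	if err != nil {
		panic(err)
	}
	plaintext := []byte("constructed sample document contents") // constructed input, not a real file
	rec, err := EncryptFile(&priv.PublicKey, plaintext)
	if err != nil {
		panic(err)
	}
	got, err := DecryptFile(priv, rec)
	fmt.Printf("wrapped key %d bytes, body changed: %v, round trip ok: %v\n",
		len(rec.WrappedKey), !bytes.Equal(rec.Body, plaintext), err == nil && bytes.Equal(got, plaintext))
}
```

The point for responders is in DecryptFile: a recovered sample, the encrypted files and even the embedded public key give you nothing, because every file key is sealed under the private key that never leaves the operators. Recovery therefore comes from backups or from an implementation flaw, not from the cipher.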
Indicators of Compromise (IOC)
SHA-1
caaa1f85dd333c9d19767b5de527152d5acbc2a4
a108c142dba8c9af5236ec64fe5a1ce04c54a3fb
b59a5930d3ed292ce412ce956062e02716d93d7a
SHA-256
cb0b9e509a0f16eb864277cd76c4dcaa5016a356dd62c04dff8f8d96736174a7
1bf9f5d49df45385cd8df0f6cfebb3b380b30a6f97e3894fe2f60ec76dc679a8
283b87c195f13b0225ea23249a2d753dbd591509cd02a4b45de264aa60cce9a7
8badf1274da7c2bd1416e2ff8c384348fc42e7d1600bf826c9ad695fb5192c74
MD5
315a9d36ed86894269e0126b649fb3d6
a393addf3517eba601fe9d621f500e66
IP Addresses:
173.44.141.152
173.44.141.141
173.44.140.0/22
131.107.255.255
172.67.175.166
Note that the last two entries are low-confidence on their own: 131.107.255.255 is the address behind Microsoft’s Network Connectivity Status Indicator (dns.msftncsi.com), which every Windows host contacts, and 172.67.175.166 sits in Cloudflare’s shared address space. Alert on them only in combination with other indicators, and do not block them outright.
Domains
ghufal.answermedia.site
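A detection check for the WebSocket logging described in the analysis, combined with the network IOCs above, as an added example that is not part of the original page. It parses a captured client-side HTTP handshake with Go’s standard library and flags the Upgrade: websocket request with Origin “http://logger”, and any destination inside the 173.44.x.x indicators. It deliberately leaves 131.107.255.255 (Microsoft’s NCSI probe address) and 172.67.175.166 (Cloudflare space) out of the match set because they would fire on normal traffic. The sample handshakes are constructed, not real captures, and the function and type names are this example’s own.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"strings"
)

// iocPrefixes holds the high-confidence ranges from the IOC list; the NCSI and
// Cloudflare addresses are excluded on purpose to avoid false positives.
var iocPrefixes = mustPrefixes("173.44.140.0/22", "173.44.141.152/32", "173.44.141.141/32")

func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// IsIOCAddr reports whether ip falls inside one of the listed Eldorado ranges.
func IsIOCAddr(ip string) bool {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return false
	}
	for _, p := range iocPrefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// Finding records why a captured request was flagged.
type Finding struct {
	Dest    string
	Reasons []string
}

// InspectHandshake parses one raw HTTP request as a proxy or IDS would capture it
// and returns a Finding when it matches the Eldorado logging pattern (WebSocket
// upgrade with Origin http://logger) or a destination in the IOC ranges. It
// returns (nil, nil) for benign requests.
func InspectHandshake(raw string) (*Finding, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return nil, err
	}
	host, _, err := net.SplitHostPort(req.Host)
	if err != nil {
		host = req.Host // no port in the Host header
	}
	var reasons []string
	if strings.EqualFold(req.Header.Get("Upgrade"), "websocket") &&
		strings.EqualFold(req.Header.Get("Origin"), "http://logger") {
		reasons = append(reasons, "WebSocket upgrade with Origin http://logger")
	}
	if IsIOCAddr(host) {
		reasons = append(reasons, "destination "+host+" is in the Eldorado IOC ranges")
	}
	if len(reasons) == 0 {
		return nil, nil
	}
	return &Finding{Dest: host, Reasons: reasons}, nil
}

func main() {
	// Constructed sample handshakes: one matching the analysis, one ordinary browser request.
	samples := []string{
		"GET /ws HTTP/1.1\r\nHost: 173.44.141.152\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n" +
			"Origin: http://logger\r\nSec-WebSocket-Version: 13\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\r\n",
		"GET /chat HTTP/1.1\r\nHost: example.com\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n" +
			"Origin: https://example.com\r\nSec-WebSocket-Version: 13\r\n\r\n",
	}
	for i, s := range samples {
		f, err := InspectHandshake(s)
		switch {
		case err != nil:
			fmt.Printf("sample %d: parse error: %v\n", i, err)
		case f == nil:
			fmt.Printf("sample %d: benign\n", i)
		default:
			fmt.Printf("sample %d: ALERT %s: %s\n", i, f.Dest, strings.Join(f.Reasons, "; "))
		}
	}
}
```

The Origin check is the stronger of the two signals: a browser never sends an Origin of “http://logger”, so the string alone is a clean detection even if the operators move to a new IP. The address match is kept for the current infrastructure but will age out.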
Mitigation Techniques:
Several security controls help reduce the risk from this emerging threat:
Enforce multi-factor authentication (MFA) and credential-based access controls, especially on RDP and other remote access paths.
Deploy Endpoint Detection and Response (EDR) to identify and respond to ransomware indicators, including shadow copy deletion and unusual WMI or PowerShell activity.
Take regular backups, keep at least one copy offline or immutable, and test restores, so that encrypted files can be recovered without paying.
Prioritize and apply security patches promptly, and keep all software and systems updated to close known security gaps.
Educate and train employees to recognize and report phishing and other cybersecurity threats.
Conduct annual technical audits or security assessments and maintain basic digital hygiene.
Segment networks to limit lateral movement, including SMB access to file shares, in case of a breach.
Written by: Eduardo Tornes