Eldorado, a new ransomware-as-a-service (RaaS) group, has been linked to 16 ransomware attacks, 13 of them in the United States. The group targets VMware ESX servers and focuses on industries such as real estate, education, professional services, healthcare, and manufacturing. Eldorado first appeared on the “RAMP” forum in March 2024 and distributes versions of the ransomware for both Windows and Linux.
Researchers from Group-IB found that Eldorado is written in Golang (Go) for cross-platform support and uses ChaCha20 for file encryption, with the file-encryption keys wrapped using RSA with Optimal Asymmetric Encryption Padding (RSA-OAEP). Go’s ability to compile programs into self-contained binaries for multiple platforms makes it an attractive choice for malware authors.
Eldorado’s ability to shut down and encrypt virtual machines before encrypting files poses a significant challenge to business continuity and data availability. Callie Guenther, senior manager of threat research at Critical Start, advises defenders to implement multi-factor authentication, endpoint detection and response solutions, regular data backups, timely patches, and ongoing employee training to mitigate these threats.
Jason Soroko, senior vice president of product at Sectigo, highlighted Eldorado’s use of “living off the land” tactics, where the ransomware leverages tools already present on infected systems, such as Windows WMI and PowerShell. Soroko also noted that Eldorado can be configured in Windows to avoid affecting critical file types like DLLs, making it highly adaptable and configurable.
As attackers increasingly target virtualized environments like VMware ESXi servers, it is imperative for organizations to remain vigilant against evolving threats like Eldorado. By implementing best practices such as multi-factor authentication, endpoint detection and response solutions, regular data backups, timely patches, and employee training, businesses can better protect themselves against ransomware attacks and ensure business continuity.
Article source: https://www.scmagazine.com/news/new-ransomware-group-eldorado-targets-mainly-us-organizations