In March, a new ransomware called Eldorado, operating as a service (RaaS), has targeted victims in the United States across various sectors such as real estate, education, healthcare, and manufacturing. The cybercriminals behind Eldorado have been actively promoting their service on RAMP forums and seeking partners to join their program.
Eldorado is a unique ransomware that can encrypt both Windows and Linux platforms using different variants with similar operational methods. The malware uses the ChaCha20 algorithm for encryption, generating unique keys and nonces for each locked file while encrypting network shares via SMB to maximize impact. It also deletes shadow volume copies on Windows machines, skips certain file types to prevent system damage, and self-deletes to avoid detection.
Group-IB researchers have infiltrated Eldorado’s operation and found that partners can customize their attacks on Windows by specifying directories to encrypt, skipping certain files, attacking specific network shares, and preventing self-deletion. However, customization options for Linux are more limited.
To defend against Eldorado and other ransomware attacks, Group-IB recommends implementing multi-factor authentication, using Endpoint Detection and Response tools, regularly backing up data, utilizing AI-based analytics for attack detection, prioritizing security patches, educating employees on cybersecurity threats, conducting regular security audits, and avoiding ransom payments.
The Eldorado ransomware poses a significant threat to organizations, as it has demonstrated the capability to cause substantial damage to data, reputation, and business continuity. It is crucial for businesses to take proactive steps to protect against ransomware attacks and ensure the security of their systems and data.
Article Source
https://www.bleepingcomputer.com/news/security/new-eldorado-ransomware-targets-windows-VMware-esxi-vms/