New Ransomware Variant “Eldorado” Unleashed, Focused on VMware ESXi Systems

A new ransomware-as-a-service called Eldorado has been targeting Windows and VMware ESXi environments in the US since March, primarily in the education, real estate, and healthcare sectors. Eldorado, which first appeared on the RAMP forum, offers an affiliate program that lets partners customize their attacks. It is written in Go for cross-platform operation and uses encryption methods such as ChaCha20 and RSA-OAEP. The ransomware deletes shadow volume copies, avoids critical system files, and self-deletes to evade detection.

Eldorado's evasion tactics include "living off the land": it uses native tools such as Windows WMI and PowerShell to move laterally and encrypt resources. The malware can be configured to skip file types essential for system operation, making it highly adaptable. While the primary motive for the attacks appears to be monetary gain, the ability to shut down VMs before encrypting files could have a significant impact on business continuity and data availability.

Cybersecurity experts note that Eldorado's ability to infect multiple operating systems, combined with encryption routines developed from scratch, suggests a skilled group of ransomware programmers behind the operation. This points to a well-resourced threat actor with a potentially ambitious roadmap. Organizations are advised to ensure their threat intelligence analysts monitor these groups and share actionable information to stay ahead of potential infections. Proactive defense measures should include patching systems, using strong authentication methods, and remaining vigilant for signs of this malware.
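The two behaviours the summary attributes to Eldorado, deleting shadow volume copies and "living off the land" with WMI and PowerShell, are exactly the ones a detection team would hunt for in process-creation telemetry. The following Python script is an added example, not code from the article or from any Eldorado sample: it parses a handful of constructed process-creation records, matches them against a small rule set for shadow-copy deletion, remote WMI execution and encoded PowerShell, and flags hosts where more than one technique appears together. The log format, field names and sample lines are assumptions made for illustration.

```python
"""
Added example (not from the Dark Reading article or any Eldorado sample):
a small detector that scans Windows process-creation records for the
"living off the land" behaviours the article attributes to Eldorado,
namely shadow-copy deletion and remote execution via WMI/PowerShell.
The log format, field names and sample lines below are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    user: str
    technique: str
    command: str


# Patterns keyed by the behaviour they indicate. They are case-insensitive
# and deliberately narrow so that routine administration stays quiet.
RULES = {
    "shadow_copy_deletion": [
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
        re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I),
    ],
    "remote_exec_wmi": [
        re.compile(r"wmic(\.exe)?\s+/node:", re.I),
        re.compile(r"Invoke-WmiMethod|Invoke-CimMethod", re.I),
    ],
    "powershell_encoded_command": [
        re.compile(r"powershell(\.exe)?.*\s-(enc|encodedcommand)\s", re.I),
    ],
}

# Assumed record layout: "<timestamp> host=<name> user=<name> cmd=<command line>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$"
)


def parse_line(line):
    """Return the record fields as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """Match every parsable record against RULES and collect findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for technique, patterns in RULES.items():
            if any(p.search(rec["cmd"]) for p in patterns):
                findings.append(
                    Finding(rec["host"], rec["user"], technique, rec["cmd"])
                )
    return findings


def hosts_with_multiple_techniques(findings):
    """Hosts where two or more distinct techniques fired; these deserve
    priority triage because a single hit is often an admin doing their job."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.technique)
    return sorted(h for h, techniques in by_host.items() if len(techniques) >= 2)


# Constructed sample records (not real telemetry). The encoded PowerShell
# payload is meaningless filler, not a real script.
SAMPLE_LOG = [
    "2024-07-01T10:00:01Z host=WS01 user=alice cmd=C:\\Windows\\System32\\notepad.exe notes.txt",
    "2024-07-01T10:02:13Z host=WS01 user=alice cmd=vssadmin.exe delete shadows /all /quiet",
    "2024-07-01T10:02:20Z host=WS01 user=alice cmd=powershell.exe -nop -w hidden -enc QQBBAEEA",
    "2024-07-01T10:03:05Z host=FS02 user=svc_backup cmd=wmic.exe /node:FS03 os get caption",
    "2024-07-01T10:04:00Z host=FS02 user=svc_backup cmd=vssadmin.exe list shadows",
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"[{f.technique}] {f.host} ({f.user}): {f.command}")
    print("hosts to triage first:", hosts_with_multiple_techniques(results))
```

Run on the constructed sample, the script reports the shadow-copy deletion and the encoded PowerShell launch on WS01 and the remote WMI call from FS02, while the harmless `vssadmin list shadows` on FS02 stays quiet; only WS01 is raised as a host with multiple techniques. In production the same logic would be fed from Sysmon event 1 or Windows event 4688 command lines, and the `remote_exec_wmi` rule in particular needs an allow-list for management hosts, since legitimate administrators use `wmic /node:` every day.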

Article Source
https://www.darkreading.com/endpoint-security/eldorado-ransomware-target-VMware-esxi