VMware ESXi and Windows Infected by Eldorado Ransomware, Reports Spiceworks

A cybersecurity research team has identified a new ransomware called Eldorado that is targeting organizations globally. This ransomware is operated as Ransomware-as-a-Service (RaaS), allowing for decentralized deployment and a wider range of malware variants.

The Eldorado ransomware encrypts files with the ChaCha20 stream cipher and protects the per-file encryption keys with RSA-OAEP. The RaaS model lets affiliates generate their own ransomware samples, which makes defense and detection harder because of the wider reach and the per-target customization. The strength of this encryption makes data recovery without the attacker's key impractical, posing significant risks to data integrity and operations.

The administrator of the RaaS service reportedly uses NTLM or administrator passwords when generating ransomware samples. Eldorado is written in Golang for cross-platform operation, with customization options meant to raise its success rate: samples can be tailored with company names, target networks, administrator credentials, and ransom note details. It targets VMware ESXi hosts and Windows VMs and runs a self-deletion routine to evade detection.

So far, 16 organizations in the US and Europe have reported being attacked by Eldorado, primarily in the real estate sector. Other affected industries include professional services, healthcare, education, manufacturing, business services, messaging and telecommunications, transportation, government, administrative services, and the military.

Group-IB advises organizations to bolster their security measures to mitigate the risks posed by this ransomware. This involves training employees to detect phishing attacks, regularly backing up data, and implementing robust security protocols. These measures are crucial to safeguarding organizations against ransomware threats like Eldorado. For more details, refer to Group-IB’s report.

Article Source
https://www.spiceworks.com/it-security/vulnerability-management/news/eldorado-ransomware-affects-VMware-esxi-windows-vms/