A new ransomware-as-a-service (RaaS) operation called Eldorado comes with locker variants to encrypt files on both Windows and Linux systems.
Eldorado first appeared on March 16, 2024, when an advertisement for an affiliate program was posted on the RAMP ransomware forum, according to Singapore-headquartered Group-IB.
The cybersecurity firm, which infiltrated the ransomware group, noted that its representative is Russian-speaking and that the malware does not match previously leaked strains such as LockBit or Babuk.
“The Eldorado ransomware exploits Golang for cross-platform capabilities, using Chacha20 for file encryption and Rivest Shamir Adleman-Optimal Asymmetric Encryption Padding (RSA-OAEP) for key encryption,” researchers Nikolai Kichatov and Sharmin Lowe said. “It can encrypt files on shared networks using the Server Message Block (SMB) protocol.”
The Eldorado encryptor comes in four variants, namely esxi, esxi_64, win and win_64, and the data leak site already lists 16 victims as of June 2024. Thirteen of the targets are located in the US, two in Italy, and one in Croatia.
These companies span various industry verticals such as real estate, education, professional services, healthcare, and manufacturing, among others.
Further analysis of the Windows version artifacts revealed the use of a PowerShell command to overwrite the locker binary with random bytes before deleting the file, in an attempt to clean up traces of the infection.
Eldorado is the latest in a string of new double-extortion ransomware families that have appeared recently, including Middle arch, AzzaSec, dan0n, Limpopo (aka SOCOTRA, FORMOSA, SEXI), Cabinet, Shinra, and Space Bears, once again underscoring the persistent and pervasive nature of the threat.
Linked by Halcyon to an operator called Volcano Demon, LukaLocker is notable for not using a data leak site, instead calling victims by phone to demand and negotiate payment after encrypting Windows workstations and servers.
The development coincides with the release of a new Linux variant of the Mallox (aka Fargo, TargetCompany, Mawahelper) ransomware, as well as decryptors associated with seven different builds.
Mallox is known to spread by brute-forcing Microsoft SQL servers and via phishing emails that target Windows systems, with recent intrusions also using a .NET-based loader called PureCrypter.
“Attackers use custom Python scripts to deliver payloads and steal victim’s information,” Uptycs researchers Tejaswini Sandapolo and Shilpesh Trivedi said. “The malware encrypts user data and appends the .locked extension to encrypted files.”
A decryptor has also been made available by Avast for DoNex and its predecessors (Muse, fake LockBit 3.0, and DarkRace), taking advantage of a flaw in the cryptographic scheme. The Czech cybersecurity company said it has been “tacitly providing the decryptor” to victims since March 2024, in cooperation with law enforcement.
“Despite law enforcement efforts and enhanced security measures, ransomware groups continue to adapt and thrive,” Group-IB said.
Data shared by Malwarebytes and NCC Group, based on victims listed on leak sites, shows that 470 ransomware attacks were reported in May 2024, compared to 356 in April. LockBit, Play, Medusa, Akira, 8Base, Qilin, and RansomHub are responsible for most of the attacks.
“The constant development of new strains of ransomware and the emergence of sophisticated affiliate programs demonstrate that the threat is far from being contained,” Group-IB said. “Organizations must remain vigilant and proactive in their cybersecurity efforts to mitigate the risks associated with these ever-evolving threats.”