
Cybersecurity Threat Advisory: Emergence of Eldorado RaaS
A new ransomware-as-a-service (RaaS), known as Eldorado, recently emerged, introducing locker variants for both VMware ESXi and Windows systems. Eldorado has rapidly demonstrated its ability to inflict severe damage on victims’ data, reputation, and business continuity. Review this Cybersecurity Threat Advisory to mitigate your risk from this ransomware.
What is the threat?
Eldorado allows skilled affiliates to tailor their attack and promote the malicious service on dark web forums, including a notable advertisement on the ransomware forum RAMP. Additionally, Eldorado has set up a website for listing victims affected by their attacks.
Why is it noteworthy?
Eldorado is considered a significant advancement in ransomware strategies, encrypting files using the ChaCha20 algorithm and employing the RSA-OAEP scheme for key encryption. Operating as a RaaS, Eldorado allows clients to generate their malware samples, decentralizing deployment. This model enhances its reach and complicates mitigation and detection efforts. With its advanced encryption techniques, recovering data becomes challenging, posing a significant risk to data integrity and operational continuity.
What is the exposure or risk?
Eldorado’s ransomware builder is distinctive in its approach. Its operators do not rely on previously leaked, publicly available ransomware tools such as LockBit 3.0 or the Babuk ransomware source code. Developed in the Go language, Eldorado has versions tailored for both Windows and Linux systems, offering an encryptor in four builds: esxi, esxi_64, win, and win_64. During attacks, Eldorado appends the extension “.00000001” to encrypted files and leaves a ransom note in victims’ Documents and Desktop folders, instructing them to contact the threat actor. The ransomware uses ChaCha20 for file encryption and RSA with Optimal Asymmetric Encryption Padding (RSA-OAEP) to encrypt the file-encryption keys.
Eldorado also removes shadow volume copies from affected Windows computers to hinder recovery and encrypts network shares over the SMB protocol to maximize its effect. It avoids encrypting critical system files and directories so that the system remains bootable.
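A defender-side check for the encryption indicator described above, added here as an example and not part of the original advisory: it walks a directory tree, counts files carrying the “.00000001” extension per folder, and reports them so a responder can gauge the spread of an infection. The sample tree is constructed inline; the ransom note's filename is not given in the advisory, so only the extension is checked.

```python
import os
import tempfile
from pathlib import Path

# File extension Eldorado appends to encrypted files, per the advisory above.
ELDORADO_EXT = ".00000001"


def scan_tree(root):
    """Walk `root` and return a dict mapping each directory that contains
    files with the Eldorado extension to (encrypted_count, total_count)."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = sum(1 for f in filenames if f.endswith(ELDORADO_EXT))
        if encrypted:
            report[os.path.relpath(dirpath, root)] = (encrypted, len(filenames))
    return report


def total_encrypted(report):
    """Total number of files carrying the Eldorado extension in a report."""
    return sum(enc for enc, _total in report.values())


def build_sample_tree():
    """Constructed sample tree (not real victim data) to exercise the scan:
    user folders with encrypted files, a system folder left untouched."""
    root = tempfile.mkdtemp(prefix="eldorado_scan_")
    for folder in ("Documents", "Desktop"):
        d = Path(root, folder)
        d.mkdir()
        (d / "report.docx.00000001").write_bytes(b"\x00" * 16)
        (d / "notes.txt").write_text("not encrypted")
    (Path(root, "Documents") / "budget.xlsx.00000001").write_bytes(b"\x00" * 16)
    sysdir = Path(root, "Windows")
    sysdir.mkdir()
    (sysdir / "system.ini").write_text("left alone so the host still boots")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    findings = scan_tree(sample_root)
    for rel_dir, (enc, total) in sorted(findings.items()):
        print(f"{rel_dir}: {enc} of {total} files carry {ELDORADO_EXT}")
    print(f"total encrypted files: {total_encrypted(findings)}")
```

Point `scan_tree` at a mounted user profile or SMB share to check it; a folder where most files carry the extension while system folders are untouched matches the behaviour the advisory describes.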
What are the recommendations?
Barracuda recommends the following actions to mitigate your risk:
- Implement multi-factor authentication (MFA) and credential-based access solutions.
- Use Endpoint Detection and Response (EDR) to quickly identify and respond to ransomware indicators.
- Back up regularly to minimize damage and data loss.
- Utilize AI-based analytics and advanced malware detonation for real-time intrusion detection and response.
- Prioritize and periodically apply security patches to fix vulnerabilities.
- Educate and train employees to recognize and report cybersecurity threats.
- Conduct annual technical audits or security assessments and maintain digital hygiene.
- Refrain from paying ransom as it rarely ensures data recovery and can lead to more attacks.
References
For more in-depth information about the recommendations, please visit the following links:
- https://duo.com/decipher/new-eldorado-ransomware-group-targets-windows-linux-systems
- https://www.chrisupchurch.net/new-eldorado-ransomware-targets-windows-vmware-esxi-vms/
- https://www.spiceworks.com/it-security/vulnerability-management/news/eldorado-ransomware-affects-vmware-esxi-windows-vms/
Note: This was originally published at SmarterMSP.
