A new ransomware-as-a-service (RaaS) operation, known as Eldorado, has emerged with capabilities to lock files on both Windows and Linux platforms. This malware variant first surfaced on March 16, 2024, when its affiliate program was advertised on the infamous RAMP ransomware forum. The cybersecurity firm Group-IB, based in Singapore, has identified the operation and reported that the representatives are Russian-speaking individuals. Notably, the Eldorado ransomware appears to utilize unique code that does not overlap with previously documented strains like LockBit or Babuk.

The ransomware is written in Go (Golang) for cross-platform compatibility and uses ChaCha20 for file encryption, with the per-file keys protected by RSA-OAEP. Researchers Nikolay Kichatov and Sharmine Low from Group-IB elaborated on its capabilities, revealing that Eldorado can also encrypt files on network shares over the Server Message Block (SMB) protocol. The variant is packaged in several formats (esxi, esxi_64, win, and win_64), and its dedicated data leak site already listed 16 victims as of June 2024. The majority of affected organizations are based in the United States, alongside a few in Italy and Croatia, spanning diverse industries including real estate, healthcare, education, and manufacturing.

Further analysis of the Windows artifacts associated with Eldorado uncovered a PowerShell command designed to overwrite the locker with random bytes before deleting it, indicating an attempt to erase evidence of the attack. This self-deletion tactic reflects the evasion strategies often employed in ransomware operations, where attackers seek to minimize the risk of detection and forensic recovery of the binary. Eldorado joins an expanding list of new double-extortion ransomware players, which include Arcus Media, AzzaSec, and several others, signifying an ongoing evolution in cybersecurity threats.

Another ransomware variant, LukaLocker, stands out in this landscape owing to its direct communication approach, where victims are contacted via phone for extortion negotiations post-encryption of their systems, bypassing traditional data leak sites. Recent developments have also unveiled new Linux variants associated with the Mallox ransomware, which are reportedly propagated through brute-force attacks on Microsoft SQL servers and phishing schemes.

As cyberthreats become increasingly sophisticated, the resilience of ransomware groups remains evident. Data compiled by Malwarebytes and NCC Group indicates a staggering increase in ransomware incidents, with recorded attacks rising from 356 in April to 470 in May 2024. Predominantly, these attacks have been attributed to emergent strains like LockBit and Play, highlighting the need for organizations to remain vigilant.

Amid these challenges, the MITRE ATT&CK framework provides insight into the potential tactics and techniques employed by these adversarial groups. Initial access methods such as phishing and the exploitation of weak passwords, alongside techniques for persistence and privilege escalation, are likely at play in these ransomware incidents. As such, continuous engagement in robust cybersecurity practices is essential for organizations to mitigate the risks posed by these evolving threats.

Group-IB emphasizes the adaptability of ransomware groups despite enhanced security measures and law enforcement efforts. As ransomware continues to adapt and thrive, business owners must prioritize cybersecurity strategies to navigate the increasingly perilous cyber landscape. Effective risk management and proactive defenses remain crucial in safeguarding sensitive data and ensuring organizational resilience against these relentless cyber threats.
