Monday, July 22, 2024

New Eldorado Ransomware Attacking Windows And Linux Systems

Ransomware-as-a-service (RaaS) has evolved into sophisticated enterprise-like model. From 2022 to 2023, ransomware programs advertised on the dark web increased by half, with 27 ads identified.

The RAMP forum was made the main hub of hiring for ransomware. Attacks published on specific leak sites rose by a margin of 74% which reached 4,583 in 2023.

This suggests an evolving and structured ecosystem of threat actors specializing in deploying ransomware.

Cybersecurity researchers at Group-IB recently identified that the new Eldorado ransomware has been attacking the Windows and Linux systems.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Eldorado Ransomware-as-a-service

In March 2024, a new ransomware affiliate program called Eldorado emerged on the RAMP forum. 

Developed by Russian-speaking actors, it uses custom-built malware for Windows and Linux, employing Golang, Chacha20, and RSA-OAEP encryption. 

New Eldorado Ransomware (Source – Group-IB)

By June 2024, Eldorado had attacked 16 companies, primarily in the US (81.25%), with Real Estate being the most targeted industry (18.75%). The group uses a dark web chat platform and a leak site for operations.

It was written in Golang, a programming language that can run on different operating systems, so it can infect both Microsoft and Linux users.

It adds “.00000001” to the names of all the files it encrypts and also uses personalized ransom notes.

Ransom note (Source – Group-IB)

The payload has command line parameters, a configuration compressed with gzip, logging to a specific IP over websockets, and if correctly provided with username/password combination, would also encrypt shared network files within an organization using SMB protocol.

Eldorado ransomware uses Chacha20 for file encryption and RSA-OAEP for key encryption. Besides this, it also generates unique keys for each file as well. 

Post-encryption, it self-destructs by overwriting with random bytes and deleting itself, unless specified otherwise. Even it also removes the Windows shadow volume copies. 

The Linux version is simpler, only encrypting the specified directories recursively.

Threat actors always change their strategies, even though ransomware is becoming more popular.

This trend is best exemplified by the Eldorado group, which quickly become a significant risk with its sophisticated cross-platform ransomware.

The dynamic nature of the ransomware threat is brought out by their success and the ongoing creation of new strains of malware and affiliate programs.

Organizations should consequently remain vigilant as this threat remains persistent and they have to change their cybersecurity approach.


Here below we have mentioned all the recommendations:-

  • Implement multi-factor authentication (MFA)
  • Use Endpoint Detection and Response (EDR) for early threat detection.
  • Maintain regular data backups
  • Deploy advanced malware detonation solutions
  • Prioritize timely security patching
  • Conduct employee cybersecurity training
  • Perform regular vulnerability assessments
  • Avoid paying ransoms


IoCs (Source – Group-IB)

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo


Latest articles

SonicOS IPSec VPN Vulnerability Let Attackers Cause Dos Condition

SonicWall has disclosed a critical heap-based buffer overflow vulnerability in its SonicOS IPSec VPN....

Hackers Registered 500k+ Domains Using Algorithms For Extensive Cyber Attack

Hackers often register new domains for phishing attacks, spreading malware, and other deceitful activities. Such...

Hackers Claim Breach of Daikin: 40 GB of Confidential Data Exposed

Daikin, the world's largest air conditioner manufacturer, has become the latest target of the...

Emojis Are To Express Emotions, But CyberCriminals For Attacks

There are 3,664 emojis that can be used to express emotions, ideas, or objects...

Beware Of Fake Browser Updates That Installs Malicious BOINC Infrastructre

SocGholish malware, also known as FakeUpdates, has exhibited new behavior since July 4th, 2024,...

Data Breach Increases by Over 1,000% Annually

The Identity Theft Resource Center® (ITRC), a nationally recognized nonprofit organization established to support...

UK Police Arrested 17-year-old Boy Responsible for MGM Resorts Hack

UK police have arrested a 17-year-old boy from Walsall in connection with a notorious...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles