The PolySwarm Blog


Eldorado Ransomware

Jul 15, 2024 2:43:58 PM / by The Hivemind

Verticals Targeted: Real Estate, Education, Professional Services, Healthcare, Manufacturing

Executive Summary

Eldorado is a relatively new ransomware as a service (RaaS) that targets both Windows and Linux systems. The ransomware has already claimed 16 victims and is gaining momentum.

Key Takeaways

  • Eldorado is a relatively new ransomware as a service (RaaS) that targets both Windows and Linux systems. 
  • The encryptor has four formats: esxi, esxi_64, win, and win_64.
  • Eldorado uses ChaCha20 for file encryption and RSA-OAEP to encrypt the file keys.
  • Affiliates are able to customize the Eldorado ransomware build, specifying target networks, company names, ransom note details, and admin credentials.

What is Eldorado?

Eldorado is a relatively new ransomware as a service (RaaS) that targets both Windows and Linux systems. Group-IB recently reported on Eldorado.

Eldorado was first seen in the wild in March 2024 when it was advertised on the RAMP ransomware forum. Eldorado does not seem to overlap with other known ransomware strains. Affiliates are able to customize the Eldorado ransomware build, specifying target networks, company names, ransom note details, and admin credentials. 

Eldorado is written in Go, making it flexible and capable of targeting multiple platforms. The encryptor has four formats: esxi, esxi_64, win, and win_64. Like many ransomware families, Eldorado is capable of deleting shadow volume copies to hinder recovery, avoids encrypting critical system files, and deletes itself to evade detection.

The ransomware uses ChaCha20 to encrypt file contents and RSA-OAEP to encrypt the per-file keys. It uses the SMB protocol to encrypt files on network shares and is also capable of lateral movement. The extension “.00000001” is appended to every encrypted file. Following encryption, Eldorado drops a ransom note in the Documents and Desktop folders.

From March to June, Eldorado had already claimed 16 victims and is gaining momentum. The majority of Eldorado victims thus far are located in the US. Targeted verticals include real estate, education, professional services, healthcare, and manufacturing. 

IOCs

PolySwarm has a sample of Eldorado.


SHA-256: cb0b9e509a0f16eb864277cd76c4dcaa5016a356dd62c04dff8f8d96736174a7
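As an added illustration (not code from PolySwarm or from the Eldorado report), the Python script below turns the two concrete indicators given in this post into a host-side check: it walks a directory tree, flags every file carrying the “.00000001” extension, measures the entropy of each flagged file so that real ChaCha20 ciphertext can be told apart from a file that was merely renamed, and compares a file's SHA-256 against the sample hash listed above. The demo tree it builds is constructed data, not a real infection; the 7.0 bits-per-byte threshold and the function names are assumptions of this example.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension Eldorado appends to every encrypted file (from the report above).
ELDORADO_EXT = ".00000001"

# SHA-256 of the Eldorado sample referenced in this post; extend with your own IOC feed.
KNOWN_SAMPLE_HASHES = {
    "cb0b9e509a0f16eb864277cd76c4dcaa5016a356dd62c04dff8f8d96736174a7",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ChaCha20 output sits close to the 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_known_sample(path, known=KNOWN_SAMPLE_HASHES) -> bool:
    """True when the file's SHA-256 is a published Eldorado sample hash."""
    return sha256_file(path) in known


def scan_tree(root, entropy_threshold=7.0, sample_bytes=1 << 16):
    """Walk `root` and report every file carrying the Eldorado extension.

    Each hit records the entropy of the file's first `sample_bytes`; genuine
    ciphertext scores near 8.0, while a file that was only renamed with the
    extension does not. The 7.0 threshold is an assumption of this example.
    """
    hits = []
    for path in Path(root).rglob("*"):
        # Path.suffix of "report.docx.00000001" is ".00000001", the last suffix only.
        if not path.is_file() or path.suffix != ELDORADO_EXT:
            continue
        with open(path, "rb") as f:
            head = f.read(sample_bytes)
        ent = shannon_entropy(head)
        hits.append({
            "name": path.name,
            "directory": str(path.parent),
            "entropy": round(ent, 2),
            "high_entropy": ent >= entropy_threshold,
        })
    return hits


def build_demo_tree() -> str:
    """Constructed sample data (not a real infection): one random-byte file standing
    in for ChaCha20 ciphertext, one all-zero file with the extension, one untouched file."""
    root = tempfile.mkdtemp(prefix="eldorado_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / ("report.docx" + ELDORADO_EXT)).write_bytes(os.urandom(4096))
    (docs / ("zeros.bin" + ELDORADO_EXT)).write_bytes(bytes(4096))
    (docs / "notes.txt").write_text("quarterly figures, untouched\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for hit in scan_tree(demo_root):
        flag = "ENCRYPTED?" if hit["high_entropy"] else "renamed-only"
        print(f"{flag:13s} {hit['entropy']:.2f}  {hit['directory']}/{hit['name']}")
    print("hash match on notes.txt:",
          matches_known_sample(os.path.join(demo_root, "Documents", "notes.txt")))
```

Run it against a user profile or a mounted share (the paths Eldorado reaches over SMB) to get a quick count of affected files per directory; the entropy column keeps a stray renamed file from being mistaken for an encrypted one, and the hash check is the piece to feed from a fuller IOC list than the single sample hash this post provides.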


You can use the following CLI command to search for all Eldorado samples in our portal:

$ polyswarm link list -f Eldorado

