Key Takeaways
What is Eldorado?
Eldorado was first seen in the wild in March 2024, when it was advertised on the RAMP ransomware forum. Eldorado does not appear to overlap with any other known ransomware strain. Affiliates can customize the Eldorado ransomware build, specifying target networks, company names, ransom note details, and admin credentials.
Eldorado is written in Go, which makes it portable and lets it target multiple platforms. The encryptor ships in four builds: esxi, esxi_64, win, and win_64. Like many ransomware families, Eldorado deletes shadow volume copies to hinder recovery, avoids encrypting critical system files so the host stays bootable, and deletes itself after running to evade detection.
The ransomware uses ChaCha20 to encrypt file contents and RSA-OAEP to encrypt the per-file keys. It uses the SMB protocol to encrypt files on network shares and is also capable of lateral movement. The extension “.00000001” is appended to every encrypted file. After encryption, Eldorado drops a ransom note in the Documents and Desktop folders.
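The artefacts described above (the “.00000001” extension on encrypted files, a ransom note in the Desktop or Documents folder, and the high-entropy output that ChaCha20 produces) give a responder something concrete to look for on a host. The following triage script is an added example for this write-up, not PolySwarm tooling. It walks a directory tree, flags files carrying the Eldorado extension and measures their byte entropy, looks for text files in Desktop/Documents that read like a ransom note, and compares file hashes against the SHA-256 IOC listed below. The entropy threshold, the note keyword heuristic, and the constructed sample tree are assumptions made for the example; the ransom note file name is not given in the write-up, so the script does not rely on one.

```python
"""Host triage for artefacts consistent with the Eldorado behaviour described above.
Added example, not PolySwarm code. Thresholds and heuristics are assumptions."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ELDORADO_EXT = ".00000001"             # extension appended to encrypted files (from the write-up)
NOTE_DIRS = {"desktop", "documents"}   # folders where the ransom note is dropped (from the write-up)
NOTE_SUFFIXES = {".txt", ".html"}      # assumption: ransom notes are plain text or HTML
NOTE_KEYWORDS = ("decrypt", "encrypted")  # assumption: typical ransom-note vocabulary
ENTROPY_THRESHOLD = 7.5                # assumption: ChaCha20 ciphertext is close to 8 bits/byte
KNOWN_SHA256 = {                       # IOC from the write-up (the encryptor sample itself)
    "cb0b9e509a0f16eb864277cd76c4dcaa5016a356dd62c04dff8f8d96736174a7",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_ransom_note(path: Path) -> bool:
    if path.parent.name.lower() not in NOTE_DIRS or path.suffix.lower() not in NOTE_SUFFIXES:
        return False
    text = path.read_text(errors="replace").lower()
    return all(k in text for k in NOTE_KEYWORDS)


def scan_tree(root) -> dict:
    """Return encrypted-file candidates, ransom-note candidates, and known-hash matches under root."""
    root = Path(root)
    encrypted, notes, hash_hits = [], [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if sha256_of(path) in KNOWN_SHA256:
            hash_hits.append(str(path))
        if path.name.endswith(ELDORADO_EXT):
            # Sample the first 4 KiB: enough to distinguish ciphertext from ordinary data.
            with path.open("rb") as fh:
                ent = shannon_entropy(fh.read(4096))
            encrypted.append({
                "path": str(path),
                "entropy": round(ent, 2),
                "high_entropy": ent >= ENTROPY_THRESHOLD,
            })
        elif looks_like_ransom_note(path):
            notes.append(str(path))
    return {
        "encrypted_files": encrypted,
        "ransom_notes": notes,
        "known_hash_matches": hash_hits,
        # Extension plus note together are a much stronger signal than either alone.
        "suspected_eldorado": bool(encrypted) and bool(notes),
    }


def build_fixture() -> Path:
    """Constructed sample tree for a dry run; the contents are not real Eldorado output."""
    base = Path(tempfile.mkdtemp(prefix="eldorado-triage-"))
    docs = base / "Documents"
    docs.mkdir()
    (docs / "report.docx" + ELDORADO_EXT if False else docs / ("report.docx" + ELDORADO_EXT)).write_bytes(os.urandom(4096))
    (docs / "HOW_TO_RECOVER.txt").write_text("Your files have been encrypted. Contact us to decrypt them.")
    (base / "unrelated.txt").write_text("ordinary plain text, untouched")
    return base


if __name__ == "__main__":
    report = scan_tree(build_fixture())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running the block on its own builds the constructed tree and prints the report; in practice you would point scan_tree at a user profile or a mounted share. The combined verdict deliberately requires both the extension and a note, since a stray file named with eight digits is not evidence of anything on its own, whereas entropy is reported per file so an analyst can see whether the content is actually ciphertext.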
Between March and June 2024, Eldorado claimed 16 victims, and its activity is increasing. Most Eldorado victims so far are located in the US. Targeted verticals include real estate, education, professional services, healthcare, and manufacturing.
IOCs
PolySwarm has a sample of Eldorado (SHA-256):
cb0b9e509a0f16eb864277cd76c4dcaa5016a356dd62c04dff8f8d96736174a7
You can use the following CLI command to search for all Eldorado samples in our portal:
$ polyswarm link list -f Eldorado