A new player has entered the cybercrime arena. A ransomware-as-a-service (RaaS) named Eldorado, first observed in March, has been specifically designed to target VMware ESXi and Windows systems. The group behind this malicious software has already claimed 16 victims, the majority of whom are based in the U.S., spanning sectors such as real estate, education, healthcare, and manufacturing.
Group-IB, a cybersecurity company, has been closely monitoring Eldorado's activities. They noted the operators advertising their service on RAMP forums, actively recruiting skilled affiliates to join their program. Eldorado also maintains a data leak site to list its victims, although it was not accessible at the time of writing.
Eldorado is a Go-based ransomware capable of encrypting both Windows and Linux platforms. It operates through two distinct variants that share significant operational similarities. The malware uses the ChaCha20 algorithm for encryption, generating a unique 32-byte key and 12-byte nonce for each locked file. These keys and nonces are then encrypted using RSA with the Optimal Asymmetric Encryption Padding (OAEP) scheme.
Once the encryption process is complete, files are appended with the “.00000001” extension and ransom notes named “HOW_RETURN_YOUR_DATA.TXT” are left in the Documents and Desktop folders. The ransomware also encrypts network shares using the SMB communication protocol to maximize its impact and deletes shadow volume copies on the compromised Windows machines to prevent recovery.
Interestingly, Eldorado avoids DLLs, LNK, SYS, and EXE files, as well as files and directories related to system boot and basic functionality. This is done to avoid rendering the system unbootable or unusable. In a unique move, it’s set by default to self-delete to evade detection and analysis by response teams.
According to Group-IB researchers, who managed to infiltrate the operation, affiliates have the ability to customize their attacks. For instance, on Windows, they can specify which directories to encrypt, skip local files, target network shares on specific subnets, and prevent self-deletion of the malware. However, on Linux, customization parameters are limited to setting the directories to encrypt.
