The Road to Eldorado Ransomware

Ransomware

July 11, 2024

In March 2024, researchers discovered Eldorado, a new ransomware-as-a-service (RaaS). A Russian-speaking representative of Eldorado posted on the RAMP forum to advertise the program and recruit affiliates, advertised as "penetration testers," to join the group. Eldorado appears to be a standalone operation rather than a rebrand of a prior group. As of June, Eldorado had claimed 16 victims, 13 of them companies based in the United States, across industries including real estate, education, manufacturing, and healthcare.

Eldorado can encrypt both Linux and Windows systems using two distinct malware variants. Although the two builds differ, they share a common base: both are written in Golang, both encrypt file contents with ChaCha20, and both wrap the symmetric file keys with RSA using Optimal Asymmetric Encryption Padding (OAEP). Because only the operator holds the RSA private key, files cannot be recovered by analyzing the sample alone. During encryption, the ".00000001" extension is appended to each file, and once encryption completes, a ransom note named "HOW_RETURN_YOUR_DATA.TXT" is written to the Documents folder and the Desktop. On Windows systems, volume shadow copies are deleted to prevent recovery from local snapshots. The malware deletes itself after running to hinder detection and analysis, so responders should expect to rely on EDR telemetry and memory rather than on recovering the binary from disk.

Both variants expose attack parameters that the affiliate can tune. The Windows variant allows selecting which directories to encrypt or skip, targeting network shares on specified subnets, encrypting local files in addition to shares, and disabling the self-deletion behavior. The Linux variant is limited to choosing which directories to encrypt.
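The indicators described above (the ".00000001" extension, the "HOW_RETURN_YOUR_DATA.TXT" note, and shadow copy removal) lend themselves to the kind of behavior-based detection recommended below. The following Python script is an added example, not code from the original advisory or from any vendor tool; it runs simple detection logic over constructed endpoint log lines. The log format (`time|event|pid|payload`) and the sample events are invented for illustration, and the command-line patterns used to spot shadow copy deletion are an assumption, since the advisory states only that shadow copies are removed, not how.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the advisory text.
ENCRYPTED_EXT = ".00000001"
RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"

# Assumption: shadow copies are removed with one of the usual Windows commands
# (vssadmin, wmic, or WMI via PowerShell). The advisory does not name the method.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy.*\.delete\(\))",
    re.IGNORECASE,
)

RENAME_THRESHOLD = 5                   # renames to ENCRYPTED_EXT by one pid ...
RENAME_WINDOW = timedelta(seconds=10)  # ... within this sliding window

# Constructed sample log: one process encrypts files after deleting shadow copies.
SAMPLE_LOG = [
    "2024-07-01T10:00:00|process|412|C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "2024-07-01T10:00:05|process|4120|vssadmin.exe delete shadows /all /quiet",
    "2024-07-01T10:00:06|file_rename|4120|C:\\Users\\alice\\Documents\\q1.xlsx -> C:\\Users\\alice\\Documents\\q1.xlsx.00000001",
    "2024-07-01T10:00:07|file_rename|4120|C:\\Users\\alice\\Documents\\plan.docx -> C:\\Users\\alice\\Documents\\plan.docx.00000001",
    "2024-07-01T10:00:07|file_rename|4120|C:\\Users\\alice\\Documents\\notes.txt -> C:\\Users\\alice\\Documents\\notes.txt.00000001",
    "2024-07-01T10:00:08|file_rename|4120|C:\\Users\\alice\\Desktop\\photo.jpg -> C:\\Users\\alice\\Desktop\\photo.jpg.00000001",
    "2024-07-01T10:00:08|file_rename|4120|C:\\Users\\alice\\Desktop\\budget.pdf -> C:\\Users\\alice\\Desktop\\budget.pdf.00000001",
    "2024-07-01T10:00:09|file_create|4120|C:\\Users\\alice\\Desktop\\HOW_RETURN_YOUR_DATA.TXT",
    "2024-07-01T10:01:00|file_rename|900|C:\\Users\\alice\\old.txt -> C:\\Users\\alice\\old.bak",
]


def parse_line(line):
    """Parse one constructed log line of the form 'ISO-time|event|pid|payload'."""
    ts, event, pid, payload = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "event": event, "pid": int(pid), "payload": payload}


def analyze(lines):
    """Return (rule, pid, detail) findings for the three Eldorado behaviors."""
    findings = []
    renames = defaultdict(list)  # pid -> timestamps of renames to ENCRYPTED_EXT
    flagged = set()              # pids already reported for mass renaming
    for line in lines:
        ev = parse_line(line)
        if ev["event"] == "process" and SHADOW_DELETE.search(ev["payload"]):
            findings.append(("shadow_copy_deletion", ev["pid"], ev["payload"]))
        elif ev["event"] == "file_create":
            name = ev["payload"].replace("/", "\\").rsplit("\\", 1)[-1]
            if name.upper() == RANSOM_NOTE:
                findings.append(("ransom_note_dropped", ev["pid"], ev["payload"]))
        elif ev["event"] == "file_rename" and ev["payload"].lower().endswith(ENCRYPTED_EXT):
            window = renames[ev["pid"]]
            window.append(ev["ts"])
            # Drop timestamps that fell out of the sliding window.
            while window and ev["ts"] - window[0] > RENAME_WINDOW:
                window.pop(0)
            if len(window) >= RENAME_THRESHOLD and ev["pid"] not in flagged:
                flagged.add(ev["pid"])
                detail = f"{len(window)} renames to {ENCRYPTED_EXT} within {RENAME_WINDOW.seconds}s"
                findings.append(("mass_rename_to_ext", ev["pid"], detail))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_LOG):
        print(f"[{rule}] pid={pid}: {detail}")
```

The rename-burst rule is the one that matters in practice: the extension and note name can change between builds, but a single process renaming many files to one new suffix in a few seconds is a behavioral signal that survives such changes, and the shadow copy deletion typically precedes it, which is why the script reports that first.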

Recommendations

  • Review the Ransomware: Risk Mitigation Strategies NJCCIC product for more information on ransomware and techniques to mitigate the risk of data loss.
  • Facilitate user awareness training to include these types of mitigation techniques.
  • Back up data regularly, keeping offline or immutable copies, since local shadow copies are deleted by the malware and cannot be relied on for recovery.
  • Maintain robust and up-to-date endpoint detection tools on every endpoint.
  • Consider leveraging behavior-based detection tools rather than signature-based tools.
  • Report ransomware and other malicious cyber activity to the FBI’s IC3 and the NJCCIC.