Eldorado Ransomware: A Dark Web Analysis by SOCRadar® Cyber Intelligence Inc.

The Eldorado ransomware group, which reportedly emerged in March, operates a new Ransomware-as-a-Service (RaaS) platform featuring locker variants specifically designed for VMware ESXi and Windows systems. However, this group, which is thought to be of Russian origin, might have older ties.

This post delves into the origins, tactics, and impact of Eldorado, providing a comprehensive overview of this notorious cybercriminal organization.

Threat Actor Card for Eldorado Ransomware

Threat Actor Card for Eldorado Ransomware

Who is Eldorado Ransomware?

El Dorado, often linked to the legend of a golden city or kingdom, originally referred to a 16th-century Muisca chief in Colombia known as El Hombre Dorado (“The Golden Man”) or El Rey Dorado (“The Golden King”). This chief covered himself in gold dust and submerged in Lake Guatavita as an initiation rite. Similarly, threat actors using this alias aim to make their own fortune.

A depiction of Eldorado Ransomware created with Bing AI

A depiction of Eldorado Ransomware created with Bing AI

The Eldorado ransomware group appears to have started recruiting affiliates or members on the RAMP forum around March, 2024. Known for its distinctive ransomware, which targets both Windows and Linux systems, Eldorado has rapidly garnered its first attention in June. As a Ransomware-as-a-Service (RaaS) platform, it enables affiliates to use their ransomware toolkit to execute attacks, greatly expanding their reach and impact.

Post of the group’s possible owner on March 15, the Russian text as translated by Google: “I will provide people and teams with a locker on mutually beneficial terms, PM everyone immediately with tox”

Post of the group’s possible owner on March 15, the Russian text as translated by Google: “I will provide people and teams with a locker on mutually beneficial terms, PM everyone immediately with tox”

The SOCRadar Dark Web team has been monitoring the group’s data leak site since it emerged in June. In an article published in early July, it was reported that the group’s activities were ongoing since at least March 2024. However, it is possible that the group has been active for a longer period than currently known in a different shape or form.

A post of the same threat actor in November, as translated by Google: “I'm constantly looking for pensters to join my team, I have everything, I don’t need anything more”

A post of the same threat actor in November, as translated by Google: “I’m constantly looking for pensters to join my team, I have everything, I don’t need anything more”

The threat actor with the pseudonym $$$ was looking for pen-testers to join his team on the Russian hacking forum called RAMP in November 2023. Such postings can be, and have been, early signals of a ransomware group.

One of the latest post from the threat actor in 23 of July, as translated by Google: “Once again I’m raising a locker that no one needs in the hope of attracting the attention of partners and clients”

One of the latest post from the threat actor in 23 of July, as translated by Google: “Once again I’m raising a locker that no one needs in the hope of attracting the attention of partners and clients”

The ransomware group leader is still looking for affiliates in the same forum. The main problem of the group, which has not been active since June, seems to be the lack of affiliates and partners. So, let’s see what danger this group could pose if it can reach a wider affiliate network.

How Eldorado Ransomware Attacks?

Initial Access and Exploitation

Although the exact strategy used by the group at the initial access point is unclear, it can be inferred that their primary access vector involves exploiting unpatched vulnerable systems, especially given that their known samples target VMware ESXi -a bare metal hypervisor, meaning it is installed directly on a physical server, allowing multiple virtual machines to run on the same hardware- servers. Additionally, the group likely seeks to obtain accesses such as Remote Desktop Protocol (RDP) access, and their search for pen-testers prior to the ransomware operation further support these hypotheses.

Targeting VMware ESXi

One of Eldorado’s notable strategies involves targeting VMware ESXi servers. These servers are critical in enterprise environments, often hosting numerous virtual machines. By exploiting vulnerabilities in outdated ESXi versions, Eldorado can deploy ransomware that encrypts virtual machines, causing significant disruption and demanding hefty ransoms for decryption keys.

Furthermore, Eldorado has samples that have capabilities to attack both Windows and Linux environments. This dual-targeting approach expands their potential attack surface and makes them a versatile threat to various organizations.

Technical Details of Eldorado Ransomware

The group’s affiliate program’s details included a contact on the encrypted chat platform, TOX. The forum post, written in Russian, revealed that the ransomware was accompanied by a loader and that the attacker is still actively seeking team members for their operations.

This Russian-speaking operator primarily used a chat platform accessible via the Onion domain to communicate with victims. The ransomware’s control panel allows affiliates to generate ransomware samples by specifying parameters such as the name of the targeted network or company, the file name and text for the ransom note, and either the domain admin’s password or its hash.

Researchers obtained a copy of the Eldorado encryptor along with a user manual. The ransomware is available in four versions: esxi, esxi_64, win, and win_64.

Technically, Eldorado ransomware is written in Golang, known for its cross-platform capabilities. It supports both Windows and Linux operating systems.

Basic properties of a known sample, written in Golang (VirusTotal)

Basic properties of a known sample, written in Golang (VirusTotal)

According to researchers, the ransomware encrypts files using Chacha20 and RSA-OAEP. Each encrypted file is appended with a 32-byte key and 12-byte nonce, which are encrypted with RSA-OAEP and added to the end of the file.

The Windows version of Eldorado ransomware allows various command-line parameters to customize its operation, including options to specify directories for encryption, skip local files, define networks, and manage SMB credentials. It also includes a self-deletion mechanism, with an option to bypass this cleanup using the -keep flag. The Linux version is simpler, supporting only the -path argument, but uses the same encryption algorithms.

During execution, Eldorado ransomware logs its activities and communicates with the command and control server via WebSockets. To obscure its presence, it overwrites its own executable with random bytes before deleting it and removes shadow volume copies to prevent file recovery. This thorough approach to file encryption and system cleanup underscores the ransomware’s design to maximize disruption and complicate recovery efforts.

Ransom Note, Possible Ties

Similar to a classic ransomware operation, Eldorado ransomware leaves a text file titled “how to return or decrypt your files” in the Desktop and Documents folders. Interestingly, this ransom note is identical to one used by LostTrust ransomware, which has been inactive for some time.

Dropped files of how to return your data (Any.run)

Dropped files of how to return your data (Any.run)

It’s believed that the LostTrust group was a spin-off from a ransomware operation called MetaEncryptor. This suggests a possible connection between these operations. It’s also worth noting that ransomware actors, many of whom are based in Russia, often share tactics and tools, sometimes even assisting each other, creating a legacy of shared methods.

LostTrust’s ransom note is identical to Eldorado’s

LostTrust’s ransom note is identical to Eldorado’s

Another notable detail is that some Eldorado ransomware samples are detected by antivirus programs as Snatch malware. This may be due to its Golang codebase, but further investigation is needed. Additionally, when examining samples in open-source sources, it’s important to note that the infamous Eldorado Trojan, which shares the same name, can be confused with the ransomware samples used in this operation.

What are the Targets of Eldorado Ransomware?

According to their data leak site (DLS), since its emergence, Eldorado ransomware has impacted 15 companies across various countries and industries. The majority of these attacks, 11 out of 15, have been in the United States. Italy has seen two attacks, while the Republic of the Congo and Croatia have each experienced one attack.

Targeted countries so far

Targeted countries so far

The ransomware group’s most targeted sectors include Construction with three attacks, Education with two attacks, and Manufacturing, Information, Professional, Scientific & Technical Services, Telecommunications, Retail, Administrative and Support Services, Business Services, Amusement & Recreation Services, Administrative Services, and Transportation, each with one attack.

Targeted industries so far

Targeted industries so far

How to Protect Yourself Against Eldorado Ransomware?

As cyber threats continue to evolve, organizations must adopt a multifaceted approach to cybersecurity, especially in defending against ransomware attacks like Eldorado. Leveraging advanced security tools and implementing proactive strategies are imperative in fortifying digital defenses.

Anti-Malware Solutions: Implementing advanced anti-malware software is essential in combating Eldorado ransomware. These tools use signature-based detection, heuristic analysis, and machine learning algorithms to identify and block known and emerging ransomware variants. Coupled with Endpoint Detection and Response (EDR) solutions, organizations can enhance real-time threat detection and response capabilities.

Security Audits and Vulnerability Management: Conducting routine security audits and vulnerability assessments is critical to identifying and addressing potential security gaps within an organization’s infrastructure. By systematically evaluating network configurations, system settings, and application vulnerabilities, organizations can proactively remediate weaknesses exploited by Eldorado ransomware attackers.

Authentication and Access Controls: Enforcing strong authentication mechanisms like Multi-Factor Authentication (MFA) and implementing stringent access controls significantly enhances user account security and mitigates the risk of unauthorized access. This adds an extra layer of protection against Eldorado ransomware attacks targeting user credentials.

Comprehensive Backup and Disaster Recovery Planning: Developing a robust Backup and Disaster Recovery (BDR) plan is essential in mitigating the impact of Eldorado ransomware attacks and ensuring business continuity. Regular backup schedules for critical data, both onsite and offsite, along with backup testing and data recovery drills, validate the effectiveness of the BDR plan and ensure timely restoration of operations in case of an attack.

Dark Web Monitoring: Utilize SOCRadar’s Advanced Dark Web Monitoring to track unauthorized data transfers, detect PII exposures, and monitor dark web channels for potential threats related to Eldorado ransomware.

For further information about protection against ransomware, also check out our blog post titled “How to Detect & Prevent Ransomware Attacks (2024 CISO Edition).”

How Can SOCRadar Help?

Understanding the tactics and strategies of ransomware groups like Eldorado is crucial for organizations looking to bolster their cybersecurity defenses. Implementing robust mitigation measures and staying vigilant are key steps in combating these threats effectively.

SOCRadar’s Attack Surface Management includes a specialized Ransomware Check function designed to help organizations protect against ransomware attacks, including those orchestrated by groups like Eldorado. Our platform empowers you to proactively monitor potential attack vectors, detect suspicious activities, and take preemptive actions to safeguard your digital assets.

SOCRadar Attack Surface Management with ransomware check function

SOCRadar Attack Surface Management with ransomware check function

By leveraging SOCRadar’s intelligence-driven solutions, you can gain insights into threat actors’ methods and vulnerabilities, enabling you to fortify your cybersecurity posture. Our continuous monitoring and timely alerts ensure that you stay ahead of potential threats, allowing for swift responses and enhanced overall defense against ransomware and other cyber threats.

Integrating SOCRadar into your cybersecurity framework adds an additional layer of protection, helping you mitigate the risks posed by ransomware groups like Eldorado and ensuring the resilience of your organization’s security defenses.

Conclusion

In summary, the Eldorado ransomware group, emerging in March 2024(?), has quickly become a significant threat in the cyber landscape. Operating as a Ransomware-as-a-Service (RaaS) platform, Eldorado targets both VMware ESXi and Windows systems, expanding its reach and impact. Its technical sophistication, use of Golang, and ability to encrypt files with Chacha20 and RSA-OAEP highlight its capabilities.

The group’s recruitment efforts on forums and its potential connections to other ransomware groups like LostTrust and MetaEncryptor suggest a deeper, collaborative underground network. To combat this evolving threat, organizations must adopt advanced cybersecurity measures, including anti-malware solutions, regular security audits, strong authentication protocols, comprehensive backup plans, and dark web monitoring.

What are the TTPs of Eldorado Ransomware?

Below are the known and possible TTPs of Eldorado Ransomware operation, due to its being a RaaS the TTPs of the threat actors may expand and shrink inline with their capabilities.

Tactic Technique ID Technique Name Description
Initial Access T1190 Exploit Public-Facing Application Exploiting unpatched vulnerabilities in VMware ESXi servers to gain initial access.
Execution T1059.001 Command and Scripting Interpreter: PowerShell Utilizing PowerShell scripts for execution on Windows systems.
Persistence T1078 Valid Accounts Gaining access using stolen credentials for persistent or initial access.
Privilege Escalation T1068 Exploitation for Privilege Escalation Possibly exploiting vulnerabilities to gain higher privileges on the system.
Defense Evasion T1027 Obfuscated Files or Information Overwriting its own executable with random bytes before deletion.
Credential Access T1552 Unsecured Credentials Possibly searching for and obtaining passwords or hashes to use in further attacks.
Discovery T1018 Remote System Discovery Identifying remote systems and services for potential targets.
Lateral Movement T1021.001 Remote Desktop Protocol Possible use of RDP to move laterally within the network.
Collection T1074.001 Data Staged: Local Data Staging Staging data locally before exfiltration.
Exfiltration T1041 Exfiltration Over C2 Channel Exfiltrating data through command and control channels.
Impact T1486 Data Encrypted for Impact Encrypting files on the infected systems using Chacha20 and RSA-OAEP.
Impact T1490 Inhibit System Recovery Removing shadow volume copies to prevent file recovery.

For the IoCs please refer to SOCRadar Platform’s Ransomware Intelligence.

MITRE ATT&CK TTPs – created by AI

  • Initial AccessT1190: Exploit Public-Facing Application
    • Exploiting unpatched vulnerabilities in VMware ESXi servers to gain initial access.
  • ExecutionT1059.001: Command and Scripting Interpreter: PowerShell
    • Utilizing PowerShell scripts for execution on Windows systems.
  • PersistenceT1078: Valid Accounts
    • Gaining access using stolen credentials for persistent or initial access.
  • Privilege EscalationT1068: Exploitation for Privilege Escalation
    • Possibly exploiting vulnerabilities to gain higher privileges on the system.
  • Defense EvasionT1027: Obfuscated Files or Information
    • Overwriting its own executable with random bytes before deletion.
  • Credential AccessT1552: Unsecured Credentials
    • Possibly searching for and obtaining passwords or hashes to use in further attacks.
  • DiscoveryT1018: Remote System Discovery
    • Identifying remote systems and services for potential targets.
  • Lateral MovementT1021.001: Remote Desktop Protocol
    • Possible use of RDP to move laterally within the network.
  • CollectionT1074.001: Data Staged: Local Data Staging
    • Staging data locally before exfiltration.
  • ExfiltrationT1041: Exfiltration Over C2 Channel
    • Exfiltrating data through command and control channels.
  • ImpactT1486: Data Encrypted for Impact
    • Encrypting files on the infected systems using Chacha20 and RSA-OAEP.
  • ImpactT1490: Inhibit System Recovery
    • Removing shadow volume copies to prevent file recovery.

Source: Original Post