A newly surfaced ransomware-as-a-service (RaaS) operation known as Eldorado ships locker variants that encrypt files on both Windows and Linux hosts.
Eldorado made its debut on March 16, 2024, when an advertisement for its affiliate program appeared on the ransomware forum RAMP, according to Singapore-headquartered Group-IB.
The cybersecurity firm, which infiltrated the ransomware group, noted that its representative is a Russian speaker and that the malware does not overlap with previously leaked strains such as LockBit or Babuk.
“Eldorado ransomware utilizes Golang to ensure cross-platform functionality, employing ChaCha20 for file encryption and Rivest-Shamir-Adleman Optimal Asymmetric Encryption Padding (RSA-OAEP) for key encryption,” explained researchers Nikolay Kichatov and Sharmine Low. “It is capable of encrypting files on shared networks using the Server Message Block (SMB) protocol.”
The Eldorado encryptor comes in four builds: esxi, esxi_64, win, and win_64, the esxi builds being the Linux-side variants aimed at VMware ESXi hypervisors. Its data leak site already listed 16 victims as of June 2024: 13 in the U.S., two in Italy, and one in Croatia.
The targeted entities span various sectors including real estate, education, professional services, healthcare, and manufacturing.
Further examination of artifacts from the Windows build revealed a PowerShell command that overwrites the locker binary with random bytes before deleting it, an anti-forensic step intended to prevent the sample from being recovered after the attack. Because the file itself is destroyed, the recorded PowerShell command line or script block, together with any process-creation telemetry captured while the locker ran, is often the only artifact left for responders.
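The anti-forensic step described above (overwrite the binary, then delete it) leaves the PowerShell command itself as the main surviving artifact, which is where detection can hook in. The following is an added example, not code from this page or from Group-IB's analysis: it scans constructed PowerShell script-block records for a write to and a deletion of the same path within a single script block, and rates the finding higher when the script also draws on a random-number source. The event shape, host names, paths and regex heuristics are assumptions for illustration; the actual Eldorado command is not reproduced here.

```python
import re

# Constructed records in the shape of Windows PowerShell "ScriptBlockText"
# events (Event ID 4104). Illustrative samples only, not Eldorado telemetry.
SAMPLE_EVENTS = [
    {"id": 4104, "host": "ws01",
     "script": "Get-ChildItem C:\\Users -Recurse | Sort-Object Length -Descending"},
    {"id": 4104, "host": "ws02",
     "script": "$b = New-Object byte[] 1048576; (New-Object Random).NextBytes($b); "
               "[IO.File]::WriteAllBytes('C:\\ProgramData\\svc.exe', $b); "
               "Remove-Item -Force 'C:\\ProgramData\\svc.exe'"},
    {"id": 4104, "host": "ws03",
     "script": "Remove-Item C:\\Temp\\old.log"},
    {"id": 4104, "host": "ws04",
     "script": "Set-Content -Path 'C:\\Temp\\a.exe' -Value ([byte[]]::new(4096)) -Encoding Byte; "
               "Remove-Item 'C:\\Temp\\a.exe'"},
]

# A Windows path as it appears as a literal argument (stops at quotes, spaces, ')').
PATH = r"""[A-Za-z]:\\[^'"\s)]+"""
# Commands that write file contents, and the first path argument after them.
WRITE_RE = re.compile(
    r"(?:WriteAllBytes|WriteAllText|Set-Content|Add-Content|Out-File)[^;]*?(?P<path>" + PATH + ")",
    re.IGNORECASE)
# Commands that delete a file, and the first path argument after them.
DELETE_RE = re.compile(
    r"(?:Remove-Item|\bdel\b|\berase\b|\[(?:System\.)?IO\.File\]::Delete)[^;]*?(?P<path>" + PATH + ")",
    re.IGNORECASE)
# Evidence that the written bytes come from a random source rather than fixed filler.
RANDOM_RE = re.compile(r"Random|RNGCryptoServiceProvider|NextBytes", re.IGNORECASE)


def analyze(event):
    """Return a finding when one script block both writes to and deletes the same path."""
    script = event["script"]
    written = {m["path"].lower() for m in WRITE_RE.finditer(script)}
    deleted = {m["path"].lower() for m in DELETE_RE.finditer(script)}
    overlap = written & deleted
    if not overlap:
        return None
    randomised = RANDOM_RE.search(script) is not None
    return {
        "host": event["host"],
        "event_id": event["id"],
        "paths": sorted(overlap),
        "severity": "high" if randomised else "medium",
        "reason": ("overwrite with random bytes then delete" if randomised
                   else "overwrite then delete"),
    }


def scan(events):
    """Run analyze() over a batch of script-block events and keep the hits."""
    return [f for f in map(analyze, events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The heuristic is deliberately narrow: it fires only when the same literal path is both written and deleted in one block, so routine cleanup of a temp file it created with fixed content lands at medium rather than high. It assumes script-block logging is enabled; without it, process-creation events that record the full PowerShell command line are the fallback source.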
Eldorado joins the roster of double-extortion ransomware players that have emerged recently, including Arcus Media, AzzaSec, dan0n, Limpopo (also known as SOCOTRA, FORMOSA, SEXi), LukaLocker, Shinra, and Space Bears, underscoring how persistent the threat remains.
LukaLocker, attributed by Halcyon to an operator it tracks as Volcano Demon, is notable for not running a data leak site: the group instead phones victims directly to negotiate payment after encrypting Windows workstations and servers.
This development coincides with the discovery of new Linux variants of Mallox (also known as Fargo, TargetCompany, Mawahelper) ransomware, alongside decryptors associated with seven different builds.
Mallox is spread mainly by brute-forcing Microsoft SQL Server instances and through phishing emails aimed at Windows systems; recent intrusions have also used a .NET-based loader named PureCrypter.
“The attackers are employing custom Python scripts for payload delivery and exfiltration of victim information,” remarked Uptycs researchers Tejaswini Sandapolla and Shilpesh Trivedi. “The malware encrypts user data and appends the .locked extension to encrypted files.”
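Because the Mallox intrusion chain above starts with password guessing against SQL Server, the failed-login records the server writes are the earliest place to catch it. The following is an added example, not code from this page or from Uptycs: it parses constructed lines in the style of the SQL Server ERRORLOG (error 18456 "Login failed for user" records with a [CLIENT: ip] suffix), alerts on any client that exceeds a failure threshold inside a sliding window, and escalates when that client then logs in successfully. The log lines, IP addresses, usernames, threshold and window are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed lines in the style of the SQL Server ERRORLOG (not a real capture):
# a burst of failed logins from one client followed by a success, plus one
# unrelated failure from another host.
SAMPLE_LOG = """\
2024-06-12 10:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-06-12 10:15:01.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-06-12 10:15:01.52 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2024-06-12 10:15:02.04 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-06-12 10:15:02.27 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-06-12 10:15:02.49 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-06-12 10:15:03.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-06-12 10:20:00.00 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse(lines):
    """Yield parsed logon events; lines that are not logon records are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert on any client IP with >= threshold failed logins inside a sliding
    window, and escalate if that IP then logs in successfully within the window."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    total = Counter()             # ip -> all failures seen
    users = defaultdict(set)      # ip -> usernames tried
    alerts = {}                   # ip -> alert record (one per offending ip)
    for ev in parse(lines):
        ip = ev["ip"]
        if ev["outcome"] == "failed":
            total[ip] += 1
            users[ip].add(ev["user"])
            q = recent[ip]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:   # drop failures that aged out
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"ip": ip, "first": q[0],
                                               "success_after_burst": False,
                                               "success_user": None})
                alert["last"] = ev["ts"]
        elif ip in alerts and ev["ts"] - alerts[ip]["last"] <= window:
            # A success shortly after the burst is the signal that guessing worked.
            alerts[ip]["success_after_burst"] = True
            alerts[ip]["success_user"] = ev["user"]
    for ip, alert in alerts.items():
        alert["failures"] = total[ip]
        alert["users"] = sorted(users[ip])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Two caveats for production use: SQL Server records successful logins only when login auditing is set to log both failed and successful logins (the default logs failures only), so the escalation branch needs that setting; and the same 18456 events also reach the Windows Application log, so the parser can be pointed at either source. A threshold of five failures in a minute is an assumed starting point and should be tuned against the server's normal failure rate.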
Avast has provided a decryptor for DoNex and its predecessors (Muse, fake LockBit 3.0, and DarkRace) by exploiting a flaw in their cryptographic scheme. The Czech cybersecurity company has been discreetly offering this decryptor to victims since March 2024 in collaboration with law enforcement agencies.
“Despite efforts by law enforcement and enhanced security measures, ransomware groups continue to adapt and thrive,” observed Group-IB.
Data compiled by Malwarebytes and NCC Group, based on victims listed on leak sites, shows ransomware attacks rising to 470 in May 2024 from 356 in April, with a significant share attributed to LockBit, Play, Medusa, Akira, 8Base, and Qilin.
“The ongoing evolution of new ransomware variants and the emergence of sophisticated affiliate programs underscore that this threat remains far from being contained,” emphasized Group-IB. “Organizations must maintain vigilance and proactive cybersecurity measures to mitigate the risks posed by these constantly evolving threats.”