ELDORADO RANSOMWARE: A RISING THREAT 

A new ransomware gang has quickly made a name for itself by causing severe disruption to organizations worldwide: halting operations, damaging reputations, and compromising sensitive data.  

It goes by the name of Eldorado and was first discovered in March 2024 by the cybersecurity company Group-IB, through an advertisement on a dark web forum.   

Experts who have closely monitored the group observe that its ransomware builder targets Windows, Linux, and other platforms.  

So far, it has caused havoc across industries, particularly finance, real estate, telecommunications, transportation, government and military, education, professional services, healthcare, and manufacturing. 

The difference between the dark web and the deep web is that the dark web makes up only 0.01% of the deep web and requires even more specific addresses, credentials, and software to access, such as the Tor browser, which lets users browse the internet anonymously by routing their traffic through several layers of relays, known as an onion network.  

What makes the ransomware dangerous? 

According to experts, this ransomware-as-a-service does not resemble other ransomware: its builder does not rely on previously leaked decryptors or source code, such as the LockBit 3 or Babuk source code. It offers its affiliates dangerous capabilities, including cross-platform support for Windows and Linux, which widens the pool of potential victims.  

With it, affiliates gain a powerful option to customize the ransomware to their specific needs.  

It is a double extortion ransomware, much like Brain Cipher, Space Bears, and Shinra.  

It has recently gained popularity, with a sudden spike in advertisements on dark web forums. It offers affiliates the option to customize admin credentials, the names of the companies and networks to be targeted, and the details displayed in the ransom note.  

How does it work? 

Attackers using Eldorado ransomware rely on custom-crafted Python scripts to deliver their payload and exfiltrate their victims' data effectively.  
</gml_replace>
<gr_replace lines="34" cat="clarify" orig="The ransomware encrypts">
The ransomware encrypts the victim's sensitive data, appending the .00000001 extension to the locked files, and drops a ransom note on the system with details for contacting the group to pay the ransom.  

The ransomware encrypts the victim’s sensitive data and appends. lock extension, appending the files with .00000001 with a ransom note in their systems with details to contact the group for payment of ransom.  

The builder offers four variants (esxi, esxi_64, win, and win_64), and the encryptor uses ChaCha20 with a randomly generated 32-byte key and a 12-byte nonce. 

The attackers use a PowerShell command to overwrite the locker with random bytes before deleting it, covering their tracks. The ransomware is written in Go, which gives it its cross-platform capability, and it uses the Server Message Block (SMB) protocol to encrypt files on network shares.  
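A responder scoping an incident needs a fast way to see which directories and shares carry locked files and whether encryption is still in progress. The following triage scanner is an added example, not code from the original post or from Group-IB; the .00000001 extension comes from the post, while the directory layout, file names and the "recent write" window are constructed assumptions.

```python
"""Triage helper: find files carrying the .00000001 extension the post
associates with Eldorado, count them per directory, and flag whether the
encryption run looks recent (a sign containment is not yet complete)."""
import os
import tempfile
import time
from collections import defaultdict

ELDORADO_EXT = ".00000001"  # appended to locked files, per the post


def scan_for_locked_files(root, active_window_s=600):
    """Walk `root`; return counts per directory plus first/last write times.
    `active_window_s` (assumed default 10 min) decides the `still_active` flag."""
    by_dir = defaultdict(int)
    mtimes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(ELDORADO_EXT):
                by_dir[os.path.relpath(dirpath, root)] += 1
                mtimes.append(os.path.getmtime(os.path.join(dirpath, name)))
    last = max(mtimes) if mtimes else None
    return {
        "total": sum(by_dir.values()),
        "by_dir": dict(by_dir),
        "first_seen": min(mtimes) if mtimes else None,
        "last_seen": last,
        "still_active": last is not None and (time.time() - last) < active_window_s,
    }


def build_sample_tree():
    """Create a constructed tree imitating a partially encrypted share."""
    root = tempfile.mkdtemp(prefix="eldorado_triage_")
    layout = {  # constructed sample layout, not real victim data
        "finance": ["q1.xlsx.00000001", "q2.xlsx.00000001", "readme.txt"],
        "hr": ["payroll.docx.00000001"],
        "public": ["logo.png"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


def demo_scan():
    """Build the sample tree and scan it; returns the report dict."""
    return scan_for_locked_files(build_sample_tree())


if __name__ == "__main__":
    report = demo_scan()
    print(f"{report['total']} file(s) with {ELDORADO_EXT}; still active: {report['still_active']}")
    for directory, count in sorted(report["by_dir"].items()):
        print(f"  {directory}: {count}")
```

Run against the root of a suspect share to get a per-directory count; a `still_active` result of True means locked files were written within the window and the host should be isolated before recovery starts.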

How to defend against the threat of ransomware? 

The following are some best practices for dealing with a ransomware attack:

Prevent

  • Implement anti-phishing measures 
  • Enable multi-factor authentication and restrict access based on zero trust 
  • Implement anti-ransomware mechanisms  
  • Follow the 3-2-1 rule for data backups  
  • Keep hardware and software patched with the latest security updates 

Respond  

  • Don’t make the mistake of panicking 
  • Follow the incident response procedures and start containment 
  • Perform a check to identify whether the attacker still has access to the systems 
  • Keep systems in a stable state  
  • Remove backups from infected systems 
  • Inform and coordinate with relevant parties 
  • Report the incident in detail to local law enforcement agencies 

Recover 

  • Always avoid paying the ransom 
  • Explore whether there is a decryption key available for the said ransomware 
  • Seek assistance from law enforcement and cybersecurity experts wherever needed 

Learn more about how to deal with a ransomware attack  

To summarize  

A new ransomware-as-a-service named Eldorado has been active since March 2024, impacting multiple organizations worldwide. It provides its affiliates with dangerous capabilities, including cross-platform support that increases the number of victims that can be targeted.  

The evolution of attacker tactics and techniques has outpaced the growth in awareness of and readiness against cyber threats, giving modern attackers an increased edge. The widening cybersecurity skills shortage only makes matters worse.   

In a State of Ransomware report published by ransomware.org, over 56% of companies reported that they are more likely to become a target of ransomware attacks.  

It is therefore critical to proactively prioritize ransomware readiness: carefully assess the current security posture for gaps and address them with the best practices recommended by compliance frameworks.  
