Eldorado Ransomware Cruises Onto the Scene to Target VMware ESXi

July 9, 2024 at 12:43PM

Eldorado, a Go-based ransomware, targets Windows and VMware ESXi systems in the US across education, real estate, and healthcare. It offers an affiliate program, customizable attack techniques, and employs Golang for cross-platform capabilities. Its “living off the land” tactics make it evasive, while its ability to impact virtual machines poses a threat to business continuity.

The key takeaways regarding the Eldorado ransomware are:

1. Eldorado Ransomware Overview:
– Eldorado is a Go-based ransomware-as-a-service (RaaS) operation that, since March, has targeted Windows and VMware ESXi environments, mainly in the US across the education, real estate, and healthcare sectors.
– It was first seen on the RAMP forum and advertised an affiliate program to attract skilled partners.

2. Technical Details:
– Eldorado enables affiliates to tailor their attacks, including specifying directories for encryption and targeting network shares on Windows (with limited Linux customization).
– It utilizes Golang for cross-platform capabilities, employing ChaCha20 for file encryption and RSA-OAEP for key encryption.
– The ransomware can encrypt files on shared networks using the Server Message Block (SMB) protocol and deletes volume shadow copies to prevent recovery.

3. Evasive Tactics:
– Eldorado utilizes native and legitimate tools available on infected systems, such as Windows WMI and PowerShell, to enhance its evasiveness.
– It is highly configurable in Windows and can be set to avoid critical system files to maintain system functionality.

4. Impact:
– The ransomware’s ability to shut down and encrypt virtual machines (VMs) before encrypting files could significantly impact business continuity and data availability.

5. Threat Actor Analysis:
– The developers of Eldorado are noted for their skills in ransomware coding, indicating potential financial backing.
– Organizations are advised to monitor this threat and share actionable intelligence to stay ahead of possible infections.
– Proactive defense measures include patching systems, using stronger forms of authentication, and monitoring for signs of this malware.
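
One way to act on the monitoring advice above, for the shadow-copy deletion and WMI/PowerShell use described in items 2 and 3 (an added example, not from the original article): flag process-creation command lines that delete volume shadow copies. The rule patterns, host names and events are constructed assumptions, not Eldorado-specific indicators.

```python
import re

# Assumed, generic command-line patterns for shadow-copy deletion with built-in
# Windows tools. They are not Eldorado-specific indicators taken from the page.
RULES = {
    "vssadmin_delete": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "ps_wmi_shadowcopy": re.compile(
        r"\b(get-wmiobject|gwmi|get-ciminstance)\b.*\bwin32_shadowcopy\b.*"
        r"\b(delete|remove-wmiobject|remove-ciminstance)\b", re.I),
}

# Constructed process-creation events: (host, parent image, command line).
SAMPLE_EVENTS = [
    ("FS01", "powershell.exe",
     'powershell.exe -NoProfile -Command "Get-WmiObject Win32_ShadowCopy | '
     'ForEach-Object { $_.Delete() }"'),
    ("FS01", "cmd.exe", "vssadmin.exe  Delete Shadows /All /Quiet"),
    ("WS22", "cmd.exe", "vssadmin list shadows"),  # listing only, benign
    ("WS07", "wmiprvse.exe", 'WMIC.exe "shadowcopy" delete'),
    ("BK01", "powershell.exe",  # inventory query, benign
     "powershell.exe Get-CimInstance Win32_ShadowCopy | Select-Object ID,InstallDate"),
]


def normalize(cmdline):
    """Drop quotes and carets (ignored by cmd.exe) and collapse whitespace."""
    return re.sub(r"\s+", " ", re.sub(r'["^]', "", cmdline)).strip()


def detect(events):
    """Return (host, rule, normalized command line) for each matching event."""
    alerts = []
    for host, _parent, cmdline in events:
        norm = normalize(cmdline)
        for rule, pattern in RULES.items():
            if pattern.search(norm):
                alerts.append((host, rule, norm))
                break  # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for host, rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
```

In production the same rules would run over Sysmon Event ID 1 or Windows Security Event ID 4688 records, which carry the process command line.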
