Eldorado, a new ransomware-as-a-service (RaaS) group that emerged this spring targeting VMware ESX servers, is tied to 16 ransomware attacks as of June 2024 — 13 of which are in the United States.
In a July 3 blog post, Group-IB researchers said Eldorado targets the real estate, education, professional services, healthcare and manufacturing sectors. The ransomware was first posted on the “RAMP” forum in March 2024 and is distributed in both Windows and Linux versions.
The researchers also noted that Eldorado is written in Golang (Go) for cross-platform capability, and that it uses ChaCha20 for file encryption and RSA with Optimal Asymmetric Encryption Padding (RSA-OAEP) for key encryption.
“Go programs’ ability to cross-compile code into native, self-contained binaries could be a reason why the malware authors favored developing in Golang,” the researchers noted.
Eldorado's ability to shut down and encrypt virtual machines before encrypting files significantly impacts business continuity and data availability, explained Callie Guenther, senior manager of threat research at Critical Start, and an SC Media columnist. Guenther said the focus on VMware ESXi underscores the evolving threat landscape where attackers increasingly target virtualized environments to maximize damage.
“Defenders should implement multi-factor authentication, endpoint detection and response solutions, regular data backups, timely patching, and continuous employee training,” said Guenther.
Jason Soroko, senior vice president of product at Sectigo, added that Eldorado’s evasiveness is enhanced by its “living-off-the-land” tactics, meaning that it uses tools that are already available on infected systems. Attackers can use Windows WMI and PowerShell to move laterally or encrypt resources, explained Soroko.
“Interestingly, Eldorado can be configured in Windows to not affect certain kinds of files that are critical for normal operation, such as DLLs,” said Soroko. “The Windows variant of this malware seems to be highly configurable, which is why we see different variations on the method of attack from the same malware.”