Researchers are warning of a ransomware-as-a-service group called Eldorado, which has developed and deployed a “highly effective” ransomware builder used to target both Windows and Linux systems.
The ransomware group was first discovered in March 2024 in an underground forum for ransomware-as-a-service advertisements called RAMP, after posting about its affiliate program and advertising the availability of a locker and a loader. Upon further investigation, researchers with Group-IB found that as of June, 16 companies have been targeted by the group, with the majority (13) of those in the U.S. The group has targeted the real estate industry, as well as the education, professional services, healthcare and manufacturing sectors.
“Although relatively new and not a rebrand of well-known ransomware groups, Eldorado has quickly demonstrated its capability within a short period of time to inflict significant damage to its victims’ data, reputation, and business continuity,” said Nikolay Kichatov, cyber intelligence analyst with Group-IB, and Sharmine Low, malware analyst with Group-IB, in an analysis last week.
Eldorado’s ransomware builder is unique, and unlike other ransomware groups the threat actor does not rely on previously leaked, publicly available ransomware tools like the LockBit 3.0 ransomware or the Babuk ransomware source code. The ransomware uses the Go language, and has versions crafted for both Windows and Linux systems (with an encryptor available in four formats: esxi, esxi_64, win, and win_64).
“The choice of using the Go programming language could be due to its cross-platform capabilities,” said Kichatov and Low. “Go programs’ ability to cross-compile code into native, self-contained binaries could be a reason why malware authors favored developing in Golang.”
The ransomware is fairly straightforward during attacks, encrypting files with the extension “.00000001” and dropping a ransom note in victims’ Documents and Desktop folder with instructions to contact the threat actor. The ransomware uses Chacha20 to encrypt files and Rivest Shamir Adleman-Optimal Asymmetric Encryption Padding (RSA-OAEP) for key encryption.
"For each file, it will generate a 32-byte key and 12-byte nonce, and encrypt the file using Chacha20," said researchers. "The key and nonce will be encrypted with RSA-OAEP with the embedded public key from the configuration, and appended to the end of each file... It can encrypt files on shared networks using Server Message Block (SMB) protocol. Key parameters for customization during the build include target networks or company names, ransom note details, and admin credentials.”
The emergence of Eldorado shows that despite law enforcement efforts to disrupt ransomware-as-a-service networks like BlackCat and Ragnar Locker, the threat remains a lucrative one for cybercriminals. Between 2022 and 2023, researchers with Group-IB said that they saw 27 ads for ransomware-as-a-service programs on underground forums. In 2023, the number of ads published in these forums that were searching for potential program participants has increased since 2022, which researchers said potentially highlights a growth in demand for affiliates.
“Despite the widespread awareness and ongoing discussions about the threat of ransomware, cybercriminals continue to find new and effective ways to attack various organizations,” said researchers with Group-IB. “The persistent evolution of ransomware tactics and strategies ensures that these malicious actors remain a formidable threat in the cybersecurity landscape.”