
Security researchers have uncovered a new ransomware-as-a-service (RaaS) strain dubbed Eldorado, which has swiftly gained notoriety by targeting both Windows hosts and VMware ESXi virtual machines.
Eldorado is written in Go and ships encryptors for both Windows and Linux, which makes it a serious threat to organizations running mixed environments. It operates through two distinct variants, each tailored to its target platform.
The Windows variant gets onto systems through known vulnerabilities and outdated software, preying in particular on end-of-general-support (EOGS) products, which underlines the importance of timely updates. Once inside, Eldorado encrypts critical files and holds them inaccessible until a ransom is paid.
The Linux variant is more selective: it checks whether the host it is running on is a VMware ESXi hypervisor. By going after ESXi servers, which typically run many virtual machines at once, the operators aim to disrupt operations far more broadly with a single infection and raise the odds of a ransom payout.
Despite their different targets, the two variants are operationally similar. Both use strong encryption to lock victims' files and drop a ransom note, usually as a text file, with payment and decryption instructions.
The developer supplies the encryptor together with a user manual describing its capabilities, including 32-bit and 64-bit builds for VMware ESXi hypervisors and Windows. This packaged, user-friendly delivery reflects Eldorado's commercial nature as a service sold to other cybercriminals.
The group behind Eldorado has already claimed 16 victims, most of them in the United States. Defending against Eldorado and similar threats comes down to the usual controls done well: system hardening, prompt patching (and retiring or isolating EOGS products that can no longer be patched), backups that are kept offline and regularly tested for restore, and user awareness.
Indicators of Compromise (SHA-256)
- 1375e5d7f672bfd43ff7c3e4a145a96b75b66d8040a5c5f98838f6eb0ab9f27b
- 7f21d5c966f4fd1a042dad5051dfd9d4e7dfed58ca7b78596012f3f122ae66dd
- cb0b9e509a0f16eb864277cd76c4dcaa5016a356dd62c04dff8f8d96736174a7
- b2266ee3c678091874efc3877e1800a500d47582e9d35225c44ad379f12c70de
- dc4092a476c29b855a9e5d7211f7272f04f7b4fca22c8ce4c5e4a01f22258c33
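The hashes above are only useful if something actually compares them against files on disk. The following scanner is an added example, not code from the original article or from any vendor tool: it streams every regular file under a directory through SHA-256 and reports any digest that appears in the IoC list. It assumes the listed values are SHA-256 digests of sample files, which their 64-hex-character length suggests; the article does not state the hash type explicitly.

```python
"""Hash-match a directory tree against the Eldorado IoC list.

Added example, not from the original article. Assumes the IoCs are SHA-256
digests of sample files (inferred from their 64-hex-character length).
"""
import hashlib
import os
from pathlib import Path

# IoCs copied from the article, normalised to lower case.
ELDORADO_SHA256 = frozenset(h.lower() for h in (
    "1375e5d7f672bfd43ff7c3e4a145a96b75b66d8040a5c5f98838f6eb0ab9f27b",
    "7f21d5c966f4fd1a042dad5051dfd9d4e7dfed58ca7b78596012f3f122ae66dd",
    "cb0b9e509a0f16eb864277cd76c4dcaa5016a356dd62c04dff8f8d96736174a7",
    "b2266ee3c678091874efc3877e1800a500d47582e9d35225c44ad379f12c70de",
    "dc4092a476c29b855a9e5d7211f7272f04f7b4fca22c8ce4c5e4a01f22258c33",
))


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, iocs=ELDORADO_SHA256, follow_symlinks=False):
    """Return [(path, sha256)] for every regular file under root whose digest is in iocs.

    Symlinks are skipped by default so a planted link cannot drag the scanner
    into /proc, /dev or a directory loop. Unreadable files are skipped, not fatal,
    because a scan of a live host will always hit a few locked or vanished files.
    """
    wanted = {h.lower() for h in iocs}
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=follow_symlinks):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() and not follow_symlinks:
                continue
            if not path.is_file():
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in wanted:
                matches.append((str(path), digest))
    return matches


if __name__ == "__main__":
    import sys

    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for hit_path, hit_digest in hits:
        print(f"MATCH {hit_digest} {hit_path}")
    sys.exit(1 if hits else 0)
```

Run it as `python scan.py /path/to/tree`; a non-zero exit code makes it easy to chain into a cron job or an EDR scripted response. Keep in mind that file-hash IoCs only catch the exact samples that were analysed: a rebuilt or repacked encryptor will produce a different digest, so treat a clean result as "these five samples are absent", not as "Eldorado is absent".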

