Eldorado Ransomware Cruises Onto the Scene to Target VMware ESXi

This article originally appeared on Dark Reading.

A Go-based ransomware as a service (RaaS) called Eldorado has been targeting Windows and VMware ESXi environments (mainly in the US across education, real estate, and healthcare sectors), since March.

The ransomware first appeared on the RAMP forum, distributing versions for Windows and Linux and advertising its affiliate program in the hopes of luring skilled partners to join the group, according to a report from Group-IB, which managed to infiltrate the operation.

The report noted that Eldorado allows affiliates to tailor their attacks, such as specifying directories to encrypt, and targeting network shares on Windows, while Linux customization is limited to setting directories for encryption.

They added that the developers are leveraging Go programs' ability to cross-compile code into native, self-contained binaries.

"The ransomware uses Golang for cross-platform capabilities, employing Chacha20 for file encryption and Rivest Shamir Adleman-Optimal Asymmetric Encryption Padding (RSA-OAEP) for key encryption," wrote Group-IB researchers. "It can encrypt files on shared networks using Server Message Block (SMB) protocol."

The ransomware also deletes shadow volume copies to prevent recovery, avoids critical system files to maintain system functionality, and is set to self-delete to evade detection.

Related:Putting the Windows Credential Manager To Work for PowerShell Security

Eldorado Soups Up Living-off-the-Land Strategy

Jason Soroko, Sectigo's senior vice president of product, says Eldorado's evasiveness is enhanced by "living off the land" tactics, meaning it utilizes native and legitimate tools that are already available on infected systems.

"Windows WMI and PowerShell are examples," he explains. "These tools can be used to move laterally or encrypt resources."

He adds that Eldorado can be configured in Windows to not affect certain kinds of files that are critical for normal operation such as DLLs.

"The Windows variant of this malware seems to be highly configurable, which is why we see different variations on the method of attack from the same malware," Soroko says.

He said the motivation behind the attack appears to be money at this point, with denial-of-service not considered to be a primary motivator. But Callie Guenther, senior manager of cyber threat research at Critical Start, says Eldorado's ability to shut down and encrypt virtual machines (VMs) before encrypting files could significantly impact business continuity and data availability.

"The focus on VMware ESXi underscores the evolving threat landscape where attackers increasingly target virtualized environments to maximize damage," she adds.

Related:Ransomware Is Increasing. Protecting Active Directory Must Be Your Top Line of Defense.

An Ambitious Threat Actor With a Roadmap

Ngoc Bui, cybersecurity expert at Menlo Security, says the ability to infect more than one OS is always noteworthy as it expands the attack reach.

"However, it's the combination of encryption methods and the creation of the ransomware from the ground up that is worth noting," he explains. "This signals to me that they may have experienced skilled ransomware coders in their ranks."

He adds that these individuals likely came with a price, suggesting this gang might also have good resources behind it.

"They will be worth watching in the following months to see what they are capable of, what they will actually do, and how many affiliates they can attract," Bui says.

He recommends organizations ensure their threat intelligence analysts are monitoring this gang and that they are sharing actionable intelligence with other business units to stay ahead of possible infections.

For proactive defense, "make sure your systems are patched, use stronger forms of authentication and continue to monitor for the signs of this malware," Soroko advises.