Eldorado ransomware-as-a-service gang targets Linux, Windows systems

US orgs bear the brunt of attacks by probably-Russian crew

A ransomware-as-a-service operation dubbed “Eldorado” that encrypts files on both Linux and Windows machines has infected at least 16 organizations – primarily in the US – as of June.

Singaporean security shop Group-IB first spotted the criminal gang in March 2024, when it spotted it advertising an affiliate program and malware that comes in Linux and Windows 32 bit and 64 bit versions. The criminal gang is also seeking penetration testers to join the operation and spread the malicious code.

Group-IB's intelligence analyst Nikolay Kichatov and malware analyst Sharmine Low infiltrated Eldorado and concluded the malware-slinger’s representative was a native Russian speaker after finding colloquial terms in ads posted to the RAMP ransomware forum.

Eldorado crew advertises a locker and a loader, but what's unusual about this malware is that it does not use any previously published builder sources – such as the LockBit 3.0 ransomware that was leaked in September 2022, or the Babuk source code that was made public a year earlier.

Eldorado ransomware is written in Go, likely for its cross-platform capabilities. It uses the Chacha20 algorithm for file encryption and Rivest Shamir Adleman-Optimal Asymmetric Encryption Padding (RSA-OAEP) for key encryption, according to Group-IB's Low. Plus, it uses Server Message Block (SMB) protocol to encrypt files on shared networks, we're told.

Once affiliates join the ransomware-as-a-service operation, they are allowed chat-only access to victims, and can generate ransomware samples after providing the following customization parameters: the targeted network or company's name, file name for the ransom note and text, and either the domain administrator's password or hash.

An encryptor, obtained by Group-IB analysts, is available in four formats: esxi, esxi_64, win, and win_64.

Additionally, the Windows version uses a PowerShell command to overwrite the encryptor with random bytes before it deletes the file, which also helps remove any traces of the malware.

"As of June, 2024, 16 companies across various countries and industries have suffered the Eldorado ransomware attacks, with companies in the US attacked 13 times, contributing up to 81.25 percent of the total number of incidents," Kichatov and Low wrote, adding that two victims were based in Italy and one in Croatia.

Real estate companies suffered three attacks, while education, professional services, healthcare, and manufacturing each experienced two ransomware infections. Other industries hit include telecoms, business services, administrative services, transportation, government, and military orgs.

"Although relatively new and not a rebrand of well-known ransomware groups, Eldorado has quickly demonstrated its capability within a short period of time to inflict significant damage to its victims' data, reputation, and business continuity," according to the Group-IB duo.

In their write-up, they also listed the Eldorado ransomware Onion domain, along with file and network indicators of compromise, plus other technical details of the malware.

While Eldorado may be one of the newest ransomware-as-a-service outfits, Group-IB spotted 27 ads for similar service operations on various cyber-crime forums between 2022 and 2023. Last year alone, the number of ads seeking ransomware affiliates increased 1.5 times compared to the previous 12 months. ®

More about


Send us news

Other stories you might like