
The Cybersecurity Lair™ • July 9, 2024

Latest News | New Ransomware-as-a-Service Eldorado Hits US Organizations with Cross-Platform Attacks

The Eldorado ransomware-as-a-service gang has infected at least 16 organisations, most of them in the US, using lockers built for both Windows and Linux systems.

The Eldorado ransomware-as-a-service (RaaS) operation, first detected in March 2024 by Singapore-based security firm Group-IB, has infected at least 16 organisations, most of them in the US. Eldorado runs an affiliate program and ships malware for both Linux and Windows, written in Go so that one code base covers both platforms. The locker encrypts files with ChaCha20 and protects the file-encryption keys with RSA-OAEP, and it can reach files on network shares over SMB.

Affiliates can customise each sample by specifying the target network, the ransom note contents and domain administrator credentials. Unlike many recent RaaS families, Eldorado's malware is not built from previously leaked builder sources, and the Windows version runs PowerShell commands to delete traces of itself. As of June 2024, Eldorado had hit organisations across several industries, with the majority of attacks occurring in the US.


Key Points:


  • Eldorado is a RaaS operation with lockers for both Linux and Windows, written in Go for cross-platform reach.
  • Group-IB identified the gang in March 2024, noting an affiliate program and cross-platform malware.
  • Eldorado encrypts files with ChaCha20 and protects the file-encryption keys with RSA-OAEP.
  • The gang recruits penetration testers to help spread the malware.
  • Eldorado's malware is not built from previously leaked builder sources.
  • Affiliates customise samples with the target network, ransom note details and domain administrator credentials.
  • The Windows version runs PowerShell commands to delete traces of itself.
  • By June 2024, Eldorado had infected 16 organisations, primarily in the US.
  • The most affected industries are real estate, education, healthcare and manufacturing.
  • Group-IB's analysis provides technical details and indicators of compromise.

Technical Takeaway:

Eldorado's combination of a Go code base that covers both Windows and Linux, SMB reach into network shares and PowerShell clean-up of its own traces shows how quickly RaaS operations mature, and it underscores the need for detection and response coverage on Linux hosts as well as Windows.


Source and further reading.

Lyons, J. (2024, July 9). Eldorado ransomware-as-a-service gang targets Linux, Windows systems. The Register. https://www.theregister.com/2024/07/09/eldorado_ransomware_linux_windows/

The Hacker News. (n.d.). New Ransomware-as-a-Service "Eldorado" targets Windows and Linux systems. https://thehackernews.com/2024/07/new-ransomware-as-service-eldorado.html
