InfoSecBulletin Cybersecurity for mankind
A new ransomware named Eldorado appeared in March and has locker versions for VMware ESXi and Windows. The gang has claimed 16 victims, mostly in the U.S., in various sectors including real estate, education, healthcare, and manufacturing.
Researchers from Group-IB observed the activity of Eldorado. They found that the operators of Eldorado were advertising their harmful service on RAMP forums and looking for experienced affiliates to join their program.
Intel PC, laptop and server processors affected for 6 years: Report
CVSS 10.0 Flaw
Critical flaw in Siemens OZW Web Servers Enable Unauthenticated RCE
Microsoft Patch Tuesday May 2025: 72 flaws, 5 Actively Exploited Zero-Day
OTP glitch disrupted NID services across the country
Google to pay Texas $1.4 billion for location tracking practices
YouTube geo-blocks at least 4 Bangladeshi TV channels in India
Microsoft Patches Four Critical Azure and Power Apps Vulns
Qilin Ransomware topped April 2025 with 45+ data leak disclosures
SonicWall Patches 3 Flaws in SMA 100 Devices
Top Ransomware Actively Attacking Financial Sector: 406 Incidents Disclosed
Encrypting Windows and Linux:
Eldorado is a ransomware that can encrypt both Windows and Linux platforms. The researchers got an encryptor from the developer. The user manual says that there are 32/64-bit versions for VMware ESXi hypervisors and Windows.
Group-IB says that Eldorado is a unique development “and does not rely on previously published builder sources.”
The malware uses the ChaCha20 algorithm to encrypt files, with a unique 32-byte key and 12-byte nonce for each file. These keys and nonces are then encrypted using RSA with the Optimal Asymmetric Encryption Padding (OAEP) scheme.
Files are given a new extension “.00000001” after being encrypted. Ransom notes named “HOW_RETURN_YOUR_DATA.TXT” are placed in the Documents and Desktop folders.
Eldorado encrypts network shares using the SMB protocol to maximize its impact and deletes shadow volume copies on compromised Windows machines to prevent recovery.
The ransomware skips DLLs, LNK, SYS, and EXE files, as well as files and directories related to system boot and basic functionality to prevent rendering the system unbootable/unusable.
Finally, it’s set by default to self-delete to evade detection and analysis by response teams.
The researchers from Group-IB discovered that affiliates can personalize their attacks. They can choose specific directories to encrypt and avoid encrypting local files. Moreover, they can target network shares on certain subnets and make sure the malware cannot delete itself. Linux only allows customization up to setting encryption directories.
