InfoSecBulletin Cybersecurity for mankind
A new ransomware named Eldorado appeared in March and has locker versions for VMware ESXi and Windows. The gang has claimed 16 victims, mostly in the U.S., in various sectors including real estate, education, healthcare, and manufacturing.
Researchers from Group-IB observed the activity of Eldorado. They found that the operators of Eldorado were advertising their harmful service on RAMP forums and looking for experienced affiliates to join their program.
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
Encrypting Windows and Linux:
Eldorado is a ransomware that can encrypt both Windows and Linux platforms. The researchers got an encryptor from the developer. The user manual says that there are 32/64-bit versions for VMware ESXi hypervisors and Windows.
Group-IB says that Eldorado is a unique development “and does not rely on previously published builder sources.”
The malware uses the ChaCha20 algorithm to encrypt files, with a unique 32-byte key and 12-byte nonce for each file. These keys and nonces are then encrypted using RSA with the Optimal Asymmetric Encryption Padding (OAEP) scheme.
Files are given a new extension “.00000001” after being encrypted. Ransom notes named “HOW_RETURN_YOUR_DATA.TXT” are placed in the Documents and Desktop folders.
Eldorado encrypts network shares using the SMB protocol to maximize its impact and deletes shadow volume copies on compromised Windows machines to prevent recovery.
The ransomware skips DLLs, LNK, SYS, and EXE files, as well as files and directories related to system boot and basic functionality to prevent rendering the system unbootable/unusable.
Finally, it’s set by default to self-delete to evade detection and analysis by response teams.
The researchers from Group-IB discovered that affiliates can personalize their attacks. They can choose specific directories to encrypt and avoid encrypting local files. Moreover, they can target network shares on certain subnets and make sure the malware cannot delete itself. Linux only allows customization up to setting encryption directories.
