Eldorado ransomware campaign found targeting Windows and Linux systems alike

A laptop with a red screen with a white skull on it with the message: "RANSOMWARE. All your files are encrypted."
(Image credit: Getty Images)

There is a brand new player in the ransomware-as-a-service (RaaS) scene, and it’s called Eldorado.

Cybersecurity researchers Group-IB have been tracking the group for some time now, and have even obtained a version of the encryptor for analysis.

As per the researchers, Eldorado is not a rebrand of a previous threat actor, and probably has entirely new people running it. Most likely, it started its operation in March this year, as that is roughly the time the researchers saw the group advertise its services on the dark web and first called for skilled affiliates to join the program.

Customization options

The encryptor was built for Windows and Linux devices, and is also capable of targeting VMware ESXi hypervisors. Since March, it was able to claim 16 victims, mostly in real estate, education, healthcare, and manufacturing. 

The developers say Eldorado does not rely on previously published builder sources, and claim to have built the encryptor to offer some level of customization. On Linux, affiliates can choose which directories to encrypt, while on Windows, they can choose directories, skip local files, target network shares on specific subnets, and prevent the malware from self-destructing. 

Otherwise, its default setting is to self-delete and prevent security teams from running a post-mortem. 

The group also said it had a data leak site, but according to BleepingComputer, it is currently offline.

“Although relatively new and not a rebrand of well-known ransomware groups, Eldorado has quickly demonstrated its capability within a short period of time to inflict significant damage to its victims’ data, reputation, and business continuity,” Group-IB’s researchers wrote in their analysis. 

As with most other cyberattacks, a ransomware attack usually relies on a person clicking a malicious link, or running a malicious file locally, so the best protection against ransomware is to educate your employees on the dangers of phishing and social engineering attacks. 

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.