Eldorado Ransomware Cruises Onto the Scene to Target VMware ESXi

Published: 23/11/2024 | Category: security




The ransomware-as-a-service platform just rolled off the assembly line, also targets Windows, and uses Golang for cross-platform capabilities.



A Go-based ransomware-as-a-service (RaaS) called Eldorado has been targeting Windows and VMware ESXi environments since March, mainly in the US and across the education, real estate, and healthcare sectors.
The ransomware first appeared on the RAMP forum, distributing versions for Windows and Linux and advertising its affiliate program in the hope of luring skilled partners to join the group, according to a report from Group-IB, which managed to infiltrate the operation.
The report noted that Eldorado allows affiliates to tailor their attacks on Windows, for example by specifying which directories to encrypt and by targeting network shares, while customization of the Linux build is limited to setting the directories to encrypt.
It added that the developers are leveraging Go's ability to cross-compile code into native, self-contained binaries, which is what lets one code base serve both platforms.
"The ransomware uses Golang for cross-platform capabilities, employing ChaCha20 for file encryption and Rivest-Shamir-Adleman Optimal Asymmetric Encryption Padding (RSA-OAEP) for key encryption," wrote Group-IB researchers. "It can encrypt files on shared networks using the Server Message Block (SMB) protocol."
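The Group-IB description above is a textbook hybrid scheme: each file is encrypted under a fresh random ChaCha20 key, and only that key is encrypted to the operator's RSA public key, so the private key never has to exist on the victim host and the files cannot be recovered without it (the practical consequence for defenders is that recovery depends on backups, not on attacking the cipher). The Go program below is an added illustration of that scheme; it is not Eldorado's code and not code from the Group-IB report. It implements ChaCha20 from RFC 8439 (checked against the RFC's block-function test vector, since ChaCha20 is not in Go's standard library) and uses the standard library's crypto/rsa OAEP. The Envelope layout, the "file-key" OAEP label, the counter starting at 1 and the sample plaintext are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
)

// chachaBlock computes one 64-byte ChaCha20 keystream block (RFC 8439, section 2.3).
func chachaBlock(key [32]byte, counter uint32, nonce [12]byte) [64]byte {
	var s [16]uint32
	s[0], s[1], s[2], s[3] = 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 // "expand 32-byte k"
	for i := 0; i < 8; i++ {
		s[4+i] = binary.LittleEndian.Uint32(key[4*i:])
	}
	s[12] = counter
	for i := 0; i < 3; i++ {
		s[13+i] = binary.LittleEndian.Uint32(nonce[4*i:])
	}
	w := s
	qr := func(a, b, c, d int) { // the ChaCha quarter round
		w[a] += w[b]; w[d] ^= w[a]; w[d] = bits.RotateLeft32(w[d], 16)
		w[c] += w[d]; w[b] ^= w[c]; w[b] = bits.RotateLeft32(w[b], 12)
		w[a] += w[b]; w[d] ^= w[a]; w[d] = bits.RotateLeft32(w[d], 8)
		w[c] += w[d]; w[b] ^= w[c]; w[b] = bits.RotateLeft32(w[b], 7)
	}
	for i := 0; i < 10; i++ { // 20 rounds = 10 double rounds (columns, then diagonals)
		qr(0, 4, 8, 12); qr(1, 5, 9, 13); qr(2, 6, 10, 14); qr(3, 7, 11, 15)
		qr(0, 5, 10, 15); qr(1, 6, 11, 12); qr(2, 7, 8, 13); qr(3, 4, 9, 14)
	}
	var out [64]byte
	for i := 0; i < 16; i++ {
		binary.LittleEndian.PutUint32(out[4*i:], w[i]+s[i])
	}
	return out
}

// chacha20XOR encrypts or decrypts data by XOR with the keystream; block counter starts at 1 (assumption, as in the RFC example).
func chacha20XOR(key [32]byte, nonce [12]byte, data []byte) []byte {
	out := make([]byte, len(data))
	var block [64]byte
	counter := uint32(1)
	for i := range data {
		if i%64 == 0 {
			block = chachaBlock(key, counter, nonce)
			counter++
		}
		out[i] = data[i] ^ block[i%64]
	}
	return out
}

// SelfTest checks the block function against the RFC 8439 section 2.3.2 test vector.
func SelfTest() bool {
	var key [32]byte
	for i := range key {
		key[i] = byte(i)
	}
	nonce := [12]byte{0, 0, 0, 9, 0, 0, 0, 0x4a, 0, 0, 0, 0}
	got := chachaBlock(key, 1, nonce)
	return hex.EncodeToString(got[:16]) == "10f1e7e4d13b5915500fdd1fa32071c4"
}

// Envelope (assumed layout) is what must be stored with each encrypted file: the per-file key
// wrapped under the operator's RSA public key, the nonce, and the ciphertext.
type Envelope struct {
	WrappedKey []byte
	Nonce      [12]byte
	Ciphertext []byte
}

var oaepLabel = []byte("file-key") // hypothetical OAEP label; must match on both sides

// Seal encrypts plaintext under a fresh random ChaCha20 key and wraps that key with RSA-OAEP.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	var key [32]byte
	var nonce [12]byte
	if _, err := rand.Read(key[:]); err != nil { return nil, err }
	if _, err := rand.Read(nonce[:]); err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key[:], oaepLabel)
	if err != nil { return nil, err }
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: chacha20XOR(key, nonce, plaintext)}, nil
}

// Open unwraps the file key with the RSA private key and decrypts. Without priv, this is infeasible.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, oaepLabel)
	if err != nil { return nil, err }
	if len(k) != 32 { return nil, errors.New("unexpected file key length") }
	var key [32]byte
	copy(key[:], k)
	return chacha20XOR(key, env.Nonce, env.Ciphertext), nil
}

// Demo runs the scheme end to end (round trip, and failure with a stranger's key) and returns nil on success.
func Demo() error {
	if !SelfTest() { return errors.New("ChaCha20 block function does not match RFC 8439") }
	operator, err := rsa.GenerateKey(rand.Reader, 2048) // stays with the operator, never on the victim
	if err != nil { return err }
	plaintext := []byte("constructed sample file contents, not real victim data")
	env, err := Seal(&operator.PublicKey, plaintext)
	if err != nil { return err }
	if bytes.Equal(env.Ciphertext, plaintext) { return errors.New("ciphertext equals plaintext") }
	got, err := Open(operator, env)
	if err != nil { return err }
	if !bytes.Equal(got, plaintext) { return errors.New("round trip failed") }
	stranger, err := rsa.GenerateKey(rand.Reader, 2048) // any other key fails the OAEP check
	if err != nil { return err }
	if _, err := Open(stranger, env); err == nil { return errors.New("decryption with wrong key should fail") }
	return nil
}

func main() {
	if err := Demo(); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Println("hybrid ChaCha20 + RSA-OAEP round trip OK")
}
```

Note that plain ChaCha20 is a stream cipher with no integrity protection (that is what the Poly1305 tag in ChaCha20-Poly1305 adds); an extortion tool does not need integrity, but a legitimate encryption design would. The important property for defenders is the last check in Demo: a wrapped key is useless without the matching private key, so incident response should start from backups and shadow-copy state rather than from any hope of recovering keys off the host.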
The ransomware also deletes shadow volume copies to prevent recovery, avoids critical system files to maintain system functionality, and is set to self-delete to evade detection.
Jason Soroko, Sectigo's senior vice president of product, says Eldorado's evasiveness is enhanced by living-off-the-land tactics, meaning it utilizes native and legitimate tools that are already available on infected systems.
"Windows WMI and PowerShell are examples," he explains. "These tools can be used to move laterally or encrypt resources."
He adds that Eldorado can be configured on Windows to not affect certain kinds of files that are critical for normal operation, such as DLLs.
"The Windows variant of this malware seems to be highly configurable, which is why we see different variations on the method of attack from the same malware," Soroko says.
He said the motivation behind the attack appears to be money at this point, with denial of service not considered a primary motivator. But Callie Guenther, senior manager of cyber threat research at Critical Start, says Eldorado's ability to shut down and encrypt virtual machines (VMs) before encrypting files could significantly impact business continuity and data availability.
"The focus on VMware ESXi underscores the evolving threat landscape where attackers increasingly target virtualized environments to maximize damage," she adds.
Ngoc Bui, cybersecurity expert at Menlo Security, says the ability to infect more than one OS is always noteworthy, as it expands the attack reach.
"However, it's the combination of encryption methods and the creation of the ransomware from the ground up that is worth noting," he explains. "This signals to me that they may have experienced, skilled ransomware coders in their ranks."
He adds that these individuals likely came with a price, suggesting this gang might also have good resources behind it.
"They will be worth watching in the following months to see what they are capable of, what they will actually do, and how many affiliates they can attract," Bui says.
He recommends that organizations ensure their threat intelligence analysts are monitoring this gang and sharing actionable intelligence with other business units to stay ahead of possible infections.
"For proactive defense, make sure your systems are patched, use stronger forms of authentication and continue to monitor for the signs of this malware," Soroko advises.
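Two of the behaviours described above, deletion of shadow volume copies and the use of WMI and PowerShell as living-off-the-land tools, are observable in process-creation telemetry (Sysmon Event ID 1 or Windows Security 4688) before any file is encrypted, which makes them the concrete "signs of this malware" worth monitoring. The Go program below is an added example of that detection logic; it is not an Eldorado indicator set from Group-IB and not code from the article. The rules are generic shadow-copy-deletion signatures (the vssadmin, wmic and PowerShell WMI/CIM forms; the wbadmin catalog rule goes beyond the article to a common companion technique), the JSON event shape is an assumption, and the log lines are constructed, not real telemetry.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// procEvent is the subset of a process-creation record (assumed JSON export) the detector needs.
type procEvent struct {
	Image       string `json:"Image"`
	CommandLine string `json:"CommandLine"`
}

// Hit records which rule fired and on which event.
type Hit struct {
	Rule        string
	Image       string
	CommandLine string
}

// Rules match the normalised command line (lower-cased, quotes and cmd.exe '^' escapes stripped,
// whitespace collapsed) so that casing, .exe suffixes and quoting tricks do not slip past.
// "vssadmin list shadows" is deliberately not matched: listing is routine admin activity.
var rules = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"vssadmin_delete_shadows", regexp.MustCompile(`\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b`)},
	{"wmic_shadowcopy_delete", regexp.MustCompile(`\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b`)},
	{"powershell_wmi_shadowcopy_delete", regexp.MustCompile(`win32_shadowcopy.*(\.delete\(\)|remove-wmiobject|remove-ciminstance)`)},
	{"wbadmin_delete_catalog", regexp.MustCompile(`\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b`)}, // beyond the article
}

var spaces = regexp.MustCompile(`\s+`)

// normalize canonicalises a command line before matching.
func normalize(cmd string) string {
	cmd = strings.ToLower(cmd)
	cmd = strings.NewReplacer(`"`, "", `'`, "", "^", "").Replace(cmd)
	return strings.TrimSpace(spaces.ReplaceAllString(cmd, " "))
}

// Detect parses one JSON event per line and returns every rule hit, in input order.
func Detect(lines []string) ([]Hit, error) {
	var hits []Hit
	for n, line := range lines {
		var ev procEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		cmd := normalize(ev.CommandLine)
		for _, r := range rules {
			if r.Re.MatchString(cmd) {
				hits = append(hits, Hit{Rule: r.Name, Image: ev.Image, CommandLine: ev.CommandLine})
				break // one alert per event; the first matching rule names it
			}
		}
	}
	return hits, nil
}

// SampleLogs are constructed events for the example, not telemetry from any real incident.
var SampleLogs = []string{
	`{"Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"\"vssadmin.exe\" Delete Shadows /All /Quiet"}`,
	`{"Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","CommandLine":"wmic   shadowcopy delete"}`,
	`{"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -nop -w hidden -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"}`,
	`{"Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin list shadows"}`,
	`{"Image":"C:\\Windows\\System32\\svchost.exe","CommandLine":"C:\\Windows\\System32\\svchost.exe -k netsvcs"}`,
}

func main() {
	hits, err := Detect(SampleLogs)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, h := range hits {
		fmt.Printf("%-34s %s\n", h.Rule, h.CommandLine)
	}
}
```

Running it flags the first three sample events and leaves the listing and svchost events alone. In production the same rules would run close to the event source (EDR or SIEM), and a hit on any of them from a server or hypervisor-management host is a good trigger to isolate the machine, because shadow-copy deletion normally precedes encryption by minutes rather than hours.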
