Eldorado Ransomware: A Dark Web Analysis by SOCRadar® Cyber Intelligence Inc.

Eldorado is a Russian-origin ransomware group operating a RaaS platform with locker variants for VMware ESXi and Windows, expanding its reach via affiliates. The analysis covers its origins, techniques, and potential links to other gangs, highlighting its Golang-based, cross-platform ransomware and dark-web activity. #Eldorado #RaaS #VMwareESXi #LostTrust #MetaEncryptor #RAMP #TOX

Keypoints

  • Eldorado operates a Ransomware-as-a-Service platform with locker variants for VMware ESXi and Windows systems, enabling affiliates to use its toolkit.
  • The group began recruiting affiliates on the RAMP forum around March 2024 and gained attention by June, signaling rapid expansion potential.
  • It targets both Windows and Linux environments, widening its attack surface beyond a single OS.
  • Technical details show Golang-based ransomware with WebSockets for C2, self-deletion of executables, and shadow copy removal to hinder recovery.
  • Encryption uses ChaCha20 for file contents and RSA-OAEP to wrap the per-file key and nonce; the wrapped key material is appended to each encrypted file, so decryption requires the operator's RSA private key.
  • There are suspected ties or parallels to other groups like LostTrust and MetaEncryptor, suggesting an underground ecosystem with shared methods.
  • Impact data from the data leak site indicates 15 companies affected across the US, Italy, Congo, and Croatia, with various industries targeted.
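The hybrid scheme from the encryption keypoint, as an added example written for this summary (not Eldorado's code): each file gets a fresh ChaCha20 key and nonce, both wrapped with RSA-OAEP under the operator's public key and appended to the ciphertext, so recovering one file's key helps with no other file and nothing decrypts without the private key. The footer layout (wrapped blob followed by a 2-byte length), the inline ChaCha20 implementation (the Go standard library has no public ChaCha20 package) and the helper names are assumptions; the analysis does not give the locker's exact file format.

```go
// Added example for this summary, not Eldorado's code: the per-file hybrid scheme
// (fresh ChaCha20 key and nonce per file, both RSA-OAEP-wrapped and appended to the
// ciphertext). The footer layout below is an assumption; the analysis does not give it.
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/bits"
)

// chacha20XOR applies the RFC 8439 ChaCha20 keystream (block counter starting at 0)
// to data in place. Written inline because Go's standard library has no public ChaCha20.
func chacha20XOR(key, nonce, data []byte) {
	s := [16]uint32{0x61707865, 0x3320646e, 0x79622d32, 0x6b206574} // "expand 32-byte k"
	for i := 0; i < 8; i++ {
		s[4+i] = binary.LittleEndian.Uint32(key[4*i:])
	}
	for i := 0; i < 3; i++ {
		s[13+i] = binary.LittleEndian.Uint32(nonce[4*i:])
	}
	qr := func(w *[16]uint32, a, b, c, d int) {
		w[a] += w[b]; w[d] ^= w[a]; w[d] = bits.RotateLeft32(w[d], 16)
		w[c] += w[d]; w[b] ^= w[c]; w[b] = bits.RotateLeft32(w[b], 12)
		w[a] += w[b]; w[d] ^= w[a]; w[d] = bits.RotateLeft32(w[d], 8)
		w[c] += w[d]; w[b] ^= w[c]; w[b] = bits.RotateLeft32(w[b], 7)
	}
	for off := 0; off < len(data); off += 64 {
		w := s
		for i := 0; i < 10; i++ { // 20 rounds as 10 column+diagonal double rounds
			qr(&w, 0, 4, 8, 12); qr(&w, 1, 5, 9, 13); qr(&w, 2, 6, 10, 14); qr(&w, 3, 7, 11, 15)
			qr(&w, 0, 5, 10, 15); qr(&w, 1, 6, 11, 12); qr(&w, 2, 7, 8, 13); qr(&w, 3, 4, 9, 14)
		}
		var ks [64]byte
		for i := 0; i < 16; i++ {
			binary.LittleEndian.PutUint32(ks[4*i:], w[i]+s[i])
		}
		for i := 0; i < 64 && off+i < len(data); i++ {
			data[off+i] ^= ks[i]
		}
		s[12]++ // advance the block counter
	}
}

// newOperatorKey generates the RSA key pair whose private half stays with the operator.
func newOperatorKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// encryptFile returns ciphertext || RSA-OAEP(key||nonce) || 2-byte big-endian wrapped
// length, so the footer can be located from the end of the file.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	var kn [44]byte // 32-byte ChaCha20 key followed by 12-byte nonce, fresh per file
	if _, err := rand.Read(kn[:]); err != nil {
		return nil, err
	}
	out := append([]byte(nil), plaintext...)
	chacha20XOR(kn[:32], kn[32:], out)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kn[:], nil)
	if err != nil {
		return nil, err
	}
	var n [2]byte
	binary.BigEndian.PutUint16(n[:], uint16(len(wrapped)))
	return append(append(out, wrapped...), n[:]...), nil
}

// decryptFile is the step only the RSA private-key holder can perform: unwrap the
// per-file key and nonce from the footer, then strip the keystream again.
func decryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 2 {
		return nil, errors.New("blob too short")
	}
	n := int(binary.BigEndian.Uint16(blob[len(blob)-2:]))
	if len(blob) < 2+n {
		return nil, errors.New("truncated footer")
	}
	ct, wrapped := blob[:len(blob)-2-n], blob[len(blob)-2-n:len(blob)-2]
	kn, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	if len(kn) != 44 {
		return nil, errors.New("unexpected key material length")
	}
	pt := append([]byte(nil), ct...)
	chacha20XOR(kn[:32], kn[32:], pt)
	return pt, nil
}

func main() {
	priv, err := newOperatorKey()
	if err != nil {
		panic(err)
	}
	blob, _ := encryptFile(&priv.PublicKey, []byte("constructed sample document"))
	pt, err := decryptFile(priv, blob)
	fmt.Printf("blob %d bytes, recovered %q, err=%v\n", len(blob), pt, err)
}
```

For an analyst the useful consequence is visible in the footer: with a 2048-bit operator key every encrypted file carries a 256-byte RSA-OAEP blob plus the length field, and a private key from any other RSA pair fails to unwrap it, which is why there is no single "master" per-file key to recover from memory.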

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploiting unpatched vulnerabilities in VMware ESXi servers to gain initial access.
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Utilizing PowerShell scripts for execution on Windows systems.
  • [T1078] Valid Accounts – Gaining access using stolen credentials for persistent or initial access.
  • [T1068] Exploitation for Privilege Escalation – Possibly exploiting vulnerabilities to gain higher privileges on the system.
  • [T1027] Obfuscated Files or Information – Overwriting its own executable with random bytes before deletion.
  • [T1552] Unsecured Credentials – Possibly searching for and obtaining passwords or hashes to use in further attacks.
  • [T1018] Remote System Discovery – Identifying remote systems and services for potential targets.
  • [T1021.001] Remote Desktop Protocol – Possible use of RDP to move laterally within the network.
  • [T1074.001] Data Staged: Local Data Staging – Staging data locally before exfiltration.
  • [T1041] Exfiltration Over C2 Channel – Exfiltrating data through command and control channels.
  • [T1486] Data Encrypted for Impact – Encrypting files on the infected systems using ChaCha20 and RSA-OAEP.
  • [T1490] Inhibit System Recovery – Removing shadow volume copies to prevent file recovery.
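Of the techniques above, T1490 is the one a detection engineer can turn into a rule straight away, because shadow-copy removal on Windows goes through a handful of well-known command lines. The following is an added example written for this summary, not code from the analysis: it normalizes process-creation command lines and flags the common shadow-copy removal variants. The command patterns, the rule names and the sample events are assumptions; the analysis states only that Eldorado removes shadow copies, not which command its Windows locker runs.

```go
// Added example for this summary, not from the Eldorado analysis: flag process
// command lines that remove volume shadow copies (ATT&CK T1490). The command
// variants are common tooling assumed here; the analysis only states that shadow
// copies are removed, not which command the locker runs.
package main

import (
	"fmt"
	"strings"
)

// rule names one pattern; every term must occur in the normalized command line.
type rule struct {
	name  string
	terms []string
}

var shadowCopyRules = []rule{
	{"vssadmin delete shadows", []string{"vssadmin", "delete", "shadows"}},
	{"vssadmin resize shadowstorage", []string{"vssadmin", "resize", "shadowstorage"}},
	{"wmic shadowcopy delete", []string{"wmic", "shadowcopy", "delete"}},
	{"powershell Win32_ShadowCopy remove", []string{"win32_shadowcopy", "remove-"}},
	{"powershell Win32_ShadowCopy .Delete()", []string{"win32_shadowcopy", ".delete("}},
	{"wbadmin delete catalog", []string{"wbadmin", "delete", "catalog"}},
}

// normalize lower-cases, drops quotes and collapses whitespace, so casing and
// quoting tricks ("VSSADMIN.EXE  Delete  Shadows") do not evade the substring match.
func normalize(cmd string) string {
	cmd = strings.NewReplacer(`"`, "", "'", "", "\t", " ").Replace(strings.ToLower(cmd))
	return strings.Join(strings.Fields(cmd), " ")
}

// matchShadowCopyDeletion returns the first matching rule name, or "" if none.
func matchShadowCopyDeletion(cmd string) string {
	n := normalize(cmd)
	for _, r := range shadowCopyRules {
		hit := true
		for _, t := range r.terms {
			if !strings.Contains(n, t) {
				hit = false
				break
			}
		}
		if hit {
			return r.name
		}
	}
	return ""
}

// scanCommandLines maps the index of each flagged command line to the rule it hit.
func scanCommandLines(cmds []string) map[int]string {
	hits := map[int]string{}
	for i, c := range cmds {
		if r := matchShadowCopyDeletion(c); r != "" {
			hits[i] = r
		}
	}
	return hits
}

// sampleCommandLines are constructed process-creation events (e.g. the CommandLine
// field of Sysmon Event ID 1 / Security 4688), not data from the analysis.
var sampleCommandLines = []string{
	`C:\Windows\System32\vssadmin.exe list shadows`,
	`"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet`,
	`wmic.exe shadowcopy delete /nointeractive`,
	`powershell.exe -nop -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"`,
	`wbadmin delete catalog -quiet`,
	`C:\Program Files\Backup\agent.exe --snapshot create`,
}

func main() {
	for i, r := range scanCommandLines(sampleCommandLines) {
		fmt.Printf("[%s] %s\n", r, sampleCommandLines[i])
	}
}
```

The benign `vssadmin list shadows` and the backup agent's own snapshot call stay unflagged, which matters in practice: backup software legitimately touches shadow copies, so a rule on the verb (delete, resize, Remove-*) rather than on `vssadmin` alone keeps the alert actionable. Pair it with the self-deletion behaviour noted under T1027 (an executable overwriting itself before deletion) for a second, independent signal.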

Indicators of Compromise

  • [File] how to return or decrypt your files – Ransom note file left on victims’ Desktop and Documents folders
  • [File] esxi, esxi_64, win, win_64 – Ransomware variants described in the article’s technical details

Read more: https://socradar.io/dark-web-profile-eldorado-ransomware/