
Eldorado, a burgeoning ransomware-as-a-service (RaaS) operation, offers locker variants for encrypting files on Windows and Linux systems.

Eldorado initially emerged on March 16, 2024, when an affiliate program advertisement was placed on the ransomware site RAMP, according to Group-IB, headquartered in Singapore.

The cybersecurity firm, which infiltrated the ransomware gang, stated that its representative speaks Russian and that the malware does not overlap with previously released strains like LockBit or Babuk.

“The Eldorado ransomware uses Golang for cross-platform capabilities, employing Chacha20 for file encryption and Rivest Shamir Adleman-Optimal Asymmetric Encryption Padding (RSA-OAEP) for key encryption,” researchers Nikolay Kichatov and Sharmine Low explained. “It can encrypt files on shared networks using the Server Message Block (SMB) protocol.”

Eldorado’s encryptor comes in four formats: esxi, esxi_64, win, and win_64. Its data leak site already lists 16 victims as of June 2024. Thirteen of the targets are in the United States, two in Italy, and one in Croatia.


These organizations operate in a variety of industry sectors, including real estate, education, professional services, healthcare, and manufacturing.

Further investigation of the Windows version of the artifacts revealed the usage of a PowerShell command to overwrite the locker with random bytes before deleting the file in an attempt to clear traces.
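The overwrite-then-delete behaviour described above leaves a recognisable shape in PowerShell script block logging (Event ID 4104): random-byte generation, a file write, and a deletion of the same file in one block. The following detector is an added example written for this article, not code from Group-IB or from the Eldorado sample; the script-block texts are constructed, and the specific cmdlet and .NET names used as stage markers are my own assumptions about what such a command would contain.

```python
import re

# Constructed script-block texts, modelled on what Event ID 4104
# (PowerShell script block logging) records. None of these are real samples.
SAMPLE_SCRIPT_BLOCKS = [
    # benign cleanup: deletion only
    {"pid": 4321, "text": r"Remove-Item -Path 'C:\Temp\build.log' -Force"},
    # anti-forensic self-wipe: fill a buffer with random bytes, overwrite the
    # binary with it, then delete the file (the ordering matters)
    {"pid": 5120, "text": r"$p='C:\Users\Public\locker.exe'; "
                          r"$b=New-Object byte[] (Get-Item $p).Length; "
                          r"(New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($b); "
                          r"[IO.File]::WriteAllBytes($p,$b); Remove-Item $p -Force"},
    # benign key material generation: random bytes written, nothing deleted
    {"pid": 6000, "text": r"$k=New-Object byte[] 32; "
                          r"[System.Security.Cryptography.RandomNumberGenerator]::Fill($k); "
                          r"Set-Content -Path key.bin -Value $k -Encoding Byte"},
]

# Stage markers (assumed indicators, case-insensitive). Tune to your environment.
STAGES = {
    "random": re.compile(r"RNGCryptoServiceProvider|RandomNumberGenerator|Get-Random", re.I),
    "write": re.compile(r"WriteAllBytes|Set-Content|Out-File|FileStream", re.I),
    "delete": re.compile(r"Remove-Item|\[IO\.File\]::Delete|\bdel\b|\brm\b", re.I),
}


def script_block_stages(text):
    """Return the set of stage names whose pattern occurs anywhere in the block."""
    return {name for name, pattern in STAGES.items() if pattern.search(text)}


def is_self_wipe(text):
    """True when all three stages are present and a deletion follows the write.

    Requiring the deletion to come after the write separates the
    overwrite-then-delete pattern from blocks that merely delete temp files
    and later write random data somewhere else.
    """
    if not {"random", "write", "delete"} <= script_block_stages(text):
        return False
    write_pos = STAGES["write"].search(text).start()
    return any(m.start() > write_pos for m in STAGES["delete"].finditer(text))


def find_self_wipe(blocks):
    """Return the PIDs of script blocks that match the self-wipe pattern."""
    return [block["pid"] for block in blocks if is_self_wipe(block["text"])]


if __name__ == "__main__":
    for block in SAMPLE_SCRIPT_BLOCKS:
        print(block["pid"], sorted(script_block_stages(block["text"])),
              "SELF-WIPE" if is_self_wipe(block["text"]) else "")
    print("flagged:", find_self_wipe(SAMPLE_SCRIPT_BLOCKS))
```

Because script block logging captures the decoded command text, this check works regardless of how the launcher invoked PowerShell; it is only as good as the stage markers, so treat them as a starting point to extend with the write and delete primitives your own telemetry shows.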

Eldorado is the most recent addition to the list of new double-extortion ransomware players, which also includes Arcus Media, AzzaSec, dan0n, Limpopo (aka SOCOTRA, FORMOSA, SEXi), LukaLocker, Shinra, and Space Bears, demonstrating the threat’s enduring and persistent nature.

LukaLocker, attributed to an operator known as Volcano Demon by Halcyon, is unusual in that it does not use a data leak site; instead, the operator calls the victim over the phone to extort and negotiate payment after encrypting Windows workstations and servers.

The development coincides with the discovery of new Linux variants of Mallox (aka Fargo, TargetCompany, and Mawahelper) ransomware, as well as decryptors for seven different builds.

Mallox is known to spread by brute-force attacks on Microsoft SQL servers and phishing emails targeting Windows computers, with recent breaches additionally using PureCrypter, a .NET-based loader.

“The attackers are using custom Python scripts for the purpose of payload delivery and victim information exfiltration,” Uptycs researchers Tejaswini Sandapolla and Shilpesh Trivedi explained. “The malware encrypts user data and appends .locked extension to the encrypted files.”
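Two observable points in the Mallox chain described above lend themselves to the same detection logic: a burst of failed Microsoft SQL Server logins from one client (initial access by brute force) and a burst of files renamed to the .locked extension by one process (impact). The script below is an added example written for this article, not code from Uptycs or from the malware; both log sets are constructed. The SQL Server error number 18456 ("Login failed for user") is real, but the exact ERRORLOG layout, the file-event format, the thresholds and the window sizes are assumptions to adjust for your own telemetry.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG-style lines: eight failures for 'sa' from one
# client in 35 seconds, then one failure and one success from another client.
MSSQL_LOG = [
    f"2024-06-14 02:10:{i:02d}.00 Logon       Error: 18456, Severity: 14, State: 8. "
    f"Login failed for user 'sa'. Reason: Password did not match that for the login provided. "
    f"[CLIENT: 203.0.113.10]"
    for i in range(0, 40, 5)
] + [
    "2024-06-14 02:12:30.00 Logon       Error: 18456, Severity: 14, State: 8. "
    "Login failed for user 'app_user'. Reason: Password did not match that for the login provided. "
    "[CLIENT: 198.51.100.5]",
    "2024-06-14 02:12:31.00 Logon       Login succeeded for user 'app_user'. [CLIENT: 198.51.100.5]",
]

# Constructed file-rename events (assumed "<ts> pid=<n> rename <old> -> <new>" layout):
# one process renames twelve files to .locked within four seconds, another does
# a single ordinary rename.
FILE_EVENTS = [
    f"2024-06-14 02:40:0{i % 4} pid=8812 rename /srv/share/docs/file{i}.xlsx -> /srv/share/docs/file{i}.xlsx.locked"
    for i in range(12)
] + ["2024-06-14 02:41:00 pid=4000 rename /srv/share/docs/draft.txt -> /srv/share/docs/final.txt"]

MSSQL_FAIL = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+.*Login failed for user '([^']+)'.*\[CLIENT: ([\d.]+)\]"
)
RENAME = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) pid=(\d+) rename (\S+) -> (\S+)$")


def burst_keys(events, window_seconds, threshold):
    """Return the keys that have >= threshold events inside any sliding window.

    events: iterable of (datetime, key). A per-key deque holds the timestamps
    still inside the window; its length is the current count for that key.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, key in sorted(events):
        queue = recent[key]
        queue.append(ts)
        while ts - queue[0] > timedelta(seconds=window_seconds):
            queue.popleft()
        if len(queue) >= threshold:
            flagged.add(key)
    return flagged


def mssql_bruteforce_sources(lines, window_seconds=60, threshold=5):
    """Client addresses with at least `threshold` failed logins per window."""
    events = []
    for line in lines:
        m = MSSQL_FAIL.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(3)))
    return burst_keys(events, window_seconds, threshold)


def locked_rename_processes(lines, window_seconds=10, threshold=10):
    """PIDs that renamed at least `threshold` files to .locked per window."""
    events = []
    for line in lines:
        m = RENAME.match(line)
        if m and m.group(4).endswith(".locked"):
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return burst_keys(events, window_seconds, threshold)


if __name__ == "__main__":
    print("brute-force sources:", mssql_bruteforce_sources(MSSQL_LOG))
    print("mass .locked renamers:", locked_rename_processes(FILE_EVENTS))
```

The rename rule is deliberately keyed on the process rather than the user, since an encryptor running under a legitimate account still stands out as a single process touching many files; pairing it with the login rule lets a SOC correlate the brute-force source with the later encryption activity on the same host.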

Avast has also released a decryptor for DoNex and its predecessors (Muse, Fake LockBit 3.0, and DarkRace) that exploits a vulnerability in the cryptographic system. The Czech cybersecurity business stated that it has been “silently providing the decryptor” to victims in collaboration with law enforcement groups since March 2024.

“Despite law enforcement efforts and increased security measures, ransomware groups continue to adapt and thrive,” the firm added.

According to data shared by Malwarebytes and NCC Group based on victims posted on leak sites, 470 ransomware attacks occurred in May 2024, up from 356 in April. LockBit, Play, Medusa, Akira, 8Base, Qilin, and RansomHub claimed responsibility for the vast majority of attacks.

“The ongoing development of new ransomware strains and the emergence of sophisticated affiliate programs demonstrate that the threat is far from being contained,” the group said. “Organizations must remain vigilant and proactive in their cybersecurity efforts to mitigate the risks posed by these ever-evolving threats.”


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.
