There’s a brand new player in the ransomware-as-a-service (RaaS) space: Eldorado.
Cybersecurity researchers at Group-IB have been tracking the group for some time and have even obtained a version of the encryption tool for analysis.
According to the researchers, Eldorado is not a rebranding of a previous threat actor and is likely employing entirely new people. It likely began its operation in March of this year, as that is around the time that researchers began seeing the group offering its services on the dark web and first calling for skilled affiliates to join the program.
Customization options
The encryptor is built for Windows and Linux devices and can also target VMware ESXi hypervisors. Since March, it has claimed 16 victims, mainly in real estate, education, healthcare, and manufacturing.
The developers say that Eldorado does not rely on previously published builder sources and claim to have built the encryptor to offer a certain level of customization. On Linux, affiliates can choose which folders to encrypt, while on Windows they can choose folders, skip local files, target network shares on specific subnets, and prevent the malware from self-destructing.
Otherwise, by default the malware deletes itself after running, which prevents security teams from performing a post-mortem analysis of the binary.
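The self-destruct behaviour described above is worth detecting on its own: a process that deletes its own executable is rare for ordinary software and is exactly what removes the artefact an incident responder would want. The following is an added example, not code from Group-IB or from the article, that looks for this pattern in process-creation and file-delete telemetry. The log format, field names and sample lines are constructed for the example; adapt the parser to whatever your EDR or Sysmon pipeline emits.

```python
"""Flag processes that delete their own image file (self-destruct).

Added example; the pipe-separated log format and the field names are
constructed for illustration and are not a real vendor format.
"""
import re

# Constructed sample telemetry: event|pid|process image|deleted target.
# PROCESS_CREATE rows leave the target column empty.
SAMPLE_LOG = """\
PROCESS_CREATE|4120|C:\\Users\\alice\\Downloads\\invoice.exe|
FILE_DELETE|4120|C:\\Users\\alice\\Downloads\\invoice.exe|C:\\Users\\alice\\Downloads\\invoice.exe
PROCESS_CREATE|5332|C:\\Windows\\System32\\notepad.exe|
FILE_DELETE|5332|C:\\Windows\\System32\\notepad.exe|C:\\Users\\alice\\notes.txt
PROCESS_CREATE|6001|C:\\Temp\\update.exe|
FILE_DELETE|6001|C:\\Temp\\update.exe|C:\\Temp\\update.exe
"""

LINE_RE = re.compile(
    r"^(?P<event>[A-Z_]+)\|(?P<pid>\d+)\|(?P<image>[^|]*)\|(?P<target>[^|]*)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    return ev


def find_self_deletions(log_text):
    """Return [(pid, image)] for every process that deleted its own image.

    Paths are compared case-insensitively because Windows file systems are
    case-insensitive; the image recorded at process creation is preferred,
    falling back to the image on the delete event if creation was not seen.
    """
    image_by_pid = {}
    hits = []
    for raw in log_text.splitlines():
        ev = parse_line(raw.strip())
        if ev is None:
            continue  # skip lines the parser does not understand
        if ev["event"] == "PROCESS_CREATE":
            image_by_pid[ev["pid"]] = ev["image"].lower()
        elif ev["event"] == "FILE_DELETE":
            image = image_by_pid.get(ev["pid"], ev["image"].lower())
            if ev["target"].lower() == image:
                hits.append((ev["pid"], ev["image"]))
    return hits


if __name__ == "__main__":
    for pid, image in find_self_deletions(SAMPLE_LOG):
        print(f"self-deletion by pid {pid}: {image}")
```

In practice PIDs are reused, so a production rule should key on a process GUID or creation timestamp rather than the bare PID, and legitimate installer or updater stubs also remove themselves; triaging hits by the directory they ran from (user downloads and temp folders versus signed installer locations) keeps the alert useful without becoming noisy.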
The group also claims to run a data leak site, but according to BleepingComputer it is currently offline.
“Although Eldorado is relatively new and not a new name from any well-known ransomware groups, the company has demonstrated in a short period of time that it can cause significant damage to its victims’ data, reputation, and business continuity,” Group-IB researchers wrote in their analysis.
As with most other cyberattacks, a ransomware attack usually starts with a user clicking a malicious link or running a malicious file locally. The best protection against ransomware is therefore to educate your employees about the dangers of phishing and social engineering attacks.