There's a new player on the ransomware-as-a-service (RaaS) scene, and it's called Eldorado.
Researchers at Group-IB have been tracking the group for some time and have obtained a copy of the encryptor for analysis.
According to the researchers, Eldorado is not a rebrand of a previous threat actor and is most likely run by entirely new people. It probably started operating in March of this year: that is when researchers first saw the group advertising its services on the dark web and calling for qualified affiliates to join the program.
Customization options
The encryptor was created for Windows and Linux devices, and is also capable of attacking VMware ESXi hypervisors. Since March, it has claimed 16 victims, mainly in the real estate, education, healthcare and manufacturing sectors.
The developers claim that Eldorado does not rely on previously published builder sources and that the encryptor was written to offer some customization. On Linux, affiliates can choose which directories to encrypt; on Windows they can choose directories, skip local files, target network shares on specific subnets, and prevent the malware from self-destructing.
Unless that option is used, the encryptor deletes itself by default after it runs, which denies security teams the binary they would otherwise recover for a post-mortem. Self-deletion removes the file from disk, not the process-creation, file-write and network telemetry an EDR or Sysmon deployment has already recorded, so responders should pull those sources (and a memory image, if the host is still up) before anything else.
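The self-deletion is the step a responder most wants to catch while the binary is still on disk. As an added example that is not part of this article or of Group-IB's research, the Python below runs a check over constructed Sysmon-style process-creation records (Event ID 1 fields) and flags a shell such as cmd.exe or powershell.exe that was spawned by a binary and whose command line deletes that parent's own image. The article does not say how Eldorado removes itself, so the spawn-a-shell-to-delete pattern, the field names, the sample paths and the `invoice.exe` binary are assumptions made for illustration.

```python
"""Flag a process that spawns a shell to delete its own executable.

Added example for this article; not Eldorado's code and not Group-IB tooling.
The records below are constructed in the shape of Sysmon Event ID 1 (process
create). The self-deletion mechanism is an assumption, not one documented for
Eldorado on the page.
"""
import ntpath
import re

# Interpreters an executable would typically hand its own cleanup to.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# cmd.exe deletion verbs plus PowerShell's Remove-Item and its aliases.
DELETE_VERBS = re.compile(r"(?<![\w-])(del|erase|remove-item|rm|ri)(?![\w-])", re.IGNORECASE)

# Constructed sample records (assumed paths and process IDs).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentProcessId": 3988,
     "Image": r"C:\Users\alice\Downloads\invoice.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\invoice.exe"'},
    # Child shell that waits briefly, then deletes its parent's image.
    {"ProcessId": 4388, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\alice\Downloads\invoice.exe",
     "CommandLine": r'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del /f /q "C:\Users\alice\Downloads\INVOICE.exe"'},
    # Benign cleanup: a shell deleting a log file, not its parent's binary.
    {"ProcessId": 4410, "ParentProcessId": 2200,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"cmd.exe /c del /q C:\Windows\Temp\update.log"},
    # Same self-deletion via PowerShell, quoted with single quotes.
    {"ProcessId": 4500, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\alice\Downloads\invoice.exe",
     "CommandLine": r"powershell.exe -c Remove-Item -Force 'C:\Users\alice\Downloads\invoice.exe'"},
]


def references_parent(cmdline, parent_image):
    """True if the command line names the parent's full path or its file name.

    Matching on the base name as a separate token also catches relative
    paths (``del invoice.exe`` run from the binary's own directory).
    """
    if parent_image.lower() in cmdline.lower():
        return True
    base = re.escape(ntpath.basename(parent_image))
    return re.search(r"(?<![\w.])" + base + r"(?!\w)", cmdline, re.IGNORECASE) is not None


def self_deletion_alerts(events, shells=SHELLS):
    """Return one alert per shell process whose command line deletes its parent's image."""
    alerts = []
    for ev in events:
        if ntpath.basename(ev["Image"]).lower() not in shells:
            continue
        cmd = ev["CommandLine"]
        if not DELETE_VERBS.search(cmd):
            continue
        if references_parent(cmd, ev["ParentImage"]):
            alerts.append({"pid": ev["ProcessId"],
                           "parent": ev["ParentImage"],
                           "cmdline": cmd})
    return alerts


if __name__ == "__main__":
    for alert in self_deletion_alerts(SAMPLE_EVENTS):
        print(f"self-deletion: pid {alert['pid']} removing {alert['parent']}")
        print(f"  {alert['cmdline']}")
```

Run against the constructed records it reports the two shells spawned by `invoice.exe` (PIDs 4388 and 4500) and ignores the svchost.exe log cleanup. The check leans on Sysmon's `ParentImage` field so no PID-to-image bookkeeping is needed; pairing it with file-delete telemetry (Sysmon Event ID 23 or 26, or the equivalent EDR event) confirms the deletion actually happened and, where the sensor archives deleted files, can preserve the binary itself.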
The group also said it had a data leak site, but according to BleepingComputer, it is currently offline.
“Although relatively new and not a new brand of well-known ransomware groups, Eldorado has quickly demonstrated its ability in a short period of time to inflict significant damage to its victims’ data, reputation and business continuity,” Group-IB researchers wrote in their analysis.
Phishing and other social engineering remain a common way in, so training staff to recognize malicious links and attachments is still worthwhile. It is not sufficient on its own. A ransomware operation with builds for Windows, Linux and ESXi and an option to encrypt network shares across chosen subnets is just as often seeded through stolen or brute-forced credentials and unpatched internet-facing services, and the damage it does after the first foothold depends on what the environment allows. Multi-factor authentication on remote access, prompt patching of edge devices and hypervisors, segmentation that keeps workstations away from ESXi management interfaces and file-server subnets, least-privilege accounts, and tested offline or immutable backups are what limit the blast radius once someone has clicked.