NEW ELDORADO RANSOMWARE HITS WINDOWS, LINUX SYSTEMS

An emerging ransomware-as-a-service (RaaS) operation called Eldorado has surfaced, featuring locker variants designed to encrypt files on both Windows and Linux systems.

Eldorado made its first appearance on March 16, 2024, when an advertisement for its affiliate program was posted on the ransomware forum RAMP, according to Singapore-headquartered cybersecurity firm Group-IB.

The firm, which infiltrated the ransomware group, noted that its representative is a Russian speaker and that the malware does not share code with previously leaked strains such as LockBit or Babuk.

“The Eldorado ransomware uses Golang for cross-platform capabilities, employing Chacha20 for file encryption and Rivest Shamir Adleman-Optimal Asymmetric Encryption Padding (RSA-OAEP) for key encryption,” researchers Nikolay Kichatov and Sharmine Low reported. “It can encrypt files on shared networks using the Server Message Block (SMB) protocol.”

Eldorado’s encryptor comes in four formats: esxi, esxi_64, win, and win_64. As of June 2024, its data leak site listed 16 victims, with 13 located in the U.S., two in Italy, and one in Croatia. These companies span various industry sectors including real estate, education, professional services, healthcare, and manufacturing.

Further analysis of the Windows version revealed the use of a PowerShell command that overwrites the locker's own executable with random bytes before deleting the file, an anti-forensic step intended to hinder recovery of the binary.
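The overwrite-then-delete cleanup described above leaves a trace in PowerShell script block logging. The following detector, an added example that is not from the article or from Group-IB, scans constructed script block records (assumed to be Event ID 4104 style text) and flags any script that fills a file with random bytes and then deletes that same path; the regexes and sample records are assumptions for illustration, not Eldorado indicators.

```python
import re

# Constructed sample script-block records (record_id, script text); not real telemetry.
SAMPLE_EVENTS = [
    (1, "Get-ChildItem C:\\Users -Recurse | Measure-Object"),
    (2, "$b = New-Object byte[] (Get-Item 'C:\\Temp\\locker.exe').Length; "
        "(New-Object System.Random).NextBytes($b); "
        "[IO.File]::WriteAllBytes('C:\\Temp\\locker.exe', $b); "
        "Remove-Item 'C:\\Temp\\locker.exe' -Force"),
    (3, "[IO.File]::WriteAllBytes('C:\\Temp\\report.bin', $data)"),
    (4, "Remove-Item 'C:\\Temp\\old.log' -Force"),
]

# Sources of random bytes commonly seen in PowerShell (assumed pattern list).
RANDOM_SOURCE = re.compile(
    r"System\.Random|Get-Random|RNGCryptoServiceProvider|RandomNumberGenerator", re.I)
# File writes that replace a file's content wholesale; group 1 is the target path.
OVERWRITE = re.compile(
    r"(?:WriteAllBytes\(\s*|Set-Content\s+(?:-Path\s+)?)['\"]?([^'\"\s,)]+)", re.I)
# File deletions; group 1 is the target path.
DELETE = re.compile(
    r"\b(?:Remove-Item|del|rm|erase)\b\s+(?:-Path\s+)?['\"]?([^'\"\s]+)", re.I)


def find_self_wipe(events):
    """Return records where random bytes are written to a path the same script then deletes."""
    hits = []
    for record_id, script in events:
        if not RANDOM_SOURCE.search(script):
            continue  # no random-byte generation: not the wipe pattern
        written = {m.group(1).lower() for m in OVERWRITE.finditer(script)}
        deleted = {m.group(1).lower() for m in DELETE.finditer(script)}
        overlap = written & deleted
        if overlap:
            hits.append({"record_id": record_id, "paths": sorted(overlap)})
    return hits


if __name__ == "__main__":
    for hit in find_self_wipe(SAMPLE_EVENTS):
        print(f"record {hit['record_id']}: random-overwrite then delete of {hit['paths']}")
```

A hit is a cue for responders to pull the binary from EDR quarantine or volume shadow copies before it is lost, since the on-disk copy will already be unrecoverable.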

Eldorado joins a growing list of new double-extortion ransomware players such as Arcus Media, AzzaSec, dan0n, Limpopo (also known as SOCOTRA, FORMOSA, SEXi), LukaLocker, Shinra, and Space Bears, underscoring the persistent nature of the threat.

LukaLocker, operated by a group dubbed Volcano Demon by Halcyon, is notable for not using a data leak site. Instead, it calls the victim to extort and negotiate payment after encrypting Windows workstations and servers.

This development coincides with the discovery of new Linux variants of the Mallox (also known as Fargo, TargetCompany, Mawahelper) ransomware and the release of decryptors for seven different builds.

Mallox is typically spread by brute-forcing Microsoft SQL servers and through phishing emails targeting Windows systems. Recent attacks have used a .NET-based loader named PureCrypter.

“The attackers are using custom Python scripts for payload delivery and victim information exfiltration,” noted Uptycs researchers Tejaswini Sandapolla and Shilpesh Trivedi. “The malware encrypts user data and appends a .locked extension to the encrypted files.”

A decryptor has been made available for DoNex and its predecessors (Muse, fake LockBit 3.0, and DarkRace) by Avast, leveraging a flaw in the cryptographic scheme. Avast has been “silently providing the decryptor” to victims since March 2024 in partnership with law enforcement.

“Despite law enforcement efforts and increased security measures, ransomware groups continue to adapt and thrive,” Group-IB said.

Data from Malwarebytes and NCC Group shows that 470 ransomware attacks were recorded in May 2024, up from 356 in April. Most attacks were claimed by LockBit, Play, Medusa, Akira, 8Base, Qilin, and RansomHub.

“The ongoing development of new ransomware strains and the emergence of sophisticated affiliate programs demonstrate that the threat is far from being contained,” Group-IB noted. “Organizations must remain vigilant and proactive in their cybersecurity efforts to mitigate the risks posed by these ever-evolving threats.”
