A new ransomware-as-a-service (RaaS) operation named Eldorado comes with locker variants that encrypt files on Windows and Linux systems.
Eldorado first appeared on March 16, 2024, when it was advertised on the RAMP ransomware forum, according to Singapore-headquartered Group-IB.
After infiltrating the group, the cybersecurity company observed that its representative communicated in Russian and that the malware does not overlap with previously leaked builders such as LockBit or Babuk.
“The Eldorado extortion scheme leverages Golang for broad system compatibility, utilizing ChaCha20 for data ciphering and Rivest Shamir Adleman-Optimal Asymmetric Encryption Padding (RSA-OAEP) for key locking,” said researchers Nikolay Kichatov and Sharmine Low in their report. “It is capable of encrypting information on communal networks through the Server Message Block (SMB) protocol.”
Eldorado's encryptor comes in four variants, esxi, esxi_64, win, and win_64, and 16 victims were listed on its data leak site as of June 2024: thirteen in the U.S., two in Italy, and one in Croatia.
The affected organizations span sectors including real estate, education, consulting, healthcare, and manufacturing, among others.
An analysis of the Windows version found that it runs a PowerShell command to overwrite the locker binary with random bytes before deleting it, an anti-forensic step intended to cover its tracks and hamper recovery of the sample.
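The article does not reproduce the actual command, so the following is an added defensive illustration, not code from Group-IB's report or from the malware: a Python heuristic that scans PowerShell script block log text (the body of Event ID 4104 entries) and flags blocks that combine all three stages of the overwrite-then-delete chain, namely generating random bytes, writing them to a file, and deleting that file. The sample log entries, the indicator regexes, and the three-stage rule are all constructed assumptions to be tuned against real telemetry.

```python
import re

# Constructed sample PowerShell script block log texts (Event ID 4104 bodies),
# not real Eldorado artefacts. "suspect-1" models the overwrite-then-delete pattern
# described in the article; the two "benign" entries are ordinary admin activity.
SAMPLE_SCRIPT_BLOCKS = [
    ("benign-1", "Get-ChildItem C:\\Logs -Filter *.log | Sort-Object LastWriteTime"),
    ("suspect-1",
     "$b = New-Object byte[] 1048576; "
     "(New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($b); "
     "[IO.File]::WriteAllBytes('C:\\Users\\Public\\locker.exe', $b); "
     "Remove-Item -Force 'C:\\Users\\Public\\locker.exe'"),
    ("benign-2", "$rnd = Get-Random -Maximum 100; Write-Output $rnd"),
]

# Assumed (heuristic) indicators for each stage of the anti-forensic sequence.
# A block is flagged only when all three stages appear together, which keeps
# ordinary uses of Remove-Item or Get-Random from raising alerts on their own.
STAGES = {
    "random_bytes": re.compile(
        r"RNGCryptoServiceProvider|RandomNumberGenerator|New-Object\s+byte\[\]|\[byte\[\]\]",
        re.I),
    "file_write": re.compile(r"WriteAllBytes|Set-Content|Out-File|IO\.FileStream", re.I),
    "file_delete": re.compile(r"Remove-Item|IO\.File\]::Delete|\.Delete\(\)|\bdel\b", re.I),
}


def classify_script_block(text: str) -> dict:
    """Return which stages a script block contains and whether it is flagged."""
    hits = {name: bool(rx.search(text)) for name, rx in STAGES.items()}
    hits["flagged"] = all(hits[name] for name in STAGES)
    return hits


def flagged_blocks(entries) -> list:
    """Return the record ids of blocks showing the full overwrite-then-delete chain."""
    return [rid for rid, text in entries if classify_script_block(text)["flagged"]]


if __name__ == "__main__":
    for rid, text in SAMPLE_SCRIPT_BLOCKS:
        print(rid, classify_script_block(text))
    print("flagged:", flagged_blocks(SAMPLE_SCRIPT_BLOCKS))
```

Requiring all three stages in a single block trades recall for precision; a malware author can split the steps across separate invocations, so in practice the hits should be correlated with process creation and file deletion events from the same host and time window rather than used as a stand-alone alert.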
Eldorado joins a wave of new double-extortion ransomware actors that have surfaced recently, including Arcus Media, AzzaSec, dan0n, Limpopo (also known as SOCOTRA, FORMOSA, and SEXi), LukaLocker, Shinra, and Space Bears, underscoring once more the persistent and long-lived nature of the threat.
LukaLocker, attributed to a group Halcyon tracks as Volcano Demon, is notable for not operating a data leak site; instead, after encrypting Windows workstations and servers, it phones victims to pressure them and negotiate payment.
The development coincides with the discovery of new Linux variants of the Mallox (also known as Fargo, TargetCompany, and Mawahelper) ransomware, as well as decryptors for seven distinct variants.
Mallox is distributed by brute-forcing Microsoft SQL servers and through phishing emails targeting Windows systems, with recent intrusions using a .NET-based loader called PureCrypter to deliver it.
“The attackers are employing specialized Python scripts for delivering payloads and exfiltrating victim data,” said Uptycs researchers Tejaswini Sandapolla and Shilpesh Trivedi in their report. “The malware encrypts user data and appends .locked extension to the affected files.”
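The brute-force stage against Microsoft SQL Server described above leaves a clear trace in the server's ERRORLOG, which records each failed login with the client address. As an added defensive illustration (not from the Uptycs report), the Python script below detects that stage: it parses constructed ERRORLOG-style lines, keeps a sliding window of failures per client address, and raises one alert per client once the failure count in the window crosses a threshold. The log lines, the threshold of 5 failures in 60 seconds, and the field names are assumptions; the “Login failed for user ... [CLIENT: ip]” message shape is the one SQL Server itself writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the SQL Server ERRORLOG style (not from a real incident):
# six failures from 203.0.113.5 within a few seconds, two slow failures from
# 198.51.100.7 several minutes apart, and one unrelated informational line.
SAMPLE_ERRORLOG = [
    "2024-06-10 12:00:00.10 spid12s     SQL Server is now ready for client connections.",
    "2024-06-10 12:00:00.50 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2024-06-10 12:00:01.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2024-06-10 12:00:02.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2024-06-10 12:00:03.40 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]",
    "2024-06-10 12:00:04.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2024-06-10 12:00:05.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2024-06-10 12:01:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]",
    "2024-06-10 12:05:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]",
]

# Matches the failed-login message and captures timestamp, login name and client address.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]\s]+)\]"
)


def detect_brute_force(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client: alert} for every client whose failed logins inside a sliding
    window reach the threshold. Each alert records when the threshold was first hit,
    the failure count at that moment, and every login name tried by that client."""
    recent = defaultdict(deque)   # client -> failure timestamps still inside the window
    users = defaultdict(set)      # client -> login names attempted
    alerts = {}
    for line in lines:
        m = LOGIN_FAILED.search(line)
        if not m:
            continue  # not a failed-login record
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        client = m["client"]
        users[client].add(m["user"])
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold and client not in alerts:
            alerts[client] = {
                "first_alert": ts,
                "failures_in_window": len(q),
                "users_tried": sorted(users[client]),
            }
    return alerts


if __name__ == "__main__":
    for client, alert in detect_brute_force(SAMPLE_ERRORLOG).items():
        print(client, alert)
```

The per-client login name set distinguishes a password-guessing run against one account (many failures, one user) from a spray across accounts (many users, few failures each); both patterns merit blocking the source at the firewall and confirming that the SQL instance is not reachable from the internet at all.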

Avast has also released a decryptor for DoNex and its predecessors (Muse, fake LockBit 3.0, and DarkRace) by exploiting a flaw in the encryption scheme. The Czech cybersecurity company said it has been quietly distributing the decryptor to victims since March 2024 in cooperation with law enforcement agencies.
“Despite the initiatives of law enforcement and the reinforcement of security measures, ransomware factions persist in adapting and thriving,” Group-IB remarked.
Data from Malwarebytes and NCC Group, based on victims posted to leak sites, shows 470 ransomware attacks recorded in May 2024, up from 356 in April. Most were attributed to LockBit, Play, Medusa, Akira, 8Base, Qilin, and RansomHub.
“The continual evolution of fresh ransomware variations and the advent of sophisticated partnership schemes assert that the menace is far from being controlled,” Group-IB pointed out. “Organizations should maintain a watchful eye and take proactive steps in their cybersecurity endeavors to minimize the hazards prompted by these perpetually changing threats.”