1.0 Introduction
Eldorado is a Ransomware-as-a-Service platform, meaning it allows cybercriminals to easily deploy ransomware attacks without needing extensive technical expertise. The creators of Eldorado provide a user-friendly interface, complete with customer support, making it accessible to a broader range of malicious actors. This model not only increases the frequency of ransomware attacks but also the variety, as different attackers might use the service for different targets and purposes.
2.0 Impacts
The impacts of Eldorado Ransomware are:
- Data loss: Encrypted files become inaccessible to users.
- Operational Disruption: Critical systems and operations can be halted.
- Extortion by the hackers for financial gain.
- Data leakage if the victim does not comply.
3.0 Targeted Country and Industry
3.1 Affected Countries
- United States: 13 attacks
- Italy: 2 attacks
- Croatia: 1 attack
3.2 Affected Industries
- Real Estate: 3 attacks
- Education: 2 attacks
- Professional Services: 2 attacks
- Health Care: 2 attacks
- Manufacturing: 2 attacks
- Messaging and Telecommunications: 1 attack
- Business Services: 1 attack
- Administrative Services: 1 attack
- Transportation: 1 attack
- Government and Military: 1 attack
4.0 Indicators of Compromise (IOCs)
All encrypted files will have the extension “.00000001”. During the locking process, the following logs are printed to the console. Here is an example of the output logs when we tried encrypting a single directory.
Figure 1: Console logs during encryption
A ransom note titled “HOW_RETURN_YOUR_DATA.TXT” will be written to the Documents and Desktop folders, containing instructions for contacting the threat actor (TA). The filename and text of the ransom note can be customised during the building process.
Figure 2: Eldorado ransom note
Figure 3: Screenshot of DLS of Eldorado Ransomware
5.0 Technical Details
Eldorado is designed to be versatile and efficient. It can target both Windows and Linux systems, expanding its reach significantly. The ransomware is typically delivered via phishing emails, malicious advertisements, or exploit kits. Once a system is infected, Eldorado encrypts all the files, rendering them inaccessible to the user. The victim is then presented with a ransom note demanding payment in cryptocurrency to decrypt the files.
Eldorado ransomware is written in Golang, chosen for its cross-platform capabilities and its ability to produce native, self-contained binaries. This allows the ransomware to target multiple operating systems efficiently, including Windows (32-bit and 64-bit) and Linux (32-bit and 64-bit).
File Encryption Process
Encryption Extensions:
- All encrypted files are given the extension .00000001.
Console Logs:
- During the encryption process, Eldorado prints specific logs to the console. For instance, when encrypting a directory, logs are generated to provide details about the encryption status.
Ransom Note:
- A ransom note titled HOW_RETURN_YOUR_DATA.TXT is created in the Documents and Desktop folders. This note contains instructions for victims to contact the attackers, often including a URL for live chat.
Windows Version Details
Eldorado ransomware for Windows accepts several command line parameters:
- -path: Encrypts all files in the specified directory and its subdirectories. If not specified, all local disks are processed.
- -skip-local: Skips processing local files.
- -n <subnet>: Specifies network shares in CIDR format. Defaults to values from active network interfaces if not provided.
- -d <domain>: Specifies a domain.
- -u <username>: Specifies the username for SMB.
- -p <password>: Specifies the password for SMB.
- -skip-net: Skips processing network shares.
- -keep: Disables self-deletion after execution.
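When one of these command lines turns up in process-creation telemetry, the first questions are what will be encrypted, whether network shares are in scope and whether the binary will remove itself. The helper below is an added example (not code from the advisory or from the ransomware) that maps the parameters listed above onto that summary; the executable name and the sample command lines are constructed, and the event format is assumed to be a plain command-line string.

```python
"""Triage helper for an observed Eldorado (Windows build) command line.

Added example, not part of the advisory. It collects the documented
flags from a process command line and answers the questions a responder
asks first. The executable name "ransom.exe" and the sample command lines
used in the test are placeholders constructed for illustration.
"""
import ipaddress
import shlex

# Flags that take a value, as documented for the Windows build.
VALUE_FLAGS = {"-path", "-n", "-d", "-u", "-p"}
# Flags that stand alone.
BOOL_FLAGS = {"-skip-local", "-skip-net", "-keep"}


def parse_eldorado_args(cmdline: str) -> dict:
    """Split a Windows-style command line and collect the documented flags.

    posix=False keeps backslashes in paths intact; surrounding quotes on a
    value are stripped afterwards. Unknown tokens are kept under 'unknown'
    so that nothing is silently dropped from the record.
    """
    tokens = shlex.split(cmdline, posix=False)
    args = {"unknown": []}
    i = 1  # token 0 is the executable path
    while i < len(tokens):
        tok = tokens[i]
        if tok in BOOL_FLAGS:
            args[tok] = True
        elif tok in VALUE_FLAGS and i + 1 < len(tokens):
            args[tok] = tokens[i + 1].strip('"')
            i += 1
        else:
            args["unknown"].append(tok)
        i += 1
    return args


def triage(cmdline: str) -> dict:
    """Turn the parsed flags into a short scope summary for the analyst."""
    args = parse_eldorado_args(cmdline)
    subnet = None
    if "-n" in args:
        try:
            # -n takes a CIDR subnet; normalise it so it can be searched for.
            subnet = str(ipaddress.ip_network(args["-n"], strict=False))
        except ValueError:
            subnet = f"invalid: {args['-n']}"
    return {
        # Without -path, every local disk is processed.
        "local_scope": "none" if args.get("-skip-local")
                       else args.get("-path", "all local disks"),
        # Without -n, the subnets of the active interfaces are used.
        "network_scope": "none" if args.get("-skip-net")
                         else (subnet or "active interface subnets"),
        "smb_creds_supplied": "-u" in args or "-p" in args,
        "domain": args.get("-d"),
        # Self-deletion is the default; -keep disables it.
        "self_deletes": not args.get("-keep", False),
        "unknown_tokens": args["unknown"],
    }


if __name__ == "__main__":
    # Constructed sample command line for illustration.
    print(triage('C:\\Users\\Public\\ransom.exe -path "D:\\Shares" -n 10.0.0.0/24 -keep'))
```

A run with `-keep` set is worth noting in the incident record: the encryptor binary should still be on disk, which is not the case for the default self-deleting run.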
Configuration Blob:
- The binary contains a gzip-compressed configuration blob with fields such as public key, note name, note text, and domain admin password or hash.
Network Activity
- Logs are sent to 173.44.141[.]152 via WebSockets, with the Origin header set to http://logger.
Encryption Algorithm
- ChaCha20: Used to encrypt file contents. For each file, a fresh 32-byte key and a 12-byte nonce are generated.
- RSA-OAEP: Used to encrypt the per-file key and nonce with the public key embedded in the ransomware's configuration; the resulting ciphertext is appended to the end of each file.
Clean-Up Mechanisms
- File Overwriting: Eldorado uses a PowerShell script to overwrite the encryptor with random bytes before deleting it, unless the -keep argument is specified.
- Shadow Volume Copies Removal: Executes the command vssadmin delete shadows /all /quiet to delete shadow volume copies, preventing file recovery through Windows backup mechanisms.
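The two concrete, host-observable behaviours in the Network Activity and Clean-Up sections above are the WebSocket connection to the logging endpoint with the `Origin: http://logger` header and the `vssadmin delete shadows /all /quiet` command. The following is an added detection example (not from the advisory) that runs both checks over constructed, SIEM-style event records; the event dictionaries and their field names are assumptions for this example, while the IP address, Origin value and command come from the advisory.

```python
"""Detection checks for two Eldorado behaviours described in the advisory.

Added example, not from the advisory or from the ransomware authors. The
event records are constructed stand-ins for parsed Sysmon/proxy logs; the
field names ("type", "cmdline", "dst_ip", "headers") are assumptions.
"""
import re

BEACON_IP = "173.44.141.152"      # logging endpoint named in the advisory
BEACON_ORIGIN = "http://logger"   # Origin header value on the WebSocket request

# vssadmin delete shadows with /all and /quiet in any order, any casing.
VSSADMIN_RE = re.compile(
    r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b(?=.*\s/all\b)(?=.*\s/quiet\b)",
    re.IGNORECASE,
)

# Constructed sample events: two process creations and two HTTP requests.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"type": "http", "dst_ip": "173.44.141.152", "dst_port": 80,
     "headers": {"Upgrade": "websocket", "Origin": "http://logger"}},
    {"type": "http", "dst_ip": "203.0.113.7", "dst_port": 443,
     "headers": {"Upgrade": "websocket", "Origin": "https://example.com"}},
]


def check_shadow_deletion(event):
    """Flag the exact shadow-copy removal command the advisory documents."""
    if event.get("type") != "process":
        return None
    if VSSADMIN_RE.search(event.get("cmdline", "")):
        return "shadow-copy deletion (vssadmin delete shadows /all /quiet)"
    return None


def check_logger_beacon(event):
    """Flag a WebSocket upgrade to the logging IP or with the logger Origin."""
    if event.get("type") != "http":
        return None
    headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
    is_ws = headers.get("upgrade", "").lower() == "websocket"
    if is_ws and (event.get("dst_ip") == BEACON_IP
                  or headers.get("origin") == BEACON_ORIGIN):
        return "WebSocket log beacon to Eldorado logging endpoint"
    return None


RULES = (check_shadow_deletion, check_logger_beacon)


def run_rules(events):
    """Return (event index, rule name, description) for every hit."""
    alerts = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((idx, rule.__name__, hit))
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The Origin check matters more than the IP: the address can change between builds, whereas `http://logger` is not a value a legitimate browser WebSocket client sends. The PowerShell overwrite of the encryptor is not encoded as a rule here because the advisory does not give the script's content; it is better covered by generic PowerShell script-block logging.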
6.0 Recommendations
CyberSecurity Malaysia recommends that users apply the following mitigations to reduce the risk of compromise by Eldorado ransomware:
6.1 Recommendations for System Administrators:
- Organisations must proactively monitor and screen for compromised credentials, which may result from infostealer infections. Infostealers can be one stage of a larger attack such as ransomware. Hence, compromised credentials must be rectified immediately by changing them to strong passwords.
- Implement password revocation to enforce password changes.
- Encourage employees to use secure password managers and longer passphrases, avoid using the same password for multiple accounts and set reminders to change passwords after several months.
- Use multi-factor authentication to identify and protect the businesses' critical assets and access to critical information systems.
- Restrict access authorisations according to user roles and develop authorisation policy to secure idle accounts; automatically lock accounts and alert IT staff after several failed login attempts.
- Review Active Directory (AD) to locate and close existing backdoors such as compromised service accounts, which often have administrative privileges and are often targeted by attackers who aim to steal credentials.
- Update security patches and antivirus software regularly.
- Perform data backups daily and test them regularly. Keep backup copies in a remote location.
- Conduct information security (IS) awareness training for all staff at least once a year.
- Do not download suspicious files from an unknown sender.
- Conduct Disaster Recovery Plan review and update, if necessary.
- Conduct Business Continuity Plan review and update, if necessary.
6.2 Recommendations for Internet users:
- Users should use strong and unique passwords.
- Users should use secure passwords for the network.
- Users should be wary of phishing attempts and must not simply click on any links or executables they receive via social media and other messaging applications.
- Users should practice safe browsing and backup data regularly.
- Users should download software or applications from reputable sources.
- Users should be wary and suspicious of applications circulated on social media for downloads.
- Enable and use up-to-date anti-virus software.
- Apply security updates and patches regularly.
- Contact relevant authorities such as CyberSecurity Malaysia for inquiries and assistance related to cyber threats or suspicious activities users observe online.
- Users are also encouraged to report to the Service Providers or the social media platform concerning the circulation of posts or ads with suspicious links.
Generally, CyberSecurity Malaysia advises users to be updated with the latest security announcements and follow best security practices to protect against ransomware attacks.
For further enquiries or to report an incident, please contact us through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 08:30 -17:30 MYT
Web: https://www.mycert.org.my
7.0 References