News: 1720510150

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Eldorado ransomware-as-a-service gang targets Linux, Windows systems

(2024/07/09)


A ransomware-as-a-service operation dubbed “Eldorado” that encrypts files on both Linux and Windows machines has infected at least 16 organizations – primarily in the US – as of June.

Singaporean security shop Group-IB [1]first spotted the criminal gang in March 2024, when it spotted it advertising an affiliate program and malware that comes in Linux and Windows 32 bit and 64 bit versions. The criminal gang is also seeking penetration testers to join the operation and spread the malicious code.

Group-IB's intelligence analyst Nikolay Kichatov and malware analyst Sharmine Low infiltrated Eldorado and concluded the malware-slinger’s representative was a native Russian speaker after finding colloquial terms in ads posted to the RAMP ransomware forum.

[2]

Eldorado crew advertises a locker and a loader, but what's unusual about this malware is that it does not use any previously published builder sources – such as the LockBit 3.0 ransomware that was [3]leaked in September 2022, or the Babuk source code that was [4]made public a year earlier.

[5]

[6]

Eldorado ransomware is written in Go, likely for its cross-platform capabilities. It uses the Chacha20 algorithm for file encryption and Rivest Shamir Adleman-Optimal Asymmetric Encryption Padding (RSA-OAEP) for key encryption, according to Group-IB's Low. Plus, it uses Server Message Block (SMB) protocol to encrypt files on shared networks, we're told.

Once affiliates join the ransomware-as-a-service operation, they are allowed chat-only access to victims, and can generate ransomware samples after providing the following customization parameters: the targeted network or company's name, file name for the ransom note and text, and either the domain administrator's password or hash.

[7]

An encryptor, obtained by Group-IB analysts, is available in four formats: esxi, esxi_64, win, and win_64.

Additionally, the Windows version uses a PowerShell command to overwrite the encryptor with random bytes before it deletes the file, which also helps remove any traces of the malware.

[8]Avast secretly gave DoNex ransomware decryptors to victims before crims vanished

[9]Cancer patient forced to make terrible decision after Qilin attack on London hospitals

[10]Europol nukes nearly 600 IP addresses in Cobalt Strike crackdown

[11]Ransomware scum who hit Indonesian government apologizes, hands over encryption key

"As of June, 2024, 16 companies across various countries and industries have suffered the Eldorado ransomware attacks, with companies in the US attacked 13 times, contributing up to 81.25 percent of the total number of incidents," Kichatov and Low wrote, adding that two victims were based in Italy and one in Croatia.

Real estate companies suffered three attacks, while education, professional services, healthcare, and manufacturing each experienced two ransomware infections. Other industries hit include telecoms, business services, administrative services, transportation, government, and military orgs.

"Although relatively new and not a rebrand of well-known ransomware groups, Eldorado has quickly demonstrated its capability within a short period of time to inflict significant damage to its victims' data, reputation, and business continuity," according to the Group-IB duo.

[12]

In their write-up, they also listed the Eldorado ransomware Onion domain, along with file and network indicators of compromise, plus other technical details of the malware.

While Eldorado may be one of the newest ransomware-as-a-service outfits, Group-IB spotted 27 ads for similar service operations on various cyber-crime forums between 2022 and 2023. Last year alone, the number of ads seeking ransomware affiliates increased 1.5 times compared to the previous 12 months. ®

Get our [13]Tech Resources



[1] https://www.group-ib.com/blog/eldorado-ransomware/

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/malwaremonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zo0KPu@eIPMoaCk3qbqTpwAAAAY&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://www.theregister.com/2024/02/22/lockbit_dismantled_new_variant/

[4] https://www.theregister.com/2024/01/09/babuk_tortilla_decryptor_arrests/

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/malwaremonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zo0KPu@eIPMoaCk3qbqTpwAAAAY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/malwaremonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zo0KPu@eIPMoaCk3qbqTpwAAAAY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/malwaremonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zo0KPu@eIPMoaCk3qbqTpwAAAAY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[8] https://www.theregister.com/2024/07/08/avast_secretly_gave_donex_ransomware/

[9] https://www.theregister.com/2024/07/05/qilin_impacts_patient/

[10] https://www.theregister.com/2024/07/04/europol_cobalt_strike_crackdown/

[11] https://www.theregister.com/2024/07/04/hackers_of_indonesian_government_apologize/

[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/malwaremonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zo0KPu@eIPMoaCk3qbqTpwAAAAY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[13] https://whitepapers.theregister.com/



Snake

No method of infection actually mentioned in the article. Email phishing? Network vulnerability probing? Zero day leveraging?

Inquiring minds need to know.

"encrypts files on both Linux and Windows machines"

Pascal Monett

Wait a minute. I accept that the scumware can encrypt files on Linux, but won't that be limited to the files of the user ?

Unless they've found a privilege escalation hack, of course. But will said privilege escalation hack function on all distros ? I'm guessing not.

Could some Linux aficionados enlighten me on this ? Linux has actual security. How is this possible ?

Re: "encrypts files on both Linux and Windows machines"

bombastic bob

/me guesses - well known user name, default password, allows ssh login as root, and by default has 'sudo' with no password and can run any privileged application...

This would point to a default setup problem. Like RPi OS maybe?

(sad but true)

Re: "encrypts files on both Linux and Windows machines"

that one in the corner

> This would point to a default setup problem. Like RPi OS maybe? (sad but true)

Really, really hoping anyone who is exposing a R'Pi has at least changed the default login setup.

Otherwise - is this this the sort of thing they call "a teachable moment" at BOFH school?

Re: "encrypts files on both Linux and Windows machines"

may_i

The clue is in the fact that some access broker will have needed to establish a domain administrator's hash or password. You can make Linux servers part of a Windows AD domain. Once they are members of the domain, administrator access is going to give the ransomware all the access it needs to encrypt every file.

Re: "encrypts files on both Linux and Windows machines"

UCAP

Access will be limited to the files accessible on the shares, and only those that the user (who is effectively running the malware) has read-write access to. A half-way competent BOFH will have the shares locked down to minimise access. Of course an incompetent/lazy BOFH will have the shares wide open to everyone ...

Re: "encrypts files on both Linux and Windows machines"

Anonymous Coward

An incompetent/lazy BOFH will be running Windows. Game over.

Re: "encrypts files on both Linux and Windows machines"

Anonymous Coward

Isn't the whole point to encrypt the user files. They are the one's that can't be easily replaced. You can download a new copy of the OS, so there's no point encrypting system files.

Re: "encrypts files on both Linux and Windows machines"

Anonymous Coward

You want to encrypt as many different users' files as possible - preferably including the the login under which the database server is running. And the separate login for email server, the one for the other important server...

You *ought* to be able to recover (most of) the data from a random human user's files: source code back to the last commit, Word docs back to last snapshot of the home directory.

How does this malware gain a foothold on ones Linux computer?

t245t

How does this malicious code execute itself on Linux systems without user action?

[1]All about Eldorado Ransomware : “ The ransomware builder asked for the domain administrator’s password .. There are Eldorado versions for Windows .. and Linux .. For Linux, the encryptor is simple and supports only the -path argument. It will only recursively walk through files in the specified directory. ”

[1] https://www.group-ib.com/blog/eldorado-ransomware/

Re: How does this malware gain a foothold on ones Linux computer?

Doctor Syntax

It's a bit vague. Presumably it relies on a leaked UserID/password combination. Maybe the malware author has limited Unix/Linux knowledge.

Re: How does this malware gain a foothold on ones Linux computer?

Anonymous Coward

So basically it uses the fact that you control access to a reasonably secure platform from a system that, well, isn't.

Quelle surprise..

Q: How many WASPs does it take to change a light bulb?
A: One.