Eldorado Ransomware: Threats, Recovery Strategies, and Prevention

Explore the emerging threat of Eldorado ransomware in our comprehensive guide. Learn about its encryption methods, recovery strategies, and preventive measures to protect your organization from this sophisticated cyber threat.

Eldorado ransomware emerged in March 2024 as a formidable player in the cybercrime landscape. This ransomware-as-a-service (RaaS) model, which allows people with little technical knowledge (affiliates) to spread the cyber threat, has quickly gained notoriety for its ability to target both Windows and Linux systems. It employs sophisticated encryption methods that pose significant risks to businesses across various sectors. 

With its unique customization capabilities, Eldorado allows affiliates to tailor their attacks for maximum impact. Understanding how this threat operates and how to respond effectively is essential for organizations. 

In this article, we will explore the intricacies of Eldorado ransomware, its history, operational methods, and best practices for prevention and recovery.

Eldorado history and variants

The Eldorado ransomware was first advertised on the RAMP forum, where its operators sought skilled affiliates to join their ranks. Since its inception, it has claimed at least 16 victims, predominantly in the United States, across sectors such as real estate, education, healthcare, and manufacturing. 

Its success is mainly attributed to its affiliates, who can customize attacks based on specific targets. This flexibility not only increases the likelihood of successful infections but also complicates organizations’ detection and response efforts.

How does Eldorado differ from other ransomware?

Proven Data experts discovered that Eldorado differs from other ransomware strains in its affiliate customization capabilities. Attackers can specify which directories to encrypt or skip, target network shares on specific subnets, and even prevent the malware from self-deleting. The ransomware utilizes a decompressed configuration structure that includes critical fields like RSA public keys and ransom note text, allowing attackers to tailor their operations effectively.

Also, unlike many ransomware strains that follow a one-size-fits-all approach, Eldorado’s customization options allow affiliates to tailor their attacks based on target vulnerabilities. This level of flexibility allows for tailored attacks that can maximize impact while minimizing the risk of detection. This means that organizations must remain vigilant and proactive in their cybersecurity strategies.

How to remove Eldorado ransomware

In an Eldorado ransomware infection, swift and methodical action to mitigate damage and recover data is crucial. Eldorado employs ChaCha20 encryption combined with RSA-OAEP (2048-bit) for securing files. Encryption involves a secure random number generator to create keys and nonces, and then files are encrypted in blocks. As a result, breaking the encryption is nearly impossible.

From a recovery perspective, it is noteworthy that Eldorado skips encryption for files located in specific directories, which can be advantageous during recovery efforts:

Directories Excluded from Encryption:

  • ProgramData
  • Program Files
  • Program Files (x86)
  • Application Data

Understanding these exclusions can help organizations identify potentially recoverable data amidst an attack.

Contact ransomware recovery service

Engaging with a professional ransomware recovery service should be your first step. Proven Data experts have the tools and experience to deal with ransomware incidents effectively. They can assess the situation, identify the variant involved, and guide whether data recovery is feasible without paying the ransom.

Apply your incident response plan

If your organization has an incident response plan (IRP), activate it immediately. This plan should include:

  • Isolate infected systems: Disconnect affected machines from the network to prevent further spread.
  • Assessment: Determine the extent of the infection and identify which files have been encrypted.
  • Communication: Inform relevant stakeholders about the incident while maintaining transparency with affected parties.

You can also contact our digital forensics and incident response (DFIR) team to understand how the attack happened and properly address it.

Recover data using a recent backup

Once you remove the ransomware from the network and systems, you can restore the data from a clean and recent backup.

After restoring data, verify that all systems are functioning correctly and that no remnants of the ransomware remain.

Remember to regularly backup your system, updating it according to data usage. This helps you avoid losing critical data due to incidents and cyber-attacks and reduces downtime.

How to identify Eldorado ransomware: main IOCs

IOCs (Indicators of Compromise) are digital traces left by attackers during a cyberattack. These clues, like file extensions, file hashes, and IP addresses, help identify malware or malicious activity. Technical knowledge might be needed to locate some IOCs, or you can use a ransomware ID to search for the strain that infected your machine and network. 

Monitoring network traffic for unusual patterns, particularly SMB traffic, can also indicate an ongoing Eldorado attack. Additionally, tracking processes associated with known Eldorado executables or unusual command-line arguments can aid in early detection.

Here are the key characteristics and artifacts to identify Eldorado ransomware and recognize its main Indicators of Compromise (IOCs):

  • File Extensions: Look for files ending in “.00000001”.
  • Ransom Note: Presence of “HOW_RETURN_YOUR_DATA.TXT” in user directories.
  • Network Traffic: Unusual SMB traffic patterns may indicate attempts to encrypt network shares.
  • Process Behavior: Monitor for processes associated with known Eldorado executables or unusual command-line arguments indicative of ransomware activity.

How Eldorado Ransomware Works

Understanding how Eldorado operates can help organizations defend against it more effectively.

1. Initial access

Eldorado typically gains initial access through methods such as phishing emails or exploiting vulnerabilities in exposed services. Once inside a network, it can move laterally using stolen credentials or unpatched vulnerabilities.

2. Command execution

Once executed, Eldorado creates mutexes to prevent multiple instances from running simultaneously. It accepts various command-line arguments that dictate its behavior during an attack.

It begins by decompressing its internal configuration and initializing global flags that guide its execution process. This includes setting up a logger channel to report execution updates back to an attacker-controlled server and aggregating system information that will be sent back through this channel.

3. File encryption

The ransomware scans specified directories or default system drives for files to encrypt. Before encryption, it attempts to lock files using Windows API calls to prevent access by other processes. 

Proven Data analysts discovered that Eldorado employs the ChaCha20 encryption algorithm to secure files. Each file generates a unique 32-byte key and a 12-byte nonce. These keys are then encrypted using RSA with Optimal Asymmetric Encryption Padding (OAEP). 

After encryption, files are appended with the “.00000001” extension.

The encrypted keys are then stored within each file. To evade detection, Eldorado is designed to delete itself after execution by overwriting its executable with random data.

After encryption is complete, a ransom note named  “HOW_RETURN_YOUR_DATA.TXT” is dropped in key user directories like Desktop and Documents.

4. Self-destruction mechanism

To eliminate traces of its presence after execution, Eldorado employs a PowerShell command that overwrites its executable with random data before deletion:

powershell

powershell.exe -c “$f=’C:\Users\Administrator.RECYCLERCORE\Desktop\encoder_win64.exe’;while(Test-Path -Path $f){$o=new-object byte[] 10485760;(new-object Random).NextBytes($o);[IO.File]::WriteAllBytes($f,$o);Remove-Item -Path $f;Sleep 1;}”

 5. Backup deletion

Eldorado also deletes all volume shadow copies using the following command:

powershell

vssadmin “delete shadows /all /quiet”

This action inhibits recovery efforts by removing potential backup sources.

How to prevent Eldorado ransomware attacks

Preventing cyber attacks is the only way to prevent your data from being stolen or encrypted. Not all of the following can prevent the Eldorado, but they can ensure data availability and business continuity and reduce downtime in case of ransomware attacks.

  • Implement Multi-Factor Authentication (MFA): This adds an extra layer of security against unauthorized access.
  • Regular Data Backups: Follow the 3-2-1 backup rule—three copies of data on two different media types with one off-site copy.
  • Endpoint Detection and Response (EDR): Utilize advanced EDR solutions that can detect anomalies indicative of ransomware activity in real-time.
  • Regular Security Patching: Ensure all systems are up-to-date with security patches to mitigate vulnerabilities that attackers could exploit.
  • Employee Training: Conduct regular training sessions on recognizing phishing attempts and other social engineering tactics cybercriminals use.
  • Incident Response Planning: Maintain an updated incident response plan that includes procedures for ransomware attacks specifically tailored to your organization’s needs.

What do you think?

Read more

Related Articles

Contact us

Leading experts on stand-by 24/7/365

If you suspect data loss or network breach, or are looking for ways to compile digital evidence through forensics and eDiscovery services – our team can help.

What we offer:

What happens next?

1

 Our expert advisor will contact you to schedule your free consultation.

2

You’ll receive a customized proposal or quote for approval.

3

Our specialized team immediately jumps into action, as time is critical.

Request a Free Consultation