Eldorado: A New Ransomware Targeting ESXi VMs
Background
Researchers have noticed a consistent rise in ransomware attacks against VMware ESXi infrastructure and other virtualized systems in recent years. Virtualization platforms are an essential part of most organisations' IT infrastructure, and they are a profitable target for a few practical reasons: a single compromised hypervisor gives the attacker every virtual disk it stores at once, endpoint protection rarely runs on the hypervisor itself, and management interfaces are often reachable from the corporate network or even the internet and are not always patched promptly.
This is not the first time we have written about attacks on ESXi. In previous blogs we covered how the Linux variant of the Targetcompany ransomware attacks ESXi systems, and how to protect ESXi VMs from ransomware attacks.
Link to the previous blogs:
- https://www.hawk-eye.io/2024/06/the-linux-variant-of-targetcompany-ransomware-targets-esxi-environments/
- https://www.hawk-eye.io/2023/01/protecting-vmware-esxi-hypervisors-from-ransomware/
In this blog, we will discuss a new ransomware-as-a-service (RaaS) operation named Eldorado that has emerged, targeting VMware ESXi and Windows systems.
Technical Details
Eldorado ships two encryptors, one for Windows and one for Linux/ESXi. Unlike many recent families, it does not appear to be built from previously leaked builders or source code. For example, on September 21, 2022, the LockBit 3.0 builder was leaked, allowing multiple threat actors to generate their own variants and carry out several high-profile attacks using its strong encryption and evasion capabilities. Similarly, on September 1, 2021, the Babuk ransomware source code was published, and several groups derived their own strains from it to encrypt and exfiltrate data from targeted networks. Notable examples include the LIMPOPO ransomware group (also known as SOCOTRA, FORMOSA, or SEXi), BabLock malware, and Estate ransomware.
Eldorado is written in Go, which gives the operators Windows and Linux builds from one code base. Files are encrypted with ChaCha20, and the ChaCha20 keys are in turn encrypted with RSA-OAEP (RSA with Optimal Asymmetric Encryption Padding) under the operators' public key, so recovery depends on a private key that never leaves the attackers. It can also encrypt files on network shares over the Server Message Block (SMB) protocol. When a build is generated, the affiliate can set parameters such as the target network or company name, the ransom note text, and administrator credentials to use.
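To make the hybrid scheme concrete, the following is an added illustration written for this post against the Python `cryptography` package; it is not Eldorado's code. Each file gets a fresh 32-byte ChaCha20 key and 12-byte nonce, and only the key is wrapped with RSA-OAEP. The on-disk layout (wrapped key, then nonce, then ciphertext) is an assumption made for the example.

```python
"""Hybrid file encryption of the kind the post describes: a fresh ChaCha20 key
per file, wrapped with the operator's RSA public key using OAEP.

Added example for this post (not Eldorado's code). The blob layout
wrapped_key || nonce || ciphertext is an assumption for illustration only.
"""
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms

OAEP = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)
WRAPPED_LEN = 256   # size of one RSA-2048 OAEP ciphertext in bytes
NONCE_LEN = 12      # ChaCha20 nonce length
KEY_LEN = 32        # ChaCha20 key length


def chacha20(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Raw ChaCha20 keystream XOR; the same call encrypts and decrypts.

    `cryptography` expects a 16-byte value: a 4-byte little-endian block
    counter (starting at 0 here) followed by the 12-byte nonce.
    """
    full_nonce = (0).to_bytes(4, "little") + nonce
    enc = Cipher(algorithms.ChaCha20(key, full_nonce), mode=None).encryptor()
    return enc.update(data) + enc.finalize()


def encrypt_file_bytes(plaintext: bytes, operator_pub: rsa.RSAPublicKey) -> bytes:
    """What the encryptor on the victim does: it only needs the public key."""
    file_key = os.urandom(KEY_LEN)
    nonce = os.urandom(NONCE_LEN)
    wrapped = operator_pub.encrypt(file_key, OAEP)       # only the operator can unwrap
    return wrapped + nonce + chacha20(file_key, nonce, plaintext)


def decrypt_file_bytes(blob: bytes, operator_priv: rsa.RSAPrivateKey) -> bytes:
    """What the operator's decryptor does; the private key never touches the host."""
    wrapped = blob[:WRAPPED_LEN]
    nonce = blob[WRAPPED_LEN:WRAPPED_LEN + NONCE_LEN]
    ciphertext = blob[WRAPPED_LEN + NONCE_LEN:]
    file_key = operator_priv.decrypt(wrapped, OAEP)       # ValueError with the wrong key
    return chacha20(file_key, nonce, ciphertext)


def recovery_possible(blob: bytes, candidate_priv: rsa.RSAPrivateKey) -> bool:
    """True only if this private key unwraps the file key (OAEP rejects any other)."""
    try:
        candidate_priv.decrypt(blob[:WRAPPED_LEN], OAEP)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    operator = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    blob = encrypt_file_bytes(b"constructed sample document", operator.public_key())
    print("ciphertext bytes:", blob[WRAPPED_LEN + NONCE_LEN:].hex())
    print("recovered:", decrypt_file_bytes(blob, operator))
    print("other key works:", recovery_possible(blob, rsa.generate_private_key(65537, 2048)))
```

The point for responders is in `decrypt_file_bytes`: the per-file key exists in clear only inside the encryptor process while it runs, so memory acquisition of a still-running encryptor is the only realistic way to recover keys without the operators' private key.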
On Windows, Eldorado also deletes Volume Shadow Copies so that local restore points cannot be used to recover files, using the following command:
vssadmin delete shadows /all /quiet
To keep the host bootable and the ransom note readable, it skips system-critical files and folders, and by default it deletes its own binary after encryption to hinder detection and analysis. Affiliates can tune a build by specifying which folders to encrypt and which network shares to target, particularly on Windows hosts.
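The shadow-copy deletion above is one of the most reliable detection points for any ransomware, because it runs before encryption finishes. The following is an added detection example written for this post (not Eldorado's code or the original article's) that classifies process-creation command lines. The sample events are constructed to mimic Sysmon Event ID 1 / Security 4688 fields; the patterns beyond `vssadmin delete shadows` cover equivalent techniques used by other families, which goes beyond what the post describes.

```python
"""Flag process-creation events whose command line destroys Volume Shadow Copies.

Added example for this post (not Eldorado's code). SAMPLE_EVENTS below are
constructed to mimic Sysmon Event ID 1 / Windows Security 4688 fields.
"""
import re

# One entry per known command-line way of removing restore points. The post
# shows the vssadmin form; the others are equivalent techniques other
# ransomware families use, so a tool swap does not bypass the detection.
SHADOW_DELETE_PATTERNS = {
    "vssadmin delete shadows":
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b",
    "vssadmin resize shadowstorage":          # shrinking storage evicts old copies
        r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b.*\bmaxsize=",
    "wmic shadowcopy delete":
        r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
    "wbadmin delete catalog":
        r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup)\b",
    "Win32_ShadowCopy removal via PowerShell/WMI":
        r"\bwin32_shadowcopy\b.*(?:remove-(?:wmiobject|ciminstance)|\.delete\(\))",
}
_COMPILED = {name: re.compile(rx, re.IGNORECASE)
             for name, rx in SHADOW_DELETE_PATTERNS.items()}


def normalize(cmdline: str) -> str:
    """Collapse whitespace and drop quoting so `vssadmin.exe  "delete"` still matches."""
    return " ".join(cmdline.replace('"', "").replace("'", "").split()).lower()


def classify(cmdline: str):
    """Return the technique name the command line matches, or None if benign."""
    norm = normalize(cmdline)
    for name, rx in _COMPILED.items():
        if rx.search(norm):
            return name
    return None


def scan(records):
    """Return (technique, parent image, command line) for every matching record."""
    hits = []
    for rec in records:
        technique = classify(rec.get("CommandLine", ""))
        if technique:
            hits.append((technique, rec.get("ParentImage", "?"), rec["CommandLine"]))
    return hits


# Constructed sample events. The unsigned parent under C:\Users\Public is a
# typical staging location and is what makes the first hit worth escalating.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Users\Public\update.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\Public\update.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "Get-WmiObject Win32_ShadowCopy '
                    '| ForEach-Object { $_.Delete() }"'},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "vssadmin list shadows"},           # benign enumeration
]

if __name__ == "__main__":
    for technique, parent, cmd in scan(SAMPLE_EVENTS):
        print(f"[{technique}] parent={parent} cmd={cmd}")
```

Backup agents and administrators do occasionally run `vssadmin delete shadows` legitimately, so in production the hit should be scored together with the parent process, its signature status and whether the same host is showing a spike in file renames; deletion of all copies with `/all /quiet` from an unsigned parent is rarely benign.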
As of June 2024, 16 organisations across various countries and industries had been affected by Eldorado. Companies in the United States were hit 13 times (81.25% of the total), followed by two attacks in Italy (12.5%) and one in Croatia (6.25%).
Real estate is the most targeted industry, with three attacks, accounting for 18.75% of the total. Education, Professional Services, Health Care, and Manufacturing are all hit, with two attacks each (12.5%). Furthermore, Messaging and Telecommunications, Business Services, Administrative Services, Transportation, and Government and Military each received one attack (6.25%).
Ransom Note
To the board of directors.
Your network has been attacked through various vulnerabilities found in your system.
We have gained full access to the entire network infrastructure.
All your confidential information about all employees and all partners and developments
has been downloaded to our servers and is located with us.
+-+-+-+-+-+-+-+-+-+-+-+-+-+
Our team has an extensive background in legal and so called white hat hacking.
However, clients usually considered the found vulnerabilities to be minor and poorly
paid for our services.
So we decided to change our business model. Now you understand how important it is
to allocate a good budget for IT security.
This is serious business for us and we really don’t want to ruin your privacy,
reputation and a company.
We just want to get paid for our work whilst finding vulnerabilities in various networks.
Your files are currently encrypted with our tailor made state of the art algorithm.
Don’t try to terminate unknown processes, don’t shutdown the servers, do not unplug drives,
all this can lead to partial or complete data loss.
We have also managed to download a large amount of various, crucial data from your network.
A complete list of files and samples will be provided upon request.
We can decrypt a couple of files for free. The size of each file must be no more than 5 megabytes.
All your data will be successfully decrypted immediately after your payment.
You will also receive a detailed list of vulnerabilities used to gain access to your network.
+-+-+-+-+-+-+-+-+-+-+-+-+-+
If you refuse to cooperate with us, it will lead to the following consequences for your company:
- All data downloaded from your network will be published for free or even sold
- Your system will be re-attacked continuously, now that we know all your weak spots
- We will also attack your partners and suppliers using info obtained from your network
- It can lead to legal actions against you for data breaches
+-+-+-+-+-+-+-+-+-+-+-+-+-+
!!!!Instructions for contacting our team!!!!
+-+-+-+-+-+-+-+-+-+-+-+-+-+
—> Download and install TOR browser from this site : hxxps://torproject.org
—> For contact us via LIVE CHAT open our website : *********
—> If Tor is restricted in your area, use VPN
—> All your Data will be published in 7 Days if NO contact made
—> Your Decryption keys will be permanently destroyed in 3 Days if no contact made
—> Your Data will be published if you will hire third-party negotiators to contact us
Recommendations
- The most important defence against ransomware in VMware ESXi environments is a backup and disaster recovery plan that you have actually tested. How far you can roll virtual machines and hosts back depends on how often you back them up, and a backup that sits on the same datastore, or on a share the hypervisor or a domain admin account can write to, will be encrypted along with everything else. Keep at least one copy offline or on immutable storage, and rehearse full restores regularly so you know they work and how long they take.
- Keep ESXi hosts, vCenter and the guest VMs current with the vendor's security patches. Several ESXi ransomware campaigns have exploited flaws for which fixes were already available, so patch latency on the hypervisor matters as much as on the guests.
- Run endpoint protection inside the guests, but remember that it cannot see what happens on the hypervisor itself. Use firewalls to restrict traffic to and from the management network, never expose the ESXi or vCenter management interfaces to the internet, disable the ESXi Shell and SSH when they are not needed, and enable lockdown mode so that hosts can only be managed through vCenter.
- Apply the principle of least privilege to the virtualization layer as well as to the guests. Give users and service accounts only the access they need, use dedicated accounts with multi-factor authentication for vCenter and ESXi administration, and do not reuse domain administrator credentials there: a single compromised vCenter administrator credential is enough to power off and encrypt every VM at once.
- Network segmentation limits how far an attack can spread. Put the hypervisor management and vMotion networks on their own segments, separate from user and server networks, so that a compromised workstation cannot reach the ESXi management interface directly.
- Train your staff. Employees need to recognise phishing and credential theft, understand the consequences an intrusion can have for the virtualization platform, and know how to report something suspicious quickly.
- Finally, routine security audits help locate weaknesses in your ESXi hypervisors before an attacker does: review host configuration (enabled services, exposed ports, local accounts), vCenter roles and permissions, and host and vCenter logs for unexpected administrative activity. Identifying and fixing these issues early lowers the chance of a successful ransomware attack.
IOCs
1375e5d7f672bfd43ff7c3e4a145a96b75b66d8040a5c5f98838f6eb0ab9f27b
7f21d5c966f4fd1a042dad5051dfd9d4e7dfed58ca7b78596012f3f122ae66dd
cb0b9e509a0f16eb864277cd76c4dcaa5016a356dd62c04dff8f8d96736174a7
b2266ee3c678091874efc3877e1800a500d47582e9d35225c44ad379f12c70de
dc4092a476c29b855a9e5d7211f7272f04f7b4fca22c8ce4c5e4a01f22258c33
173.44.141[.]152