According to the Vietnam Cyber Emergency Response Center (VNCERT/CC) under the Information Security Department (Ministry of Information and Communications), Eldorado is a new ransomware-as-a-service (RaaS) operation that emerged in March and comes with variants for the VMware ESXi virtualization platform and the Windows operating system.
Group-IB, which monitored Eldorado's activity, found that the operators of this ransomware group advertised their malicious service on the RAMP forum to recruit skilled members for cyberattack campaigns.

VNCERT/CC further stated that the Eldorado malware is written in the Go programming language and can encrypt both Windows and Linux systems through two distinct variants with largely similar operation.
Group-IB's research also indicates that the malware uses the ChaCha20 algorithm for encryption. After the encryption phase, files are given the extension “.00000001” and a ransom note named “HOW_RETURN_YOUR_DATA.TXT” is placed in the Documents and Desktop folders.
Eldorado also encrypts network shares over the SMB protocol to maximize its impact and deletes volume shadow copies on compromised Windows machines to prevent recovery. Furthermore, the malware is configured to self-delete by default, in order to evade detection and analysis by response teams.
Regarding the severity of Eldorado, VNCERT/CC stated that the malware can encrypt files on both Windows and VMware ESXi systems, disrupting the operation of servers and workstations; this can leave critical data and services inaccessible and disrupt business operations. “Targeting VMware ESXi, Eldorado can shut down and encrypt virtual machines, disrupting the operation of the entire virtualization infrastructure,” a VNCERT/CC representative added.
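A triage check for the two file-level indicators described above, the “.00000001” extension and the “HOW_RETURN_YOUR_DATA.TXT” note, that a responder could run over a user profile or a mounted share. This is an added example, not code from VNCERT/CC or Group-IB; the sample profile it builds is constructed test data.

```python
# Triage check for the two file-level Eldorado indicators in the article:
# files renamed with ".00000001" and the note "HOW_RETURN_YOUR_DATA.TXT".
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".00000001"
RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"

@dataclass
class TriageResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    total_files: int = 0

    @property
    def verdict(self) -> str:
        # Both indicators together match the described post-encryption state.
        if self.encrypted_files and self.ransom_notes:
            return "likely-eldorado"
        return "suspicious" if (self.encrypted_files or self.ransom_notes) else "clean"

def triage(root: str) -> TriageResult:
    """Walk a tree (user profile or mounted SMB share) and collect both
    indicators; matching is case-insensitive because Windows filesystems are."""
    res = TriageResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            res.total_files += 1
            if name.lower().endswith(ENCRYPTED_EXT):
                res.encrypted_files.append(os.path.join(dirpath, name))
            elif name.upper() == RANSOM_NOTE:
                res.ransom_notes.append(os.path.join(dirpath, name))
    return res

def build_sample_profile() -> str:
    """Constructed sample user profile (not real data) so the script runs offline."""
    root = tempfile.mkdtemp(prefix="eldorado-triage-")
    layout = {"Documents": ["report.docx.00000001", RANSOM_NOTE],
              "Desktop": ["notes.txt.00000001", "HOW_RETURN_YOUR_DATA.txt"],
              "Music": ["song.mp3"]}
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()
    return root

if __name__ == "__main__":
    r = triage(build_sample_profile())
    print(r.verdict, len(r.encrypted_files), "encrypted,", len(r.ransom_notes), "notes")
```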
In fact, VMware ESXi and Windows are both widely used in Vietnam. To secure organizations' information systems and contribute to the security of Vietnam's cyberspace, VNCERT/CC therefore recommends several steps that administrators should implement.
Specifically, administrators of information systems in agencies, organizations, and businesses that use VMware ESXi and Windows should implement multi-factor authentication and credential-based access control; use EDR security monitoring to quickly identify and respond to ransomware indicators; and back up data regularly to minimize damage and data loss.
In addition, administrators are advised to use AI-based analytics and advanced malware detection technologies to detect and respond to intrusions in real time, and to apply security patches regularly to fix system vulnerabilities.
Beyond raising awareness and training staff on how to identify and report cybersecurity threats, agencies, organizations, and businesses are also advised to conduct annual technical audits or security assessments.
Source: https://kinhtedothi.vn/canh-giac-voi-ma-doc-ma-hoa-du-lieu-moi.html