According to the Vietnam Cyber Emergency Response Center (VNCERT/CC) under the Department of Information Security (Ministry of Information and Communications), Eldorado is a new ransomware-as-a-service (RaaS) offering that appeared in March and comes with variants for the VMware ESXi hypervisor and for the Windows operating system.
Group-IB has been monitoring Eldorado's activities and found that the operators of this ransomware group have been promoting the malicious service on the RAMP forum in search of skilled members to participate in cyberattack campaigns.
VNCERT/CC added that the Eldorado malware is written in the Go programming language and can encrypt both Windows and Linux systems through two separate variants that share most of their operational behaviour.
Group-IB’s research also found that the malware uses the ChaCha20 algorithm for encryption. After the encryption stage, files are appended with the extension “.00000001” and a ransom note named “HOW_RETURN_YOUR_DATA.TXT” is placed in the Documents and Desktop folders.
Eldorado also encrypts network shares over the SMB protocol to maximize its impact, and deletes volume shadow copies on compromised Windows machines to prevent recovery. Furthermore, the malware is configured to self-destruct by default, in an attempt to evade detection and analysis by response teams.
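The advisory gives two file-level indicators a responder can act on immediately: the ".00000001" extension appended to encrypted files and the ransom note "HOW_RETURN_YOUR_DATA.TXT" dropped in the Documents and Desktop folders. The following triage scanner is an added example, not code from VNCERT/CC, Group-IB or the article; it walks a directory tree, collects both indicators, and summarises the blast radius (affected top-level folders and the original file types that were encrypted). The sample profile it scans is constructed inline for the demonstration.

```python
"""Triage scanner for the Eldorado file-level indicators named in the advisory.

Added example, not from VNCERT/CC or Group-IB. It relies only on the two
indicators the advisory states: the ".00000001" extension appended to encrypted
files and the ransom note "HOW_RETURN_YOUR_DATA.TXT" in Documents/Desktop.
The sample tree in build_sample_tree() is constructed for the demo.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".00000001"                 # extension stated in the advisory
RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"    # ransom note name stated in the advisory
NOTE_FOLDERS = {"documents", "desktop"}     # folders where the note is reported to land


def scan_for_eldorado_indicators(root):
    """Walk `root` and return a triage summary of Eldorado indicators.

    Returns a dict with:
      encrypted_files:  paths ending in the Eldorado extension
      ransom_notes:     every ransom note found (matched case-insensitively)
      ransom_notes_in_expected_folders: how many sit in Documents/Desktop
      by_top_dir:       encrypted-file count per top-level directory under root
      original_exts:    what file types were encrypted (extension before the
                        appended ".00000001"), to scope the damage
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif name.upper() == RANSOM_NOTE:
                notes.append(path)

    by_top_dir = Counter()
    original_exts = Counter()
    for p in encrypted:
        rel = p.relative_to(root)
        top = rel.parts[0] if len(rel.parts) > 1 else "."
        by_top_dir[top] += 1
        # Strip the appended extension to recover the original file name.
        original = p.name[: -len(ENCRYPTED_EXT)]
        original_exts[Path(original).suffix.lower() or "(none)"] += 1

    notes_in_expected = [n for n in notes if n.parent.name.lower() in NOTE_FOLDERS]
    return {
        "encrypted_files": sorted(str(p) for p in encrypted),
        "ransom_notes": sorted(str(p) for p in notes),
        "ransom_notes_in_expected_folders": len(notes_in_expected),
        "by_top_dir": dict(by_top_dir),
        "original_exts": dict(original_exts),
    }


def build_sample_tree():
    """Create a constructed sample tree mimicking a partially encrypted user profile."""
    base = Path(tempfile.mkdtemp(prefix="eldorado_demo_"))
    for folder in ("Documents", "Desktop", "Downloads"):
        (base / folder).mkdir()
    files = {
        "Documents/report.docx.00000001": b"ciphertext",
        "Documents/budget.xlsx.00000001": b"ciphertext",
        "Documents/HOW_RETURN_YOUR_DATA.TXT": b"note",
        "Desktop/notes.txt.00000001": b"ciphertext",
        "Desktop/HOW_RETURN_YOUR_DATA.TXT": b"note",
        "Downloads/installer.exe": b"untouched",
        "Downloads/how_return_your_data.txt": b"note copied by a user",
    }
    for rel, content in files.items():
        (base / rel).write_bytes(content)
    return base


def demo():
    """Build the constructed sample tree, scan it and return the summary."""
    return scan_for_eldorado_indicators(build_sample_tree())


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a mounted image or a share's root rather than a live host where possible; the scan is read-only, and the per-folder and per-file-type counts are what you need to decide which backups to restore first.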
Regarding the level of danger posed by Eldorado, VNCERT/CC said the malware is capable of encrypting files on both Windows and VMware ESXi systems, disrupting the operation of servers and workstations; this can make important data and services inaccessible and disrupt business operations. "Targeting VMware ESXi, Eldorado can shut down and encrypt virtual machines, disrupting the operation of the entire virtualization infrastructure," a VNCERT/CC representative added.
The VMware ESXi hypervisor and the Windows operating system are both widely used in Vietnam. Therefore, to secure their organizations' information systems, and so contribute to the safety of Vietnam's cyberspace, VNCERT/CC recommends a number of steps that administrators should implement.
Specifically, administrators of information systems at agencies, organizations and enterprises that use VMware ESXi and Windows should deploy multi-factor authentication together with credential-based access controls; use EDR security monitoring to quickly identify and respond to indicators of ransomware; and back up data regularly to minimize damage and data loss.
Administrators are also advised to use AI-based analysis and advanced malware detection technology to detect and respond to intrusions in real time, and to apply security patches regularly to close system vulnerabilities.
In addition to raising awareness and training staff on how to recognize and report cybersecurity threats, agencies, organizations and businesses are recommended to conduct annual technical audits or security assessments.
Source: https://kinhtedothi.vn/canh-giac-voi-ma-doc-ma-hoa-du-lieu-moi.html