New ransomware appears attacking Windows operating system

This malware has appeared since March and has had 16 victims, mainly in the US, operating in the real estate, education, healthcare and manufacturing sectors.

Eldorado is a new and completely independent ransomware. It uses the Go language for cross-platform attacks. This malware encrypts files using the ChaCha20 algorithm and generates a unique 32-byte key and a 12-byte nonce for each locked file. The keys are then encrypted using RSA-OAEP.

After encryption, the file will be renamed ".00000001" and a ransom note named 'HOW_RETURN_YOUR_DATA.TXT' will be added to the Documents and Desktop folders.

In particular, Eldorado has the ability to customize to attack specific directories. This malicious code is even installed by default in self-delete mode to avoid being detected by users and analyzed by incident response teams.

To prevent ransomware in general and Eldorado in particular, experts recommend that users urgently deploy the following defensive measures:

1. Implement a multi-factor authentication (MFA) solution and credential-based access.
2. Back up data regularly to minimize damage and avoid data loss.
3. Regularly update security patches to fix vulnerabilities.
4. Detect and prevent intrusions quickly using AI-based analytics and advanced malware detection solutions.
5. Quickly identify and respond to ransomware indicators using Endpoint Detection and Response (EDR).
6. Train employees to recognize and report cybersecurity threats.
7. Conduct regular and periodic technical audits or security assessments.
8. Refuse to pay the ransom because data recovery is difficult and could lead to more attacks.

Lesley Montoya

Update 10 July 2024