Illustrative photo (Photo: N. Loan)

Ransomware is a threat to many organizations and businesses in Vietnam and around the globe. In the first half of 2024, Vietnam witnessed ransomware attacks that caused losses and interrupted the online services of agencies, institutions and businesses in the securities, energy, telecommunications and logistics sectors.

VNCERT/CC, an arm of the Authority of Information Security (AIS), said Eldorado is a ransomware-as-a-service (RaaS) offering that first appeared in March, with variants for the VMware ESXi hypervisor and the Windows operating system.

Researchers at Group-IB monitored Eldorado operations and found that the group advertised the malicious service on the RAMP forum and sought out highly skilled individuals to take part in cyberattacks.

According to VNCERT/CC, Eldorado is written in the Go programming language and can encrypt both Windows and Linux systems through two separate but similar variants, giving it a broad operating scope.

Group-IB also noted that the malware uses the ChaCha20 algorithm to encrypt data. After encryption, files are given the “.00000001” extension, and ransom notes named “HOW_RETURN_YOUR_DATA.TXT” are placed in the Documents and Desktop folders.

Eldorado also encrypts network shares over the SMB protocol to maximize its impact, and deletes shadow copies on compromised Windows machines to prevent recovery. The malware is also configured to delete itself by default, to hinder detection and analysis.
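As an added defender-side example, not code from the article or from Group-IB or VNCERT/CC, the following Python script checks a constructed file listing and a constructed process log for the indicators reported above: the “.00000001” extension, the “HOW_RETURN_YOUR_DATA.TXT” ransom note, and shadow-copy deletion. The vssadmin and wmic command patterns are an assumption, since the article only states that shadow copies are deleted without naming the command.

```python
import re
from pathlib import PurePath

# Indicators reported in the article for Eldorado.
ENCRYPTED_EXT = ".00000001"
RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"

# Assumption: common Windows shadow-copy deletion command lines.
# The article does not name the exact command Eldorado uses.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]


def classify_path(path):
    """Return 'ransom_note', 'encrypted_file', or None for a file path."""
    p = PurePath(path.replace("\\", "/"))  # normalise Windows and UNC paths
    if p.name.upper() == RANSOM_NOTE:
        return "ransom_note"
    if p.suffix == ENCRYPTED_EXT:
        return "encrypted_file"
    return None


def scan_paths(paths):
    """Count indicator hits across a file listing (e.g. from a share crawl)."""
    counts = {"ransom_note": 0, "encrypted_file": 0}
    for path in paths:
        label = classify_path(path)
        if label:
            counts[label] += 1
    return counts


def scan_process_log(lines):
    """Return log lines whose command line matches a shadow-copy deletion."""
    return [ln for ln in lines if any(rx.search(ln) for rx in SHADOW_DELETE_PATTERNS)]


# Constructed sample inputs; not real telemetry.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\HOW_RETURN_YOUR_DATA.TXT",
    r"C:\Users\alice\Desktop\HOW_RETURN_YOUR_DATA.TXT",
    r"\\fileserver\finance\Q2-report.xlsx.00000001",
    r"C:\Users\alice\Documents\notes.txt",
]
SAMPLE_LOG = [
    '2024-07-01T02:13:07Z host=WS01 user=SYSTEM cmd="vssadmin.exe delete shadows /all /quiet"',
    '2024-07-01T02:13:09Z host=WS01 user=alice cmd="notepad.exe C:\\Users\\alice\\notes.txt"',
]

if __name__ == "__main__":
    print(scan_paths(SAMPLE_PATHS))        # {'ransom_note': 2, 'encrypted_file': 1}
    print(scan_process_log(SAMPLE_LOG))    # the vssadmin line only
```

In practice the same checks would be wired into EDR or file-integrity telemetry so that the first hit on a ransom note or a shadow-copy deletion raises an alert before encryption spreads across SMB shares.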

VNCERT/CC said the malware can encrypt files on both Windows and VMware ESXi systems, disrupting servers and workstations and cutting off access to important data and services, which in turn disrupts business operations.

On VMware ESXi, Eldorado can shut down and encrypt virtual machines, disrupting the entire virtual infrastructure.

Both VMware ESXi and Windows are widely used in Vietnam.

To secure their information systems, VNCERT/CC has recommended a set of actions for administrators to implement.

Information system administrators at agencies, organizations and businesses that use VMware ESXi and Windows should enable multi-factor authentication and access controls based on verified credentials, and deploy EDR (Endpoint Detection and Response) to quickly identify and respond to ransomware indicators. Regular data backups are also necessary to minimize data damage and loss.

Administrators have also been advised to use AI-based analytics and advanced malware detection technology to discover and respond to intrusions in real time.

Van Anh