🚨 Releasing Samples of El Dorado Ransomware😈!
💡EL DORADO is a spin off of Lost Trust Ransomware 🧬
📌El Dorado is a new Ransomware Group that came up recently, marking its presence with the "claim" of 15 Victims, but no data has been leaked.
📌As in any other Ransomware Ecosystem: out of 15, 11 are from the US 🇺🇸, 2 from Italy 🇮🇹 and 1 each from Congo 🇨🇬 & Croatia 🇭🇷.
📌El Dorado is hosted on an Apache Server.
📌From their domain name, it is found that the group uses Vanity names: the "dataleak" keyword is present in their Onion Domain.
📌El Dorado's earliest infection can be traced to March 2024.
ANALYSIS
========
📌The file is sized at 5.42MB.
📌This infection campaign started on / was targeted for 12th May 2024.
📌Both of the samples are written in the Go language.
📌Presence of the Wine Emulator was found.
📌Uses Powershell.
📌Checks for Debug Environment.
📌Capable of: Long Sleep, Self Delete, Shadow Volume Deletion.
📌In both cases, kernel32.dll is imported.
📌Uses the RstrtMgr DLL, which is used during ransomware campaigns to kill processes that would prevent file encryption by holding locks on files (e.g. Conti, LockBit, Cactus etc.).
📌Uses the "systeminfo" command to retrieve system information.
📌GetTickCount: retrieves the number of milliseconds that have elapsed since the system was started.
📌Uses vssadmin.exe to remove all volume shadow copies in a single action.
📌how_return_your_data.txt: Ransom note filename.
💡The same identical Ransom Note was used by Lost Trust back in 2023.
📌Created processes are:
cmd.exe
chcp.com
systeminfo.exe
explorer.exe
NOTEPAD.EXE
📌Mutex Created:
SM0:2720:304:WilStaging_02
RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
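A small detection example, added here and not part of the original post, that turns the behaviours listed above (the cmd.exe → chcp.com / systeminfo.exe recon chain, vssadmin shadow-copy deletion, and the how_return_your_data.txt ransom note) into rules run over constructed Sysmon-style events. The event dictionaries, PIDs and the `detect` function are assumptions for illustration, not telemetry from the samples.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (not real telemetry): id 1 = process create,
# id 11 = file create. The first five mirror the behaviour described above; the
# last is a benign "vssadmin list shadows" query that must not raise an alert.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4101, "ppid": 3970, "image": "cmd.exe",
     "cmdline": "cmd.exe /c chcp.com 65001 && systeminfo.exe"},
    {"id": 1, "pid": 4102, "ppid": 4101, "image": "chcp.com", "cmdline": "chcp.com 65001"},
    {"id": 1, "pid": 4103, "ppid": 4101, "image": "systeminfo.exe", "cmdline": "systeminfo.exe"},
    {"id": 1, "pid": 4104, "ppid": 3970, "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 11, "pid": 3970, "target": r"C:\Users\alice\Documents\how_return_your_data.txt"},
    {"id": 1, "pid": 5001, "ppid": 800, "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
]

RANSOM_NOTE = "how_return_your_data.txt"          # filename from the analysis above
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)


def detect(events):
    """Return alerts as (rule, pid) tuples for the three behaviours."""
    alerts = []
    children = defaultdict(set)  # ppid -> lower-cased image names of its children
    for ev in events:
        if ev["id"] == 1:
            children[ev["ppid"]].add(ev["image"].lower())
            # Shadow-copy removal: only "delete shadows", not "list shadows"
            if SHADOW_DELETE.search(ev["cmdline"]):
                alerts.append(("shadow_copy_deletion", ev["pid"]))
        elif ev["id"] == 11 and ev["target"].lower().endswith(RANSOM_NOTE):
            alerts.append(("ransom_note_dropped", ev["pid"]))
    # Recon chain: a cmd.exe that spawned both chcp.com and systeminfo.exe
    for ev in events:
        if ev["id"] == 1 and ev["image"].lower() == "cmd.exe" \
                and {"chcp.com", "systeminfo.exe"} <= children[ev["pid"]]:
            alerts.append(("systeminfo_recon_chain", ev["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule} pid={pid}")
```

The benign `vssadmin list shadows` event is deliberately included so the shadow-copy rule fires only on deletion, the pattern a backup administrator never runs by accident.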
Lost Trust - Back Story 🧬
=================
📌LostTrust was initially spotted in June 2023, but became popular in September 2023.
📌The group had infected about 53 Victims in 2023.
📌Lost Trust itself is a spin off of SFile, MetaEncryptor etc.
📌Currently the domain of LostTrust is offline.
IOC: El Dorado Ransomware
====================
TOR Domain: dataleakypypu7uwblm5kttv726l3iripago6p336xjnbstkjwrlnlid.onion
MD5: 9d1fd92ea00c6eef88076dd55cad611e
SHA-1: a108c142dba8c9af5236ec64fe5a1ce04c54a3fb
SHA-256: 8badf1274da7c2bd1416e2ff8c384348fc42e7d1600bf826c9ad695fb5192c74
MD5: 315a9d36ed86894269e0126b649fb3d6
SHA-1: caaa1f85dd333c9d19767b5de527152d5acbc2a4
SHA-256: cb0b9e509a0f16eb864277cd76c4dcaa5016a356dd62c04dff8f8d96736174a7
IP: 173.44.141.152
Follow me on X/Twitter for more @RakeshKrish12