Eldorado Ransomware (a2ad5253-e31b-432c-804d-971be8652344)
This object reflects the ATT&CK Techniques associated with binaries of Eldorado, a ransomware-as-a-service ("RaaS") first observed in March 2024.[Group-IB July 3 2024] A small number of Techniques associated with threat actors who deploy Eldorado can be found in the "Eldorado Ransomware Operators" Group object.
Eldorado is written in the cross-platform Golang language. A custom "builder" allows threat actors to create both Windows- and Linux-focused versions of the ransomware. Researchers indicate that the Linux version has a relatively simple set of capabilities, lacking the native discovery, defense evasion, or other post-exploitation capabilities common in much modern (Windows) ransomware. The operator must already have access to the target system(s) and must supply a target directory path, after which the ransomware recursively loops through the files within that path and encrypts them (T1486).[Group-IB July 3 2024]
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Eldorado Ransomware Operators (26e1c52e-0c48-4cd0-bdc5-9cf981a6e714) | Tidal Groups | Eldorado Ransomware (a2ad5253-e31b-432c-804d-971be8652344) | Tidal Software | 1 |