Eldorado ransomware-as-a-service gang targets Linux, Windows systems

A ransomware-as-a-service operation dubbed “Eldorado” that encrypts files on both Linux and Windows machines has infected at least 16 organizations – primarily in the US – as of June. Singaporean security shop Group-IB first spotted the criminal gang in March 2024, when it spotted it advertising an affiliate program and …

  1. Snake Silver badge

    No method of infection actually mentioned in the article. Email phishing? Network vulnerability probing? Zero day leveraging?

    Inquiring minds need to know.

  2. Pascal Monett Silver badge

    "encrypts files on both Linux and Windows machines"

    Wait a minute. I accept that the scumware can encrypt files on Linux, but won't that be limited to the files of the user?

    Unless </headsmack> they've found a privilege escalation hack, of course. But will said privilege escalation hack function on all distros? I'm guessing not.

    Could some Linux aficionados enlighten me on this? Linux has actual security. How is this possible?

    1. bombastic bob Silver badge
      FAIL

      Re: "encrypts files on both Linux and Windows machines"

      /me guesses - well known user name, default password, allows ssh login as root, and by default has 'sudo' with no password and can run any privileged application...

      This would point to a default setup problem. Like RPi OS maybe?

      (sad but true)
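The guesses above (root login over SSH, a well-known account with a default password, passwordless sudo) are all things a config file will confess to. The following is an added example, not from the article, Group-IB or any commenter: it audits an sshd_config and a sudoers file for exactly those defaults. Both sample configs are constructed for illustration (the `pi` and `backup` accounts are hypothetical). One detail practitioners get wrong is reproduced on purpose: sshd uses the first value it reads for a keyword, so a hardening line appended below an earlier `PermitRootLogin yes` is silently ignored.

```python
import re

# Constructed sample inputs (hypothetical; not taken from any real distro image).
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
"""

HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
pi      ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

HARDENED_SUDOERS = "root ALL=(ALL:ALL) ALL\n%sudo ALL=(ALL:ALL) ALL\n"


def parse_sshd_global(text):
    """Keyword -> value for the global section (everything before the first
    Match block).  sshd honours the FIRST value it reads for a keyword, so a
    'PermitRootLogin no' appended below an earlier 'PermitRootLogin yes'
    changes nothing; this parser keeps the same rule."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # conditional block: not a global setting
        settings.setdefault(key, value)  # first occurrence wins
    return settings


SUDO_RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?P<spec>.+)$")


def sudoers_nopasswd(text):
    """Return (user_or_group, severity, commands) for every NOPASSWD rule."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if not m or "NOPASSWD:" not in m.group("spec"):
            continue
        cmds = m.group("spec").split("NOPASSWD:", 1)[1].strip()
        # passwordless sudo to ALL means any shell as that account is root
        severity = "critical" if re.search(r"\bALL\b", cmds) else "review"
        findings.append((m.group("who"), severity, cmds))
    return findings


def audit(sshd_text, sudoers_text):
    """Return a list of (severity, message) findings; an empty list is clean."""
    findings = []
    ssh = parse_sshd_global(sshd_text)
    # OpenSSH >= 7.0 defaults PermitRootLogin to prohibit-password
    root_login = ssh.get("permitrootlogin", "prohibit-password").lower()
    if root_login == "yes":
        findings.append(("critical", "sshd: PermitRootLogin yes (root can log in with a password)"))
    elif root_login != "no":
        findings.append(("info", f"sshd: PermitRootLogin {root_login} (root key login still allowed)"))
    # PasswordAuthentication defaults to yes, so its absence is also a finding
    if ssh.get("passwordauthentication", "yes").lower() == "yes":
        findings.append(("high", "sshd: PasswordAuthentication enabled (a default password is enough)"))
    for who, severity, cmds in sudoers_nopasswd(sudoers_text):
        findings.append((severity, f"sudoers: {who} runs without a password: {cmds}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_SSHD_CONFIG, SAMPLE_SUDOERS):
        print(f"[{severity}] {message}")
```

On a real box, feed it the contents of `/etc/ssh/sshd_config` and the output of `visudo -c -f /etc/sudoers` plus everything under `/etc/sudoers.d/`; the parser deliberately ignores Match blocks and `Include` directives, so a finding it reports is real but a clean result is not proof of a clean host.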

      1. This post has been deleted by its author

      2. that one in the corner Silver badge

        Re: "encrypts files on both Linux and Windows machines"

        > This would point to a default setup problem. Like RPi OS maybe? (sad but true)

        Really, really hoping anyone who is exposing a R'Pi has at least changed the default login setup.

        Otherwise - is this the sort of thing they call "a teachable moment" at BOFH school?

      3. zimzam

        Re: "encrypts files on both Linux and Windows machines"

        I find it weird that from day one we've been told to not use administrator accounts as regular users, yet no operating system actually tells you to make a standard account during installation.

        1. CAPS LOCK

          Re: "encrypts files on both Linux and Windows machines"

          >no operating system actually tells you to make a standard account during installation

          FreeBSD

          1. Alan Brown Silver badge

            Re: "encrypts files on both Linux and Windows machines"

            Most linux distros too

        2. Claptrap314 Silver badge

          Re: "encrypts files on both Linux and Windows machines"

          Let's see... That would be Windows (consumer OS) for at least five years. Ubuntu for longer. Devuan. Mint. That's 100% of my sample set.

          I'm trying to remember if my router setup did. I know getting it off 192.168.0.0/24 was a major pain, though...

    2. may_i Silver badge

      Re: "encrypts files on both Linux and Windows machines"

      The clue is in the fact that some access broker will have needed to establish a domain administrator's hash or password. You can make Linux servers part of a Windows AD domain. Once they are members of the domain, administrator access is going to give the ransomware all the access it needs to encrypt every file.

      1. UCAP Silver badge

        Re: "encrypts files on both Linux and Windows machines"

        Access will be limited to the files accessible on the shares, and only those that the user (who is effectively running the malware) has read-write access to. A half-way competent BOFH will have the shares locked down to minimise access. Of course an incompetent/lazy BOFH will have the shares wide open to everyone ...

        1. Anonymous Coward
          Anonymous Coward

          Re: "encrypts files on both Linux and Windows machines"

          An incompetent/lazy BOFH will be running Windows. Game over.

    3. Anonymous Coward
      Anonymous Coward

      Re: "encrypts files on both Linux and Windows machines"

      Isn't the whole point to encrypt the user files. They are the ones that can't be easily replaced. You can download a new copy of the OS, so there's no point encrypting system files.

      1. Anonymous Coward
        Anonymous Coward

        Re: "encrypts files on both Linux and Windows machines"

        You want to encrypt as many different users' files as possible - preferably including the login under which the database server is running. And the separate login for email server, the one for the other important server...

        You *ought* to be able to recover (most of) the data from a random human user's files: source code back to the last commit, Word docs back to last snapshot of the home directory.

  3. Anonymous Coward
    Linux

    How does this malware gain a foothold on ones Linux computer?

    How does this malicious code execute itself on Linux systems without user action?

    All about Eldorado Ransomware: “The ransomware builder asked for the domain administrator’s password .. There are Eldorado versions for Windows .. and Linux .. For Linux, the encryptor is simple and supports only the -path argument. It will only recursively walk through files in the specified directory.”
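If the Linux encryptor really does nothing more than walk the tree under -path, its reach is bounded by what the invoking account can write, which is the question asked earlier in the thread. The following is an added example, not Eldorado code and not from Group-IB or the article: it walks a directory the same way and classifies each regular file by whether a given uid/gid set could overwrite it in place or replace it through the parent directory (the write-a-copy-then-unlink pattern), using only the owner/group/other bits and the sticky bit. POSIX ACLs, `chattr +i`, SELinux/AppArmor and quotas are not modelled. The fixture tree and the uid 123456 are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile

_BITS = {
    "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def has_perm(st, uid, gids, perm):
    """Classic DAC check for one inode.  Unix picks exactly one class
    (owner, else group, else other) and uses only that class's bits.
    uid 0 carries CAP_DAC_OVERRIDE, so root is never refused here: that is
    why the same encryptor run as root reaches every file on the box."""
    if uid == 0:
        return True
    usr, grp, oth = _BITS[perm]
    if st.st_uid == uid:
        return bool(st.st_mode & usr)
    if st.st_gid in gids:
        return bool(st.st_mode & grp)
    return bool(st.st_mode & oth)


def blast_radius(root, uid, gids):
    """Walk `root` the way a '-path' style encryptor would (no symlink
    following) and sort every regular file into:
      overwrite: identity may open the file itself for writing
      replace:   identity may write+search the parent directory, so it can
                 drop an encrypted copy and unlink the original even when
                 the file is read-only (sticky bit respected)
    Returns (overwrite_set, replace_set, total_regular_files)."""
    gids = set(gids)
    overwrite, replace, total = set(), set(), 0
    for dirpath, _dirnames, filenames in os.walk(root):
        dst = os.lstat(dirpath)
        dir_writable = has_perm(dst, uid, gids, "w") and has_perm(dst, uid, gids, "x")
        sticky = bool(dst.st_mode & stat.S_ISVTX)
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, etc. are skipped, not followed
            total += 1
            if has_perm(st, uid, gids, "w"):
                overwrite.add(path)
            # sticky dir: only root, the file owner or the dir owner may unlink
            if dir_writable and not (sticky and uid not in (0, st.st_uid, dst.st_uid)):
                replace.add(path)
    return overwrite, replace, total


def build_sample_tree(base):
    """Constructed fixture (not real data): files and directories with mixed
    permission bits, all owned by the running user."""
    files = {"a.txt": 0o600, "b.txt": 0o644, "c.txt": 0o666,
             "sub/d.txt": 0o644, "ro/e.txt": 0o666,
             "open/f.txt": 0o644, "sticky/g.txt": 0o644}
    dirs = {"sub": 0o755, "ro": 0o555, "open": 0o777, "sticky": 0o1777}
    for rel, mode in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    for rel, mode in dirs.items():  # directory modes last, after the writes
        os.chmod(os.path.join(base, rel), mode)
    os.chmod(base, 0o700)


def demo(uid, gids):
    """Build the fixture in a fresh temp dir, measure the blast radius for
    (uid, gids), clean up, and return (n_overwrite, n_replace, n_files)."""
    base = tempfile.mkdtemp()
    try:
        build_sample_tree(base)
        overwrite, replace, total = blast_radius(base, uid, gids)
        return len(overwrite), len(replace), total
    finally:
        for dirpath, _d, _f in os.walk(base):
            os.chmod(dirpath, 0o700)  # undo the 0o555 dir so cleanup can unlink
        shutil.rmtree(base)


if __name__ == "__main__":
    print("stranger uid 123456:", demo(123456, set()))  # hypothetical unprivileged uid
    print("root:               ", demo(0, set()))
    print("current user:       ", demo(os.getuid(), {os.getgid()}))
```

Against a real server, point `blast_radius` at the data directory and pass the uid and supplementary gids of the service or human account you assume compromised (from `getent passwd` and `id -G`); the gap between the "overwrite" and "replace" sets is usually the world-writable or group-writable directories that a share or drop-box setup left behind.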

    1. Doctor Syntax Silver badge

      Re: How does this malware gain a foothold on ones Linux computer?

      It's a bit vague. Presumably it relies on a leaked UserID/password combination. Maybe the malware author has limited Unix/Linux knowledge.

      1. Anonymous Coward
        Linux

        Re: How does this malware gain a foothold on ones Linux computer?

        > It's a bit vague. ..

        Apparently, Eldorado requires a default local user account and achieves root by exploiting a bug (CVE-2021-4034) in the polkit pkexec binary. Already patched.

    2. Anonymous Coward
      Anonymous Coward

      Re: How does this malware gain a foothold on ones Linux computer?

      So basically it uses the fact that you control access to a reasonably secure platform from a system that, well, isn't.

      Quelle surprise..

  4. Nameless Dread

    Re: How does this malware gain a foothold on ones Linux computer?

    Please excuse the ignorance - Does a router, e.g. a domestic / BT router, offer any protection against such intrusions?

    Email phishing, Network vulnerability probing, Zero day leveraging were mentioned above.

    1. Anonymous Coward
      Boffin

      Re: How does this malware gain a foothold on ones Linux computer?

      > Does a router, e.g. a domestic / BT router, offer any protection against such intrusions?

      By default your ISP has remote access to your router. Remove the default image and install your own. That way a generic hack shouldn't work on your modem.

      1. CAPS LOCK

        Re: How does this malware gain a foothold on ones Linux computer?

        > Remove the default image and install your own.

        OpenWRT on my BT Home Hub 5A

      2. Anonymous Coward
        Anonymous Coward

        Re: How does this malware gain a foothold on ones Linux computer?

        Or have the ISP's modem (which has router capabilities) connected to a router you bought yourself.

        My old ISP (CenturyLink):

        1. Had a port on the modem that allowed them full access for reconfiguring

        2. Did not tell their tech support this (Tier 1 or 2)

        3. Left the port accessible to the internet at large, instead of dropping attempts to connect to it at the ISP edge
