LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile ElDorado

ElDorado Ransomware: Group Profile and VMware ESXi Targeting Analysis

ElDorado is a Rust-based ransomware-as-a-service operation that emerged in March 2024 with cross-platform capabilities targeting both Windows and VMware ESXi environments. Active through 2026, the group has claimed victims across finance, healthcare, real estate, and manufacturing.

By Ransomware Tracker ·
ElDoradoransomwareRaaSRustVMwareESXicross-platformLinuxWindowsSMBChaCha2020242026
Threat Level
8/10
Sectors Targeted
finance
healthcare
real-estate
manufacturing
education
legal
Ransomware Family
ElDorado

Overview

ElDorado is a ransomware-as-a-service (RaaS) operation that emerged publicly in March 2024, advertising affiliate positions on underground forums and listing its first victims on a dedicated data leak site. Distinguished by a Rust-based encryptor with native support for both Windows and VMware ESXi (Linux) environments, ElDorado was assessed by Group-IB researchers as a purpose-built operation rather than a rebrand of an existing group.

As of mid-2026, ElDorado has accumulated approximately 70+ confirmed victims across North America, Europe, and Asia-Pacific, with a notable concentration in the United States. The group has not attracted the same media attention as LockBit, RansomHub, or Akira, but maintains consistent activity levels and represents a technically capable mid-tier RaaS operation.


Technical Profile

Encryptor Architecture

ElDorado’s encryptor is written in Rust — the same language choice as LockBit 3.0 and Cicada3301, selected for performance, cross-platform compilation, and relative resistance to static analysis compared to C/C++ binaries.

Encryption scheme:

  • Algorithm: ChaCha20 for file content encryption; RSA-OAEP for key protection
  • Key generation: Unique encryption key pair generated per victim; public key embedded in the binary, private key held by the operator
  • Intermittent encryption: Partial-file encryption mode for large files (configurable threshold), used to accelerate encryption speed while maintaining practical unrecoverability
  • File extension: Appends a randomised extension (reported variants: .00000001 format, victim-specific alphanumeric strings)

Windows encryptor:

  • Enumerates local drives and mapped network shares
  • Uses SMB (via Windows API) to encrypt accessible network shares without needing additional tooling
  • Terminates common backup processes: Volume Shadow Copies (VSS) deleted via vssadmin.exe delete shadows /all /quiet
  • Targets common Windows database and backup file extensions: .sql, .bak, .mdb

Linux/ESXi encryptor:

  • Compiled for x86_64 Linux, specifically targeting VMware ESXi environments
  • Enumerates running VMs via ESXi-specific paths (/vmfs/volumes/)
  • Uses esxcli equivalent commands to gracefully shut down VMs before encrypting VMDK files — consistent with other professional RaaS groups targeting virtualisation
  • Encrypts .vmdk, .vmx, .vmxf, .nvram, .vmsn and related ESXi file types
  • Uses NFS share enumeration via /proc/mounts to extend reach to networked storage

Propagation and Lateral Movement

ElDorado affiliates have used standard enterprise attack paths:

  • RDP brute force and credential stuffing against exposed remote access services
  • Exploitation of VPN appliances (consistent with broader ransomware ecosystem patterns)
  • SMB lateral movement using stolen credentials after initial access
  • Cobalt Strike and similar post-exploitation frameworks observed in pre-encryption dwell period

The network share enumeration capability built into the Windows encryptor means the encryption phase itself extends lateral reach — a feature that reduces the need for manual share mapping by affiliates.


Victim Profile

Based on leak site analysis and independent reporting through mid-2026:

SectorApproximate % of Victims
Finance / professional services25%
Healthcare18%
Manufacturing15%
Real estate12%
Education10%
Legal8%
Other12%

Geographic distribution: Predominantly US-based victims (approximately 60%), with significant representation from Italy, Germany, and Spain. No confirmed Australian or UK victims in publicly documented cases, though leak sites frequently undercount actual compromise.

Victim size: Mixed — ElDorado affiliates have targeted organisations across the revenue spectrum from mid-market (50-500 employees) to large enterprise. The ESXi capability makes the group a relevant threat to any organisation running VMware-based virtualisation.


Ransom Demands and Extortion Model

ElDorado operates a dual-extortion model: data exfiltration before encryption, followed by ransom demands that include both decryption and non-publication of stolen data.

Observed ransom range: $200,000–$3 million USD, varying with victim revenue. The group is assessed to have a functional negotiation process and demonstrated willingness to discount demands for rapid payment.

Data leak site: The group operates a dedicated .onion leak site with victim countdown timers standard in the ecosystem. Data is published in stages — initial teaser samples released immediately, full archive released after deadline expiry.

Payment: Bitcoin and Monero accepted. Monero is preferred in affiliate communications for its enhanced privacy properties.


Affiliate Model

ElDorado recruits affiliates through closed underground forums, requiring demonstrated technical competency (unlike some lower-tier operations). The affiliate split is reported at approximately 80/20 (affiliate/operator), competitive with mid-tier RaaS operations but below RansomHub’s 90/10 industry-high.

The operation provides affiliates with:

  • Windows and Linux encryptor binaries (configurable at affiliate level)
  • Leak site infrastructure and victim management portal
  • Negotiation support from the operator side for large ransom demands
  • Decryptor delivery upon payment confirmation

Detection Guidance

Pre-Encryption Indicators

ElDorado affiliates exhibit standard enterprise intrusion TTPs in the pre-encryption dwell period. Detection priorities:

1. ESXi-specific activity

Look for: unusual esxcli commands, unexpected VM power-off sequences, 
access to /vmfs/volumes/ from non-administrative hosts

Monitor for bulk VM shutdown events outside maintenance windows — ESXi-targeting ransomware consistently shuts VMs down before encrypting VMDK files.

2. VSS deletion (Windows)

Event: Process creation
CommandLine contains: "vssadmin delete shadows" OR "wmic shadowcopy delete"
ParentProcess: NOT expected backup/admin tooling

VSS deletion immediately preceding anomalous file system activity is a near-certain pre-encryption indicator.

3. SMB enumeration from unusual sources

Source: Workstation or application server (not domain controller or backup system)
SMB access to: unusual admin shares, DFS shares, or backup repositories
Volume: >100 share connections in short window

During Encryption

  • File extension anomalies: Bulk modification of file extensions not matching known application patterns
  • Entropy spike: High-entropy file writes across multiple directories simultaneously
  • Ransom note creation: HOW_TO_RECOVER.txt or variant filenames created across directory trees

Defensive Priorities

  1. Protect ESXi management interfaces — never expose ESXi management on publicly routable addresses. Restrict SSH and HTTPS management to jump server or bastion host.
  2. Immutable backups for VMDKs — backup solutions that create air-gapped or object-lock-protected copies of VMDK files are the primary recovery path if encryption occurs.
  3. Disable SMB v1 — ElDorado’s SMB enumeration works across all SMB versions, but eliminating legacy protocol support reduces lateral movement surface generally.
  4. Monitor for Rust-compiled binaries — ElDorado’s Rust binaries have distinct import patterns (no standard library imports, characteristic CRT linkage) that YARA rules can target. Check threat intelligence feeds for current YARA signatures.

Assessment

ElDorado occupies a credible mid-tier position in the RaaS ecosystem: technically capable (cross-platform, Rust-based, with a functional ESXi encryptor), commercially viable (functional affiliate model and negotiation process), and operationally active at consistent volume. The group is not among the most prolific in victim count but represents a genuine threat to organisations running VMware virtualisation — the ESXi capability means a successful intrusion can encrypt an entire virtualised infrastructure in a single encryption run.

Organisations should treat ElDorado as a plausible threat actor rather than a marginal group, particularly in the finance, healthcare, and manufacturing sectors where victim concentration is highest.

// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Underground Ransomware: Group Profile

Group Profile

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting