Overview
ElDorado is a ransomware-as-a-service (RaaS) operation that emerged publicly in March 2024, advertising affiliate positions on underground forums and listing its first victims on a dedicated data leak site. Distinguished by a Rust-based encryptor with native support for both Windows and VMware ESXi (Linux) environments, ElDorado was assessed by Group-IB researchers as a purpose-built operation rather than a rebrand of an existing group.
As of mid-2026, ElDorado has accumulated approximately 70+ confirmed victims across North America, Europe, and Asia-Pacific, with a notable concentration in the United States. The group has not attracted the same media attention as LockBit, RansomHub, or Akira, but maintains consistent activity levels and represents a technically capable mid-tier RaaS operation.
Technical Profile
Encryptor Architecture
ElDorado’s encryptor is written in Rust — the same language choice as LockBit 3.0 and Cicada3301, selected for performance, cross-platform compilation, and relative resistance to static analysis compared to C/C++ binaries.
Encryption scheme:
- Algorithm: ChaCha20 for file content encryption; RSA-OAEP for key protection
- Key generation: Unique encryption key pair generated per victim; public key embedded in the binary, private key held by the operator
- Intermittent encryption: Partial-file encryption mode for large files (configurable threshold), used to accelerate encryption speed while maintaining practical unrecoverability
- File extension: Appends a randomised extension (reported variants:
.00000001format, victim-specific alphanumeric strings)
Windows encryptor:
- Enumerates local drives and mapped network shares
- Uses SMB (via Windows API) to encrypt accessible network shares without needing additional tooling
- Terminates common backup processes: Volume Shadow Copies (VSS) deleted via
vssadmin.exe delete shadows /all /quiet - Targets common Windows database and backup file extensions:
.sql,.bak,.mdb
Linux/ESXi encryptor:
- Compiled for x86_64 Linux, specifically targeting VMware ESXi environments
- Enumerates running VMs via ESXi-specific paths (
/vmfs/volumes/) - Uses
esxcliequivalent commands to gracefully shut down VMs before encrypting VMDK files — consistent with other professional RaaS groups targeting virtualisation - Encrypts
.vmdk,.vmx,.vmxf,.nvram,.vmsnand related ESXi file types - Uses NFS share enumeration via
/proc/mountsto extend reach to networked storage
Propagation and Lateral Movement
ElDorado affiliates have used standard enterprise attack paths:
- RDP brute force and credential stuffing against exposed remote access services
- Exploitation of VPN appliances (consistent with broader ransomware ecosystem patterns)
- SMB lateral movement using stolen credentials after initial access
- Cobalt Strike and similar post-exploitation frameworks observed in pre-encryption dwell period
The network share enumeration capability built into the Windows encryptor means the encryption phase itself extends lateral reach — a feature that reduces the need for manual share mapping by affiliates.
Victim Profile
Based on leak site analysis and independent reporting through mid-2026:
| Sector | Approximate % of Victims |
|---|---|
| Finance / professional services | 25% |
| Healthcare | 18% |
| Manufacturing | 15% |
| Real estate | 12% |
| Education | 10% |
| Legal | 8% |
| Other | 12% |
Geographic distribution: Predominantly US-based victims (approximately 60%), with significant representation from Italy, Germany, and Spain. No confirmed Australian or UK victims in publicly documented cases, though leak sites frequently undercount actual compromise.
Victim size: Mixed — ElDorado affiliates have targeted organisations across the revenue spectrum from mid-market (50-500 employees) to large enterprise. The ESXi capability makes the group a relevant threat to any organisation running VMware-based virtualisation.
Ransom Demands and Extortion Model
ElDorado operates a dual-extortion model: data exfiltration before encryption, followed by ransom demands that include both decryption and non-publication of stolen data.
Observed ransom range: $200,000–$3 million USD, varying with victim revenue. The group is assessed to have a functional negotiation process and demonstrated willingness to discount demands for rapid payment.
Data leak site: The group operates a dedicated .onion leak site with victim countdown timers standard in the ecosystem. Data is published in stages — initial teaser samples released immediately, full archive released after deadline expiry.
Payment: Bitcoin and Monero accepted. Monero is preferred in affiliate communications for its enhanced privacy properties.
Affiliate Model
ElDorado recruits affiliates through closed underground forums, requiring demonstrated technical competency (unlike some lower-tier operations). The affiliate split is reported at approximately 80/20 (affiliate/operator), competitive with mid-tier RaaS operations but below RansomHub’s 90/10 industry-high.
The operation provides affiliates with:
- Windows and Linux encryptor binaries (configurable at affiliate level)
- Leak site infrastructure and victim management portal
- Negotiation support from the operator side for large ransom demands
- Decryptor delivery upon payment confirmation
Detection Guidance
Pre-Encryption Indicators
ElDorado affiliates exhibit standard enterprise intrusion TTPs in the pre-encryption dwell period. Detection priorities:
1. ESXi-specific activity
Look for: unusual esxcli commands, unexpected VM power-off sequences,
access to /vmfs/volumes/ from non-administrative hosts
Monitor for bulk VM shutdown events outside maintenance windows — ESXi-targeting ransomware consistently shuts VMs down before encrypting VMDK files.
2. VSS deletion (Windows)
Event: Process creation
CommandLine contains: "vssadmin delete shadows" OR "wmic shadowcopy delete"
ParentProcess: NOT expected backup/admin tooling
VSS deletion immediately preceding anomalous file system activity is a near-certain pre-encryption indicator.
3. SMB enumeration from unusual sources
Source: Workstation or application server (not domain controller or backup system)
SMB access to: unusual admin shares, DFS shares, or backup repositories
Volume: >100 share connections in short window
During Encryption
- File extension anomalies: Bulk modification of file extensions not matching known application patterns
- Entropy spike: High-entropy file writes across multiple directories simultaneously
- Ransom note creation:
HOW_TO_RECOVER.txtor variant filenames created across directory trees
Defensive Priorities
- Protect ESXi management interfaces — never expose ESXi management on publicly routable addresses. Restrict SSH and HTTPS management to jump server or bastion host.
- Immutable backups for VMDKs — backup solutions that create air-gapped or object-lock-protected copies of VMDK files are the primary recovery path if encryption occurs.
- Disable SMB v1 — ElDorado’s SMB enumeration works across all SMB versions, but eliminating legacy protocol support reduces lateral movement surface generally.
- Monitor for Rust-compiled binaries — ElDorado’s Rust binaries have distinct import patterns (no standard library imports, characteristic CRT linkage) that YARA rules can target. Check threat intelligence feeds for current YARA signatures.
Assessment
ElDorado occupies a credible mid-tier position in the RaaS ecosystem: technically capable (cross-platform, Rust-based, with a functional ESXi encryptor), commercially viable (functional affiliate model and negotiation process), and operationally active at consistent volume. The group is not among the most prolific in victim count but represents a genuine threat to organisations running VMware virtualisation — the ESXi capability means a successful intrusion can encrypt an entire virtualised infrastructure in a single encryption run.
Organisations should treat ElDorado as a plausible threat actor rather than a marginal group, particularly in the finance, healthcare, and manufacturing sectors where victim concentration is highest.