Eldorado uses the Golang programming language to enable cross-platform coding, attacking both Windows and Linux. This virus first appeared on March 16. In just 6 months, 16 companies in many different fields were attacked by Eldorado.

Eldorado uses a combination of two algorithms Chacha20 + RSA to encrypt files. This combination ensures fast encryption speed and the file cannot be decrypted after being encrypted. More seriously, this malicious code can encrypt all shared files (share folders) on the network. That means that anyone who shares files with the victim, that person's files can be encrypted by the virus.

The encoder for Eldorado comes in four formats, including: esxi, esxi_64, win and win_64. To completely erase traces, the virus runs a powershell command to overwrite random data on the virus, before deleting itself.

Eldorado is the latest data encryption virus in the group of ransomware that has emerged recently, but the way it works is not the same as previously discovered malware lines such as LockBit or Babuk. Experts recommend:

- Install and use professional, copyrighted anti-virus software to early detect and automatically prevent ransomware from entering the system.

- You should regularly back up important data and store it somewhere else such as USB/External Hard Drive, Cloud Storage (Google Drive, One Drive, iCloud...) instead of on the computer itself.

- Install operating system and software security updates regularly to patch security vulnerabilities that can be exploited by attackers.

- Raise awareness of ransomware threats and how to recognize malicious emails, attachments and links.

- Create a specific plan to handle ransomware attacks, including steps to recover data, minimize damage, and prosecute attackers.

Bkav