What to do if you're hit by ransomware?

Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:

1. Do NOT fix it yourself
2. Disconnect affected systems
3. Call us +1 332 331 8700

Contact us now for urgent ransomware response assistance, 24/7


Experts. Finalists. Winners.

Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.

Momentum Leader in MDR

Best Support in MDR & IR

Managed Detection and Response (MDR)

Top Cybersecurity Company 
2025

Best Managed Detection and Response Service

#4 of 184 teams Splunk Boss of the SOC

Best Of Cybersecurity Awards for Q1 2025

AWS Partner

Splunk Manage Premier Partner


Why you shouldn't attempt to fix it alone

Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.

Taking the right steps in the first moments after an Eldorado attack can make a huge difference and help you make a full recovery. Request 24/7 Eldorado ransomware recovery services to restore your data and maximize your chances of resuming operations.

Contact us now for urgent ransomware recovery assistance


Eldorado ransomware statistics & facts

Eldorado Decryptor

No public decryptor exists for Eldorado ransomware. Its hybrid scheme (ChaCha20 for file contents, with the file keys protected by RSA-4096) leaves no practical cryptographic shortcut: without the operator's private key there is nothing to brute-force. Recovery therefore depends on offline backups, on snapshots that were not stored on the encrypted datastore, or on paying the ransom, which guarantees neither a working key nor that stolen data stays private.

Eldorado IOCs

Search encrypted systems and datastores for files carrying the .00000001 extension and for ransom notes named HOW_RETURN_YOUR_DATA.TXT in the ESXi root directory or inside virtual machine directories. Monitor ESXi logs for unusual process execution, such as custom Golang binaries and unexpected SSH or ESXi Shell sessions.

File Extensions
.00000001, .encrypt, .eldorado (variant-dependent; operator-customizable)

Ransom Note Filenames
HOW_RETURN_YOUR_DATA.TXT, HOW_TO_RETURN_FILES.TXT (customizable by affiliate)

Eldorado Hashes
SHA256 hashes vary significantly because the binary is compiled per victim, so hash-based blocking is unreliable. Go runtime markers found by static analysis help with triage, but detection needs to be behavioral: mass renames and writes across datastore files, ransom notes appearing in VM directories, and unexpected binaries launched from an SSH or ESXi Shell session.

Eldorado Tools
Reconnaissance: Network scanning, ESXi configuration assessment via legitimate vSphere API calls
Exploitation: Typically gains access via compromised credentials, RDP, or VPN rather than by exploiting specific CVEs
Encryption: Golang-compiled binary with customized ChaCha20 key derivation
Persistence: Scheduled tasks on Windows; cron jobs or systemd timers on Linux/ESXi
Data Exfiltration: Limited data theft compared to encryption focus; some variants include rclone for cloud exfiltration

Most Common Red Flag
Simultaneous encryption of multiple virtual machines with .00000001 extensions across a single ESXi host, combined with appearance of HOW_RETURN_YOUR_DATA.TXT in /root or virtual machine directories. Often preceded by credential compromise or RDP access from unusual IP addresses.
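The IOC list and the red flag above can be turned into a first-pass triage script. The following is an added example, not code from the page's authors: it walks a datastore mount for the file extensions and ransom-note names listed above, flags the multi-VM pattern, and reviews ESXi auth.log for SSH logins from addresses outside a management allowlist. The allowlist, the sample VM folders and the log lines are constructed for the demonstration; the log format is that of standard OpenSSH "Accepted" lines, which ESXi writes to /var/log/auth.log.

```python
"""Eldorado-style IOC sweep over a datastore tree plus ESXi auth.log review.

Added example (not the page's or the vendor's code). IOC names come from
the page; the allowlist, sample tree and log lines below are constructed.
"""
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime

# IOCs from the page (variant-dependent, affiliate-customizable).
IOC_EXTENSIONS = {".00000001", ".encrypt", ".eldorado"}
RANSOM_NOTES = {"HOW_RETURN_YOUR_DATA.TXT", "HOW_TO_RETURN_FILES.TXT"}

# Assumption: only these jump hosts may SSH to ESXi management interfaces.
MGMT_ALLOWLIST = {"10.10.0.5"}

# OpenSSH "Accepted" line as written to ESXi /var/log/auth.log.
SSH_ACCEPTED = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for "
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: one legitimate login, two from an unknown address.
SAMPLE_AUTH_LOG = [
    "2024-05-03T08:12:41Z esx01 sshd[2041]: Accepted keyboard-interactive/pam for root from 10.10.0.5 port 51022 ssh2",
    "2024-05-06T02:47:10Z esx01 sshd[3390]: Accepted keyboard-interactive/pam for root from 203.0.113.5 port 40211 ssh2",
    "2024-05-06T02:50:03Z esx01 sshd[3392]: Failed password for root from 198.51.100.7 port 40300 ssh2",
    "2024-05-11T01:05:55Z esx01 sshd[4410]: Accepted keyboard-interactive/pam for root from 203.0.113.5 port 40555 ssh2",
]


def sweep_datastore(root):
    """Group IOC hits (encrypted files, ransom notes) by VM directory."""
    hits = defaultdict(lambda: {"encrypted": [], "notes": []})
    for dirpath, _, files in os.walk(root):
        vm_dir = os.path.relpath(dirpath, root)
        vm_dir = "<datastore root>" if vm_dir == "." else vm_dir
        for name in files:
            if name in RANSOM_NOTES:
                hits[vm_dir]["notes"].append(name)
            elif os.path.splitext(name)[1].lower() in IOC_EXTENSIONS:
                hits[vm_dir]["encrypted"].append(name)
    return dict(hits)


def review_auth_log(lines, allowlist=MGMT_ALLOWLIST):
    """Return (timestamp, user, ip) for successful SSH logins from non-allowlisted IPs, oldest first."""
    found = []
    for line in lines:
        m = SSH_ACCEPTED.match(line)
        if m and m["ip"] not in allowlist:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            found.append((ts, m["user"], m["ip"]))
    return sorted(found)


def triage(root, auth_lines):
    """Combine both checks into the red-flag pattern described on the page."""
    hits = sweep_datastore(root)
    encrypted_vms = [d for d, h in hits.items() if h["encrypted"]]
    note_dirs = [d for d, h in hits.items() if h["notes"]]
    logins = review_auth_log(auth_lines)
    return {
        "encrypted_vms": encrypted_vms,
        "note_dirs": note_dirs,
        # Multiple VMs encrypted on one host plus a ransom note present.
        "red_flag": len(encrypted_vms) >= 2 and bool(note_dirs),
        "first_unusual_login": logins[0] if logins else None,
    }


def build_sample_datastore():
    """Create a constructed datastore layout: two hit VMs, one clean VM."""
    root = tempfile.mkdtemp(prefix="datastore1-")
    layout = {
        "vm-db01": ["db01-flat.vmdk.00000001", "db01.vmx.00000001", "HOW_RETURN_YOUR_DATA.TXT"],
        "vm-web01": ["web01-flat.vmdk.00000001", "web01.vmx"],
        "vm-clean": ["clean-flat.vmdk", "clean.vmx"],
    }
    for vm, files in layout.items():
        os.makedirs(os.path.join(root, vm))
        for name in files:
            with open(os.path.join(root, vm, name), "w") as fh:
                fh.write("sample\n")
    return root


if __name__ == "__main__":
    result = triage(build_sample_datastore(), SAMPLE_AUTH_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a real host the sweep would be pointed at /vmfs/volumes/<datastore> and the log review at /var/log/auth.log; the first non-allowlisted login is the earliest evidence of intrusion and should be recorded because it, not the encryption time, bounds the restore points that can be trusted.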

Eldorado Attack Vectors

Attack vector | % of Eldorado incidents | Notes
Compromised Credentials (RDP/SSH) | 50% | Credentials obtained from breach databases or phishing
Unpatched VPN/RDP Appliances | 25% | Exploitation of known vulnerabilities in remote access appliances
Phishing with Credential Stealer | 15% | Malware attachments delivering credential dumpers
Supply Chain/IAB Access | 10% | Initial Access Brokers selling compromised credentials
Case Outcomes

A healthcare organization with 500+ virtual machines lost all clinical systems simultaneously when Eldorado encrypted the ESXi host. Recovery from backup took 6 weeks and involved data loss on recently modified files. An education institution paid $250K ransom; keys were provided but only recovered 70% of files before shutdown. One real estate firm refused payment; gang threatened to release property transaction data, escalating to regulatory fines.

How to Remove Eldorado Ransomware

Isolate all affected ESXi hosts from the network immediately. Because the encryptor runs on the hypervisor itself, powering off guests does not stop it; kill the encryptor process on the host or power the host down if encryption is still in progress. Restore from verified offline backups or from snapshots that predate the infection and were not stored on the encrypted datastore. Assume all credentials are compromised; reset vSphere administrator passwords and enforce certificate-based authentication. Patch any unpatched RDP or VPN appliances before bringing infrastructure back online.

How to Recover from Eldorado Ransomware

Recovery depends on the availability of offline backup datastores or of ESXi snapshots held somewhere other than the encrypted datastore (a snapshot stored alongside the VM it protects is encrypted with it). Restore virtual machines from verified clean copies, testing each VM for functionality before returning it to production. Reset all vSphere and hypervisor credentials. Implement network segmentation to isolate hypervisor management interfaces from the general network. Enable persistent logging on ESXi so that future compromise attempts can be detected.
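Choosing which copy to restore from is where the removal and recovery steps above most often go wrong: a snapshot on the encrypted datastore is useless, and a backup taken during the 5-10 day dwell window may already carry the attacker's credentials and persistence. The following added example (not code from the page's authors) encodes that selection rule: it rejects on-datastore snapshots, untested copies and anything taken after encryption began, prefers the newest copy that predates the first evidence of intrusion, and keeps the newest copy from inside the dwell window only as a labelled fallback. The restore points, timestamps and location labels are constructed for the demonstration.

```python
"""Restore-point selection for an ESXi ransomware recovery.

Added example (not the page's or the vendor's code). The restore points,
their locations and the incident timestamps below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class RestorePoint:
    name: str
    taken: datetime
    location: str   # "offline", "immutable", or "same-datastore-snapshot"
    verified: bool  # a test restore of this copy has succeeded


# Copies that survive encryption of the production datastore.
OFF_DATASTORE = {"offline", "immutable"}


def ts(text):
    """Parse a constructed UTC timestamp such as 2024-05-05T23:00Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def select_restore_point(points, first_evidence, encryption_time):
    """Return (chosen, fallback, rejected).

    chosen   - newest verified off-datastore copy taken before first_evidence
    fallback - newest verified off-datastore copy taken inside the dwell window
               (between first_evidence and encryption_time); may carry persistence
    rejected - name -> reason for every copy that must not be used
    """
    rejected = {}
    clean, tainted = [], []
    for p in points:
        if p.location not in OFF_DATASTORE:
            rejected[p.name] = "stored on the encrypted datastore"
        elif p.taken >= encryption_time:
            rejected[p.name] = "taken after encryption began"
        elif not p.verified:
            rejected[p.name] = "never restore-tested"
        elif p.taken >= first_evidence:
            tainted.append(p)
        else:
            clean.append(p)
    chosen = max(clean, key=lambda p: p.taken, default=None)
    fallback = max(tainted, key=lambda p: p.taken, default=None)
    return chosen, fallback, rejected


# Constructed incident timeline: first unusual SSH login, then encryption five days later.
FIRST_EVIDENCE = ts("2024-05-06T02:47Z")
ENCRYPTION_TIME = ts("2024-05-11T01:30Z")

# Constructed inventory of restore points for one VM.
SAMPLE_POINTS = [
    RestorePoint("weekly-offline-0428", ts("2024-04-28T23:00Z"), "offline", True),
    RestorePoint("weekly-offline-0505", ts("2024-05-05T23:00Z"), "offline", True),
    RestorePoint("nightly-s3-0509", ts("2024-05-09T23:00Z"), "immutable", True),
    RestorePoint("nightly-s3-0510", ts("2024-05-10T23:00Z"), "immutable", False),
    RestorePoint("esxi-snap-0510", ts("2024-05-10T12:00Z"), "same-datastore-snapshot", True),
    RestorePoint("nightly-s3-0511", ts("2024-05-11T06:00Z"), "immutable", True),
]


if __name__ == "__main__":
    chosen, fallback, rejected = select_restore_point(SAMPLE_POINTS, FIRST_EVIDENCE, ENCRYPTION_TIME)
    print("restore from:", chosen.name if chosen else None)
    print("dwell-window fallback:", fallback.name if fallback else None)
    for name, reason in rejected.items():
        print(f"rejected {name}: {reason}")
```

If the fallback has to be used because the clean copy is too old to be acceptable, the restored VM must be treated as still compromised: rotate every credential it holds and hunt for the scheduled tasks, cron jobs and systemd timers listed under Persistence before it goes back on the network.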

Ransom Amounts

Eldorado demands range from $500,000 to $3,000,000+ depending on organization size and datastore volume. Healthcare targets typically demand $2M+. Demands are negotiable; reported settlement rates are 30-50% of initial demand. Affiliate variation in negotiation approach means some victims receive better terms based on affiliate experience.


Frequently asked questions

What Is Eldorado Ransomware?

Eldorado is an affiliate-based Ransomware-as-a-Service group that emerged in March 2024, using Golang for cross-platform compilation and specializing in VMware ESXi hypervisor encryption. The ransomware uses ChaCha20 for file encryption combined with RSA-4096 key protection, creating cryptographically secure encryption resistant to brute-force recovery. The gang offers customizable malware builders to affiliates, enabling rapid scaling and geographic dispersion of attacks.

Where Is Eldorado Based?

Attribution analysis suggests Eastern European or Russian-based operations based on infrastructure patterns, timezone activity (UTC+2 to UTC+3), and operational style. The affiliate-based RaaS model suggests the operator seeks distance from actual attacks. No definitive attribution to nation-state actors has been published; group appears financially motivated.

How Does Eldorado Attack?

Eldorado typically gains initial access through compromised credentials (RDP, SSH, VPN) obtained from breach databases or phishing campaigns. Operators establish persistence via scheduled tasks or cron jobs, conduct reconnaissance to identify ESXi hosts and datastore volumes, and then deploy the customized Eldorado encryptor. The Golang binary is compiled per-victim with unique encryption keys, making each infection cryptographically isolated.

How Long Do Eldorado Attacks Last?

From initial compromise to encryption deployment, Eldorado attacks average 5-10 days of dwell time, allowing for reconnaissance and credential harvesting. ESXi encryption itself is rapid—a 5TB datastore can be fully encrypted within 6-12 hours depending on storage performance. Some incidents show acceleration to 24-48 hours total if the gang detects active monitoring.

Can Eldorado Files Be Decrypted?

No legitimate public decryptor exists. ChaCha20 combined with RSA-4096 is cryptographically sound. Some victims who paid ransom report keys were functional but incomplete (recovering only 70-80% of files). Recovery without ransom requires offline backups or ESXi snapshots, both of which may not exist for recently encrypted data.

What Happens After Eldorado Encryption?

All virtual machines encrypted with .00000001 extensions become inaccessible. The gang threatens to release sensitive data (healthcare records, financial information, intellectual property) on dark web forums if ransom is not paid within 7-14 days. For organizations dependent on virtualized infrastructure (hospitals, financial institutions), operational disruption is immediate and severe—hundreds of applications fail simultaneously.

How Can Organizations Prevent Eldorado?

Implement multi-factor authentication on all RDP, SSH, and VPN paths that reach hypervisor management interfaces. Assume credentials exposed in breaches are compromised; rotate passwords quarterly. Maintain offline, immutable backups of ESXi configurations and datastores, and test them for recovery quarterly. Isolate hypervisor management networks using network segmentation. Disable SSH and the ESXi Shell on hosts when not in use (ESXi does not run RDP; RDP exposure belongs to the Windows jump hosts and management workstations in front of it), and route all administrative access through hardened jump hosts. Monitor ESXi logs for unusual process execution and SSH access.

Eldorado Prevention Checklist

– Enforce MFA on vSphere and hypervisor management interfaces
– Isolate hypervisor management networks from general corporate network
– Disable SSH and the ESXi Shell on hosts when not needed, and keep RDP on management jump hosts off the internet
– Maintain offline, encrypted backup copies of ESXi configurations and datastores
– Monitor ESXi logs for unusual process execution (non-standard binaries, shell access)
– Implement vSphere Lifecycle Manager (formerly VMware Update Manager, VUM) for automated patching
– Rotate hypervisor administrator credentials quarterly
– Conduct quarterly backup restoration drills on test environment
– Deploy EDR on management interfaces to detect suspicious processes
– Monitor for simultaneous virtual machine encryption (anomalous storage I/O)

Why Is Eldorado Targeting ESXi Hypervisors Instead of Individual Windows Systems?

Encrypting an ESXi host results in simultaneous encryption of dozens or hundreds of virtual machines, creating maximum impact with minimal operational complexity. A single successful compromise of a hypervisor host is equivalent to compromising 50-500 individual systems, dramatically increasing ransom leverage while reducing affiliate operational complexity. This targets infrastructure architecture weaknesses rather than endpoint weaknesses.

What Makes Eldorado Different from Other RaaS Groups?

Eldorado's explicit focus on VMware ESXi sets it apart from commodity RaaS groups that target Windows desktops and servers. The Golang cross-platform implementation and customizable malware builder enable rapid affiliate onboarding. The group appears to target infrastructure-centric organizations (healthcare, finance, education, manufacturing) rather than the broad SMB market, suggesting higher ransom demands despite a lower victim count.