ElDorado Ransomware Hits New River Electrical, 2.44TB Data Compromised

Incident Date: Aug 31, 2024

Attack Overview
VICTIM
New River Electrical Corporation
INDUSTRY
Construction
LOCATION
USA
ATTACKER
ElDorado
FIRST REPORTED
August 31, 2024

ElDorado Ransomware Group Targets New River Electrical Corporation

New River Electrical Corporation (NRE), an electrical contractor based in the United States, has been listed as a victim of the ElDorado ransomware group. The listing, posted on ElDorado's dark web leak site, claims that 2.44 TB of organizational data was taken. If the claim is accurate, the exposure poses a significant risk to NRE's operations and to the confidentiality of its project and customer data.

About New River Electrical Corporation

Founded in 1953, New River Electrical Corporation is a well-established player in the electrical construction industry. The company specializes in substation construction and maintenance, overhead transmission and distribution, and underground electrical systems. NRE is known for its commitment to safety, quality, and community engagement, making it a trusted partner in electrical utility projects across North America. The company employs approximately 329 people and generates an annual revenue of $247.1 million.

Attack Overview

ElDorado claims to have infiltrated NRE's systems and exfiltrated a substantial amount of sensitive data; the 2.44 TB figure is the attackers' own claim from the leak-site post. The group has not disclosed how it gained initial access or which weaknesses it exploited. The incident is one more data point in the steady targeting of industrial firms that support critical infrastructure, where a contractor's project files, drawings and credentials for customer environments are attractive to extortion crews, and it underscores the need for layered defenses rather than reliance on any single control.

About ElDorado Ransomware Group

ElDorado is a ransomware-as-a-service (RaaS) operation that first appeared in early 2024. Its locker is written in Go, which lets one code base be built for both Windows and Linux, including VMware ESXi hosts. Files are encrypted with ChaCha20 under a symmetric key, and that key is in turn encrypted with RSA-OAEP to the operator's public key, so recovery of encrypted files without the matching RSA private key is not feasible. The group recruits affiliates and penetration testers on dark web forums, and its RaaS platform lets affiliates customize attack parameters and generate custom ransomware builds for each target.

Penetration and Impact

The initial access vector for this incident has not been made public. ElDorado's locker is known to encrypt files on network shares over SMB, to delete volume shadow copies on Windows hosts so that built-in recovery is not possible, and to delete its own binary after execution to hinder detection and forensic analysis. Given NRE's work on substations and transmission and distribution lines for utilities, a compromise of a contractor of this kind could expose project and customer data and, at worst, affect the utilities it supports.
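The shadow-copy deletion and self-deletion behaviours described above are pre-encryption activity that a SOC can catch in process-creation telemetry before the locker finishes. The detection below is an added example written for this article, not code from Halcyon, ElDorado or any vendor. It scans a constructed, pipe-delimited process-creation log (timestamp|host|user|image|command_line, an assumed format) for generic recovery-inhibition commands (vssadmin, wmic, bcdedit, wbadmin and the PowerShell Win32_ShadowCopy idiom) and for the cmd.exe "ping or timeout, then del" self-deletion idiom. These patterns are common ransomware tradecraft in general; the article does not state which exact commands ElDorado runs, so they are assumptions here rather than ElDorado indicators.

```python
"""Detect recovery-inhibition and self-deletion commands in process-creation logs.

Added example for this article; not Halcyon's or ElDorado's code. The log
format and the sample events below are constructed for the example."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed log format: one event per line, pipe-delimited:
#   timestamp|host|user|image_path|command_line
FIELD_COUNT = 5

# Generic recovery-inhibition (MITRE ATT&CK T1490) and self-deletion idioms.
# These are common ransomware behaviours in general; the article does not say
# which exact commands ElDorado runs, so they are assumptions, not indicators.
RULES = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "vssadmin_resize_shadowstorage": re.compile(
        r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy_delete": re.compile(
        r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "powershell_remove_shadowcopy": re.compile(
        r"win32_shadowcopy.*\b(remove-wmiobject|remove-ciminstance)\b", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "wbadmin_delete_catalog": re.compile(
        r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    # "cmd /c ping ... & del <file>" style delayed self-deletion of a binary
    "cmd_delayed_self_delete": re.compile(
        r"\bcmd(\.exe)?\s+/c\b.*\b(ping|timeout)\b.*&\s*del\b", re.I),
}


@dataclass(frozen=True)
class Event:
    timestamp: str
    host: str
    user: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Hit:
    rule: str
    event: Event


def parse_line(line):
    """Return an Event, or None for blank or malformed lines.

    Splits on at most four pipes so a command line that itself contains '|'
    (e.g. a PowerShell pipeline) is kept intact in the last field."""
    parts = line.rstrip("\r\n").split("|", FIELD_COUNT - 1)
    if len(parts) != FIELD_COUNT or not parts[0]:
        return None
    return Event(*parts)


def scan(lines):
    """Run every rule over every parseable event; return hits in log order."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # skip bad input rather than crash the pipeline
        for name, pattern in RULES.items():
            if pattern.search(event.command_line):
                hits.append(Hit(name, event))
    return hits


def score_hosts(hits):
    """Per-host severity: 'high' when two or more distinct rules fire on one
    host (shadow-copy deletion chained with recovery tampering is the
    pre-encryption pattern), 'medium' for a single rule."""
    rules_by_host = defaultdict(set)
    for hit in hits:
        rules_by_host[hit.event.host].add(hit.rule)
    return {host: ("high" if len(rules) >= 2 else "medium")
            for host, rules in rules_by_host.items()}


# Constructed sample events (hostnames, users and paths are made up).
SAMPLE_LOG = r"""2024-08-31T02:14:07Z|fs01|CORP\svc_backup|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2024-08-31T02:14:09Z|fs01|CORP\svc_backup|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled No
2024-08-31T02:15:30Z|ws22|CORP\jdoe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
2024-08-31T02:16:01Z|ws22|CORP\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\jdoe\Downloads\update.exe"
2024-08-31T02:17:45Z|dc01|CORP\admin|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoP -C "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
this line is malformed and must be skipped
"""


def run_demo():
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.event.timestamp} {h.event.host} [{h.rule}] {h.event.command_line}")
    return hits, score_hosts(hits)


if __name__ == "__main__":
    run_demo()
```

On the sample input the scan flags the vssadmin and bcdedit commands on fs01 (scored high because two distinct rules fired on one host), the delayed self-delete on ws22 and the PowerShell shadow-copy removal on dc01, while the benign "vssadmin list shadows" and the malformed line produce nothing. In production a lone "vssadmin delete shadows" already warrants a high-severity alert; the per-host scoring here is deliberately simple so that the rule logic stays readable.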
