ElDorado Ransomware Hits South Korean DevOps Firm CURVC Corp
ElDorado Ransomware Group Targets South Korean DevOps Consulting Firm CURVC Corp
In a recent cyberattack, the ransomware group ElDorado has claimed responsibility for targeting CURVC Corp, a South Korean consulting firm specializing in DevOps and software engineering solutions. The attack was announced on ElDorado's dark web leak site, where the group claimed to have exfiltrated 5 GB of sensitive data from CURVC Corp.
About CURVC Corp
CURVC Corp, also known as CURVE, operates out of Seoul, South Korea, and is recognized as a Platinum Solution Partner with Atlassian. The company focuses on enhancing productivity in software development through practical consulting services and training. CURVC Corp's core offerings include solution consulting, product delivery, practical training, development services, operational services, and customer support. The firm primarily utilizes tools from Atlassian, SonarQube, and Freshworks to help organizations implement and utilize DevOps practices and IT Service Management (ITSM).
With a workforce ranging from 20 to 49 employees, CURVC Corp generates an estimated revenue between $5 million to $10 million annually. The company is known for its tailored solutions and proactive customer support, making it a significant player in the DevOps consulting space in South Korea.
Attack Overview
The ElDorado ransomware group claims to have exfiltrated 5 GB of data from CURVC Corp. If the claim is accurate, the incident poses operational and reputational risk to the company and, because CURVC delivers and operates tooling on behalf of its clients, potential downstream exposure for those clients as well. At the time of writing the claim rests solely on the leak-site posting: the group has not published samples, and neither the initial access vector nor the extent of any file encryption has been disclosed.
About ElDorado Ransomware Group
ElDorado is a relatively new ransomware group that emerged in early 2024. Operating as a Ransomware-as-a-Service (RaaS) platform, ElDorado's malware is written in Golang, allowing for cross-platform capabilities targeting both Windows and Linux systems, including VMware ESXi. The ransomware uses ChaCha20 for file encryption and RSA-OAEP for key encryption, with encrypted files bearing a .00000001 extension and ransom notes named "HOW_RETURN_YOUR_DATA.TXT."
ElDorado distinguishes itself by actively recruiting affiliates and pentesters on dark web forums, allowing them to customize attack parameters. The group has quickly demonstrated its capability to inflict significant damage, with victims spanning various sectors, including real estate, healthcare, education, and manufacturing.
Potential Penetration Methods
The initial access vector in the CURVC Corp attack has not been disclosed, and the behaviors publicly documented for ElDorado are post-compromise rather than penetration techniques. Once running, the payload enumerates and encrypts files on network shares over SMB, deletes Windows Volume Shadow Copies so that local restore points cannot be used for recovery, and deletes its own binary after execution to reduce the forensic footprint. For defenders, this means local snapshots cannot be relied on as the recovery path; offline or immutable backups, and alerting on shadow copy deletion and on bursts of file renames to an unusual extension, are the practical controls against this stage of the attack.
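The following detection routine is an added example written for this article, not code from Halcyon or from any ElDorado sample. It covers the indicators the article gives for the encryption stage (the .00000001 extension and the HOW_RETURN_YOUR_DATA.TXT ransom note) together with the shadow copy deletion behavior described above, run over a constructed set of endpoint telemetry lines. The log format, the host names, the command-line patterns for shadow copy deletion, and the rename threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Indicators taken from the article: encrypted-file extension and ransom note name.
ENCRYPTED_EXT = ".00000001"
RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"

# Generic Windows shadow-copy deletion idioms (assumed for the example; the
# article does not state which command ElDorado uses).
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy", re.I),
]

# Renames to ENCRYPTED_EXT on one host before an alert fires (assumed value);
# a burst of renames to one unusual extension is the encryption phase itself.
RENAME_THRESHOLD = 3

# Constructed sample telemetry for this example (not real logs).
# Format per line: timestamp|host|event|subject|detail
#   event=process -> subject=image path, detail=command line
#   event=rename  -> subject=old path,   detail=new path
#   event=create  -> subject=new path,   detail=(empty)
SAMPLE_LOG = """\
2024-09-01T10:00:01Z|ws01|process|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
2024-09-01T10:02:10Z|ws01|process|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2024-09-01T10:02:11Z|ws01|process|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2024-09-01T10:02:30Z|ws01|rename|\\\\fs01\\share\\finance\\q2.xlsx|\\\\fs01\\share\\finance\\q2.xlsx.00000001
2024-09-01T10:02:31Z|ws01|rename|\\\\fs01\\share\\finance\\q3.xlsx|\\\\fs01\\share\\finance\\q3.xlsx.00000001
2024-09-01T10:02:32Z|ws01|rename|\\\\fs01\\share\\hr\\list.docx|\\\\fs01\\share\\hr\\list.docx.00000001
2024-09-01T10:02:33Z|ws01|create|\\\\fs01\\share\\finance\\HOW_RETURN_YOUR_DATA.TXT|
2024-09-01T10:05:00Z|ws02|rename|C:\\Users\\a\\report.docx|C:\\Users\\a\\report.docx.bak
2024-09-01T10:06:00Z|ws02|process|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
"""


def parse_line(line: str) -> Tuple[str, str, str, str, str]:
    """Split one telemetry line into its five fields (detail may be empty)."""
    ts, host, event, subject, detail = line.split("|", 4)
    return ts, host, event, subject, detail


def basename(path: str) -> str:
    """Last path component for both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return alerts, in log order, for the ransomware behaviors described above."""
    alerts: List[Dict[str, str]] = []
    renames_per_host: Dict[str, int] = defaultdict(int)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, host, event, subject, detail = parse_line(raw)
        if event == "process":
            # Shadow copy removal: recovery inhibition before/while encrypting.
            if any(p.search(detail) for p in SHADOW_COPY_PATTERNS):
                alerts.append({"ts": ts, "host": host, "rule": "shadow_copy_deletion", "evidence": detail})
        elif event == "rename":
            # Encryption phase: files (here on a UNC share) renamed to the ransom extension.
            if detail.lower().endswith(ENCRYPTED_EXT):
                renames_per_host[host] += 1
                if renames_per_host[host] == RENAME_THRESHOLD:
                    alerts.append({"ts": ts, "host": host, "rule": "mass_rename_to_ransom_ext", "evidence": detail})
        elif event == "create":
            # Ransom note written into an encrypted directory.
            if basename(subject).upper() == RANSOM_NOTE:
                alerts.append({"ts": ts, "host": host, "rule": "ransom_note_dropped", "evidence": subject})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["host"]} {alert["rule"]}: {alert["evidence"]}')
```

On the sample above the routine fires twice for shadow copy deletion, once when the third rename to .00000001 on ws01 is seen, and once for the ransom note; the `vssadmin list shadows` and `.bak` rename on ws02 produce nothing. In production the rename count should be windowed by time rather than over the whole log, and the extension and note name should be treated as one indicator set among several, since affiliates of a RaaS can change both.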