ElDorado Ransomware Hits South Korean DevOps Firm CURVC Corp
Incident Date: August 24, 2024
Overview
Title: ElDorado Ransomware Hits South Korean DevOps Firm CURVC Corp
Victim: CURVC Corp
Attacker: ElDorado
Location:
First Reported: August 24, 2024
ElDorado Ransomware Group Targets South Korean DevOps Consulting Firm CURVC Corp
In a recent cyberattack, the ransomware group ElDorado has claimed responsibility for targeting CURVC Corp, a South Korean consulting firm specializing in DevOps and software engineering solutions. The attack was announced on ElDorado's dark web leak site, where the group claimed to have exfiltrated 5 GB of sensitive data from CURVC Corp.
About CURVC Corp
CURVC Corp, also known as CURVE, operates out of Seoul, South Korea, and is recognized as a Platinum Solution Partner with Atlassian. The company focuses on enhancing productivity in software development through practical consulting services and training. CURVC Corp's core offerings include solution consulting, product delivery, practical training, development services, operational services, and customer support. The firm primarily utilizes tools from Atlassian, SonarQube, and Freshworks to help organizations implement and utilize DevOps practices and IT Service Management (ITSM).
With a workforce of 20 to 49 employees, CURVC Corp generates an estimated annual revenue of between $5 million and $10 million. The company is known for its tailored solutions and proactive customer support, making it a significant player in the DevOps consulting space in South Korea.
Attack Overview
The ElDorado ransomware group claims to have exfiltrated 5 GB of sensitive data from CURVC Corp, posing significant operational and reputational risks to the company. The attack highlights vulnerabilities in CURVC Corp's cybersecurity measures, which may have been exploited by the ransomware group to gain unauthorized access to their systems.
About ElDorado Ransomware Group
ElDorado is a relatively new ransomware group that emerged in early 2024. Operating as a Ransomware-as-a-Service (RaaS) platform, ElDorado's malware is written in Golang, allowing for cross-platform capabilities targeting both Windows and Linux systems, including VMware ESXi. The ransomware uses ChaCha20 for file encryption and RSA-OAEP for key encryption, with encrypted files bearing a .00000001 extension and ransom notes named "HOW_RETURN_YOUR_DATA.TXT."
ElDorado distinguishes itself by actively recruiting affiliates and pentesters on dark web forums, allowing them to customize attack parameters. The group has quickly demonstrated its capability to inflict significant damage, with victims spanning various sectors, including real estate, healthcare, education, and manufacturing.
Potential Penetration Methods
While the exact method of penetration in the CURVC Corp attack remains unclear, ElDorado's tactics typically involve encrypting files on shared networks using the SMB protocol and removing shadow volume copies on Windows to hinder recovery. The malware is designed to self-delete after execution to avoid detection, making it a formidable threat to organizations with insufficient cybersecurity measures.
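For responders scoping an incident like this one, the two file-level indicators named above (the .00000001 extension and the HOW_RETURN_YOUR_DATA.TXT note) are the quickest way to measure how far encryption spread across a shared drive. The following triage scanner is an added example, not code from the report or from any tracker; the directory tree it builds is constructed sample data.

```python
"""Triage scan for ElDorado ransomware artefacts on a filesystem tree.

Walks a directory (e.g. a mounted SMB share) and reports files bearing the
.00000001 extension and ransom notes named HOW_RETURN_YOUR_DATA.TXT, grouped
by directory, so an incident responder can scope the blast radius before
deciding what to restore from backup.
"""
import os
import tempfile
from collections import defaultdict
from pathlib import Path

ENCRYPTED_EXT = ".00000001"               # extension ElDorado appends (from the report)
RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"  # ransom note filename (from the report)


def scan_tree(root):
    """Return {directory: {"encrypted": [names], "notes": [names]}} for hit directories only."""
    hits = defaultdict(lambda: {"encrypted": [], "notes": []})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(ENCRYPTED_EXT):
                hits[dirpath]["encrypted"].append(name)
            elif name.upper() == RANSOM_NOTE:   # case-insensitive for Windows/SMB shares
                hits[dirpath]["notes"].append(name)
    return dict(hits)


def summarize(hits):
    """Aggregate counts: encrypted files, ransom notes and affected directories."""
    encrypted = sum(len(v["encrypted"]) for v in hits.values())
    notes = sum(len(v["notes"]) for v in hits.values())
    return {"encrypted_files": encrypted, "ransom_notes": notes, "affected_dirs": len(hits)}


def build_sample_tree():
    """Constructed sample: two hit directories and one untouched directory in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="eldorado_triage_"))
    for sub in ("finance", "hr", "clean"):
        (root / "share" / sub).mkdir(parents=True)
    (root / "share" / "finance" / "q3.xlsx.00000001").write_bytes(b"\x00" * 16)
    (root / "share" / "finance" / "budget.docx.00000001").write_bytes(b"\x00" * 16)
    (root / "share" / "finance" / RANSOM_NOTE).write_text("constructed note body")
    (root / "share" / "hr" / "payroll.csv.00000001").write_bytes(b"\x00" * 16)
    (root / "share" / "hr" / RANSOM_NOTE).write_text("constructed note body")
    (root / "share" / "clean" / "readme.txt").write_text("untouched")
    return str(root)


if __name__ == "__main__":
    hits = scan_tree(build_sample_tree())
    for directory, v in sorted(hits.items()):
        print(directory, len(v["encrypted"]), "encrypted,", len(v["notes"]), "note(s)")
    print(summarize(hits))
```

Point `scan_tree` at a read-only mount of the affected share rather than a live host, so triage does not alter file timestamps the forensic timeline depends on.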
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups and their victims. Given threat actors' lucrative success so far, ransomware attacks have become the most ubiquitous and the most financially and informationally impactful cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.