In the latest ransomware developments, a new ransomware named Epsilon Red has been found to be attacking vulnerable Microsoft Exchange Servers.
Malicious Epsilon Red:
Epsilon Red was initially discovered by cybersecurity experts at Sophos PLC and provided that the ransomware was detected to be targeting a U.S.-based organization.
Epsilon Red is deployed in hand-controlled attacks as the terminal executable payload.
The ransomware had demanded a ransom of 4.29 Bitcoin. The amount was valued at $210,000 at the time of the ransom demand.
According to the security researchers, the name and tooling in the ransomware attack were unique to the attackers. Although the ransom note resembled the standard message left behind by the well-known REvil ransomware gang, there were grammatical changes.
What is to be noted is that the name and techniques employed in the ransomware attack were found to be singular to Epsilon Red.
It was also observed that the ransom note of Epsilon Red shared a resemblance with the infamous REvil ransomware gang
The gateway was an enterprise Microsoft Exchange server. “It isn’t clear whether this was enabled by the ProxyLogon exploit or another vulnerability, but it seems likely that the root cause was an unpatched server,” noted the Sophos PLC researchers. “From that machine, the attackers used WMI to install other software onto machines inside the network that they could reach from the Exchange server.”
Structure and Mal-operations:
Detailing Epsilon Red’s architecture and process, the ransomware has multiple phases and is scripted in Golang Go.It is a follow up of PowerScripts that prepare the target
Starting with killing processes and services for security tools, databases, backup programs, Microsoft Office apps, and email clients, the ransomware deletes all Volume Shadow Copies. The ransomware then steals the Security Account Manager file containing password hashes, deletes Windows Event Logs, disables Windows Defender. Finally, it suspends processes, uninstalls security tools, and expands permissions on the system.
Subsequently, Epsilon Red employs Windows Management Instrumentation to install software and operate PowerShell scripts, install software and run PowerShell scripts.
These then distribute the primary ransomware executable.
The main Epsilon Red executable has been found with the ability to then encrypt files and steal sensitive data.
Impacted victims are then notified of the ransomware attack and demanded the ransom
“As the ingress point for this attack appears to have been an Exchange server vulnerable to the ProxyLogon exploit chain, customers are urged to patch internet-facing Exchange servers as quickly as possible,” the Sophos researchers concluded.