A new ransomware threat called Epsilon Red has been spotted exploiting Exchange Server vulnerabilities to infiltrate networks and encrypt machines.
The Epsilon Red ransomware campaign uses a variety of scripts before it reaches the encryption stage.
Cybersecurity researchers at Sophos discovered the new type of ransomware last week when it hit a vulnerable Microsoft Exchange Server of a fairly large hospitality company in the US. The researchers discovered that the threat actor exploited unpatched vulnerabilities in the Exchange server to gain unauthorized access to the network.
Andrew Brandt, a principal researcher at Sophos, said that the attackers may have exploited the ProxyLogon set of weaknesses to reach network machines.
Epsilon Red is written in Golang (Go). Its PowerShell scripts are quite unique, researchers note, and set the stage for the later file encryption: they kill processes and services belonging to various security tools, databases, email clients, Office apps, and other applications; uninstall security tools; steal the Security Account Manager (SAM) file containing password hashes; delete Volume Shadow Copies and Windows Event Logs; and more.
There are a few scripts that are numbered 1 through 12 and some that are named with a single letter. In addition, one is likely a clone of Copy-VSS, a penetration testing tool.
After breaching the network, the attackers used Windows Management Instrumentation (WMI) to install software and run the scripts that deploy Epsilon Red.
According to researchers from Sophos, the attacker also installed a copy of Remote Utilities and the Tor Browser to maintain remote access to the victim's systems in the future.
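The pre-encryption steps described above (killing services, exporting the SAM hive, deleting shadow copies, clearing event logs, and scripts launched through WMI) each leave a process-creation record that a defender can alert on before the encryptor runs. The following is an added example from the editor, not code from the article or from Sophos: it parses a constructed, simplified process-creation log format ("host | parent | image | command line"), matches each record against a small rule set, and flags a host as "staged for encryption" once several distinct behaviours appear on it. The log lines, the record format, the rule names and the threshold are all the editor's own assumptions.

```python
import re
from collections import defaultdict
from typing import NamedTuple


class ProcEvent(NamedTuple):
    host: str
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one 'host | parent | image | cmdline' record (constructed format, not a real EDR schema)."""
    parts = [p.strip() for p in line.split("|", 3)]
    if len(parts) != 4:
        raise ValueError(f"malformed record: {line!r}")
    return ProcEvent(*parts)


# Command-line rules, one per pre-encryption behaviour named in the article.
# The patterns are the editor's assumptions about how such actions usually
# show up on the command line; tune them to your own telemetry.
CMDLINE_RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "event_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+cl\s+\S+", re.I),
    "sam_hive_export": re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\SAM\b", re.I),
    "service_stop": re.compile(r"\bnet(\.exe)?\s+stop\s+\S+", re.I),
    "security_tool_kill": re.compile(r"\btaskkill(\.exe)?\b.*/im\s+\S+", re.I),
}

# Structural rule: a script host spawned by the WMI provider host, which is
# how the article says the scripts were run after the initial breach.
WMI_PROVIDER_HOST = "wmiprvse.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule this single event trips."""
    hits = []
    if ev.parent.lower() == WMI_PROVIDER_HOST and ev.image.lower() in SCRIPT_HOSTS:
        hits.append("wmi_spawned_script_host")
    for name, pattern in CMDLINE_RULES.items():
        if pattern.search(ev.cmdline):
            hits.append(name)
    return hits


def assess(lines) -> dict[str, list[str]]:
    """Aggregate distinct rule hits per host across all records."""
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        for hit in classify(ev):
            per_host[ev.host].add(hit)
    return {host: sorted(hits) for host, hits in per_host.items()}


def staged_hosts(lines, threshold: int = 3) -> list[str]:
    """Hosts showing at least `threshold` distinct behaviours: likely ransomware staging."""
    return sorted(h for h, hits in assess(lines).items() if len(hits) >= threshold)


# Constructed sample records (not real telemetry). host01 shows the staging
# chain; host02 shows only benign activity.
SAMPLE_LOGS = [
    "host01 | explorer.exe | notepad.exe | notepad.exe C:\\Users\\a\\notes.txt",
    "host01 | WmiPrvSE.exe | powershell.exe | powershell.exe -ExecutionPolicy Bypass -File C:\\temp\\3.ps1",
    "host01 | powershell.exe | vssadmin.exe | vssadmin.exe delete shadows /all /quiet",
    "host01 | powershell.exe | wevtutil.exe | wevtutil.exe cl Security",
    "host01 | powershell.exe | reg.exe | reg.exe save HKLM\\SAM C:\\temp\\sam.hiv",
    "host01 | powershell.exe | net.exe | net.exe stop MSSQLSERVER",
    "host01 | powershell.exe | taskkill.exe | taskkill.exe /f /im sqlservr.exe",
    "host02 | services.exe | svchost.exe | svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for host, hits in assess(SAMPLE_LOGS).items():
        print(host, hits)
    print("staged:", staged_hosts(SAMPLE_LOGS))
```

Any one of these rules fires on legitimate administration now and then, which is why the example scores distinct behaviours per host rather than alerting on each line; several of them landing on one host within a short window is the signal worth paging on, ideally before the encryptor is ever written to disk.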
Although this version of Epsilon Red does not appear to be professional malware, Peter Mackenzie, manager of the Rapid Response team at Sophos, warned that it is dangerous precisely because it encrypts files without restriction: it encrypts every file in a targeted folder, including executables and DLLs, which can break the operating system or essential programs.
The malware is mostly an encryption tool, but it also includes a directory-walking utility called godirwalk, which lets Epsilon Red scan the drive and add directories to a list of targets that are then encrypted one by one.
Epsilon Red drops a ransom note in each processed folder telling victims how to contact the attackers for negotiations. The note is a spruced-up version of the original note used by the Russian hackers behind REvil ransomware, minus the grammar mistakes.
The hackers got their malware’s name from a character from the Marvel universe named Epsilon Red, who is a Russian super-soldier.
Despite being new to the ransomware scene, the Epsilon Red gang has already attacked several companies and made some money: one victim paid the attackers 4.28 BTC (about $210,000) on May 15, Sophos said.