A new ransomware threat calling itself Epsilon Red has been seen exploiting Microsoft Exchange server vulnerabilities to encrypt machines across the network.
Epsilon Red ransomware attacks rely on more than a dozen scripts before reaching the encryption stage and also use a commercial remote desktop utility.
Hitting vulnerable Microsoft Exchange server
Incident responders at cybersecurity company Sophos discovered the new Epsilon Red ransomware over the past week while investigating an attack at a fairly large U.S. company in the hospitality sector.
The researchers found that the threat actor breached the enterprise network by exploiting unpatched vulnerabilities in an on-premises Microsoft Exchange server.
Because of their critical severity, organizations across the world rushed to install the patches, and in less than a month about 92% of the vulnerable on-premises Microsoft Exchange servers had received the update.
Unique set of tools
Epsilon Red is written in Golang (Go) and is preceded by a set of unique PowerShell scripts that prepare the ground for the file-encryption routine, each having a specific purpose:
- kill processes and services for security tools, databases, backup programs, Office apps, email clients
- delete Volume Shadow Copies
- steal the Security Account Manager (SAM) file containing password hashes
- delete Windows Event Logs
- disable Windows Defender
- suspend processes
- uninstall security tools (Sophos, Trend Micro, Cylance, Malwarebytes, SentinelOne, Vipre, Webroot)
- expand permissions on the system
Most of the scripts are numbered 1 through 12 but there are a few that are named as a single letter. One of these, c.ps1, seems to be a clone of the penetration testing tool Copy-VSS.
After breaching the network, the hackers reach machines over RDP and use Windows Management Instrumentation (WMI) to install software and run the PowerShell scripts that ultimately deploy the Epsilon Red executable.
Sophos researchers noticed that the threat actor also installs a copy of Remote Utilities, a commercial remote desktop tool, and the Tor Browser. This is to ensure that they still have a way back in if they lose access through the initial entry point.
REvil ransom note model
Peter Mackenzie, manager of the Sophos Rapid Response team, told BleepingComputer that although this version of Epsilon Red does not appear to be the work of professionals, it can cause quite a mess because it places no restrictions on the file types and folders it encrypts.
The malware has little functionality apart from encrypting files and folders, but it includes code from godirwalk, an open-source Go library for traversing a directory tree on a file system.
This functionality enables Epsilon Red to scan the hard drive and add directory paths to a list of destinations for child processes that encrypt subfolders individually. In the end, infected machines will run a large number of copies of the ransomware process.
It encrypts everything in the targeted folders, appending the suffix “.epsilonred”, without sparing executables or DLLs, which can break essential programs or even the operating system.
In typical ransomware fashion, Epsilon Red drops in each processed folder the ransom note with instructions on how to contact the attackers for negotiating a data decryption price.
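A small post-incident triage helper, added here as an example (it is neither Sophos' code nor the malware's), that walks a tree the same way the encryptor does and reports, per directory, how many files carry the “.epsilonred” suffix, how many of those were executables or DLLs, and whether a ransom note was dropped. The note's filename is not given in the reporting, so it is passed in as a parameter rather than assumed.

```go
package main
import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)
const EncryptedSuffix = ".epsilonred" // suffix reported by Sophos
// DirReport summarises one directory touched by the encryptor.
type DirReport struct {
	Encrypted int  // files carrying the suffix
	Binaries  int  // of those, .exe/.dll files, which the encryptor does not spare
	HasNote   bool // ransom note dropped in this directory
}
// Triage walks every subfolder under root, as the encryptor does, and records per directory
// how many files were renamed and whether a note was dropped (noteName is an assumption).
func Triage(root, noteName string) (map[string]DirReport, error) {
	reports := map[string]DirReport{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		dir, name := filepath.Dir(path), d.Name()
		r := reports[dir]
		if name == noteName {
			r.HasNote = true
		} else if strings.HasSuffix(name, EncryptedSuffix) {
			r.Encrypted++
			// strip the suffix to recover the original extension, case-insensitively
			switch strings.ToLower(filepath.Ext(strings.TrimSuffix(name, EncryptedSuffix))) {
			case ".exe", ".dll":
				r.Binaries++
			}
		}
		reports[dir] = r
		return nil
	})
	return reports, err
}

func main() { // usage: go run triage.go <root> <ransom-note-filename>
	reports, err := Triage(os.Args[1], os.Args[2])
	for dir, r := range reports {
		fmt.Printf("%s: %d encrypted (%d binaries), note=%v\n", dir, r.Encrypted, r.Binaries, r.HasNote)
	}
	if err != nil {
		fmt.Println("walk error:", err)
	}
}
```

Directories with a note but zero renamed files, or many renamed files and no note, are worth a second look because each encryptor child process handles its own subfolder.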
If the instructions seem familiar, it's because the attackers use a spruced-up version of the ransom note used by REvil ransomware. However, Epsilon Red made an effort to correct the original grammar and spelling mistakes of the Russian gang.
While the origin of the hackers remains unknown at the moment, it is clear where the name comes from. Epsilon Red is a little-known character from the Marvel universe, a Russian super-soldier with four tentacles who can breathe in space.
Despite being new to the ransomware business, the Epsilon Red gang has already attacked several companies, and the incidents are being investigated by multiple cybersecurity firms.
The hackers have also made some money. Sophos found that one victim of this ransomware threat paid the attackers 4.28 BTC on May 15 (about $210,000).