Exchange Servers Targeted by Epsilon Red Malware

Epsilon Red ransomware is a new entrant on the ransomware scene. Its attacks rely on more than a dozen scripts before reaching the encryption stage and also make use of a commercial remote desktop utility.

Researchers from cyber security firm Sophos claim to have identified a new strain of Windows ransomware, dubbed ‘Epsilon Red’, which is targeting unpatched Microsoft Exchange servers to encrypt machines across corporate networks. The ransomware itself is the final executable payload in the attack, which relies on a dozen PowerShell scripts (numbered from 1 to 12) before encrypting machines.

Sophos researchers discovered the new ransomware, known as Epsilon Red, while investigating an attack on a US hotel company, Sophos Principal Researcher Andrew Brandt wrote in a post published online. The name is a reference to an obscure adversarial character in Marvel’s X-Men and was coined by the attackers themselves. According to Brandt, the character is a super soldier of Russian origin armed with four mechanical tentacles, which seems to illustrate how the ransomware spreads its hooks throughout an enterprise network.

While the malware itself is a “bare-bones” 64-bit Windows executable programmed in the Go programming language, its delivery system is a bit more sophisticated, relying on a series of PowerShell scripts that “prepared the attacked machines for the final ransomware payload and ultimately delivered and initiated it,” he wrote.

The US firm which suffered the attack last month paid a ransom of 4.29 bitcoin on 15th May, which was worth about $210,000 at the time. “It appears that an enterprise Microsoft Exchange server was the initial point of entry by the attackers into the enterprise network,” Brandt said.

“It isn’t clear whether this was enabled by the ProxyLogon exploit or another vulnerability, but it seems likely that the root cause was an unpatched server,” he added.

After gaining initial entry through the Exchange server, the cyber actors used Windows Management Instrumentation (WMI) to install other software onto machines inside the network, Brandt said. There are clues suggesting that REvil ransomware operatives may be behind the Epsilon Red ransomware. The message left by the threat actors on infected machines resembles the ransom note of the REvil ransomware gang, but with some minor grammatical corrections that make it more comprehensible to native English speakers. The tools used in Epsilon Red attacks appeared to be unique to the threat actors, and the researchers observed no other similarities to the REvil attack vector.

According to Brandt, the best way to prevent ransomware such as Epsilon Red or REvil from infecting networks is to ensure that servers are fully patched and that the security solutions installed on systems are able to block suspicious activity.