Monday, July 15, 2024
EHA

New Epsilon Red Ransomware Attack Unpatched Microsoft Exchange Servers

Epsilon Red is a set of distinctive PowerShell scripts, that were being developed for making encryption. During an investigation of an unnamed attack that happened on a U.S. company in the hospitality sector, the security analysts of Sophos have detected a new malware.

According, to the security experts, the threat actors of this new ransomware named Epsilon Red, and are continuously exploiting the vulnerabilities in Microsoft Exchange servers

However, the analysts also affirmed that the main motive of the threat actors of Epsilon Red was to compromise computer systems and then encrypt all the possible data.

Apart from all these the analysts are trying their best to know all the key details of this ransomware, as currently, they don’t know that if hackers have exploited ProxyLogon vulnerabilities or not to access the devices.

Targeting the vulnerable Microsoft Exchange server

The hackers have entered the corporate network by using the vulnerabilities that are present in the local Microsoft Exchange server. Epsilon Red is written in the Golang (Go) language, that contains a set of PowerShell script that makes the device for file encryption.

The chief researcher of Sophos has pronounced in a report that, the threat actors might have leveraged the ProxyLogon set of vulnerabilities to reach machines on the network, but they are not confirmed about it and are trying to find the key details accordingly.

The ProxyLogon bugs have become quite popular among the hackers and it is being attacked widely by several threat actors, as this bug helps the hackers to scan the web for vulnerable devices and then they can easily compromise the system.  

Bare-bones ransomware

Bare-bone ransomware is quite popular, and it is known for its 64-bit Windows executable programmed that is available in the Go language. 

Moreover, this ransomware is also known as RED.exe. (a 64-bit Windows executable) and the researchers have closely observed that this ransomware uses a tool named MinGW in its operation.

Apart from this, the Bare-bones ransomware is critical in nature, because they use the tool MinGW that is stuffed with all advanced versions of the runtime packer UPX.

A unique set of tools

The Epsilon red ransomware is packed with a set of unique tools that have a different purpose, and here we have mentioned them below:-

  • kill processes and services for security tools, databases, backup programs, Office apps, email clients
  • delete Volume Shadow Copies
  • steal the Security Account Manager (SAM) file containing password hashes
  • delete Windows Event Logs
  • disable Windows Defender
  • suspend processes
  • uninstall security tools (Sophos, Trend Micro, Cylance, MalwareBytes, Sentinel One, Vipre, Webroot)
  • expand permissions on the system

Note model of REvil ransom

However, the Epsilon Red ransomware does not resemble to be the work of professionals, but ill, stit might cause a huge mess as it appears with no restrictions for encrypting different types of files and folders.

This ransomware smoothly encrypts everything from the targeted folders that are attached to the suffix or extension “.epsilonred”.

The investigation of the security analysts also asserts that the instructions that were used in this ransomware attack seem familiar, as the threat actors have used the same spruced-up version of the ransom note that was used in the REvil ransomware.

While during their investigation the security researchers have discovered that on May 15 one of the victims of this ransomware has already paid a hefty amount of 4.28 BTC which is about $210,000 to the hackers behind this ransomware.

Apart from this, the most interesting fact of this ransomware is that it does not spare executables or DLLs that could easily break into important programs and also in the operating system.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles