Epsilon Red is a set of distinctive PowerShell scripts, that were being developed for making encryption. During an investigation of an unnamed attack that happened on a U.S. company in the hospitality sector, the security analysts of Sophos have detected a new malware.
According, to the security experts, the threat actors of this new ransomware named Epsilon Red, and are continuously exploiting the vulnerabilities in Microsoft Exchange servers.
However, the analysts also affirmed that the main motive of the threat actors of Epsilon Red was to compromise computer systems and then encrypt all the possible data.
Apart from all these the analysts are trying their best to know all the key details of this ransomware, as currently, they don’t know that if hackers have exploited ProxyLogon vulnerabilities or not to access the devices.
Targeting the vulnerable Microsoft Exchange server
The hackers have entered the corporate network by using the vulnerabilities that are present in the local Microsoft Exchange server. Epsilon Red is written in the Golang (Go) language, that contains a set of PowerShell script that makes the device for file encryption.
The chief researcher of Sophos has pronounced in a report that, the threat actors might have leveraged the ProxyLogon set of vulnerabilities to reach machines on the network, but they are not confirmed about it and are trying to find the key details accordingly.
The ProxyLogon bugs have become quite popular among the hackers and it is being attacked widely by several threat actors, as this bug helps the hackers to scan the web for vulnerable devices and then they can easily compromise the system.
Bare-bone ransomware is quite popular, and it is known for its 64-bit Windows executable programmed that is available in the Go language.
Moreover, this ransomware is also known as RED.exe. (a 64-bit Windows executable) and the researchers have closely observed that this ransomware uses a tool named MinGW in its operation.
Apart from this, the Bare-bones ransomware is critical in nature, because they use the tool MinGW that is stuffed with all advanced versions of the runtime packer UPX.
A unique set of tools
The Epsilon red ransomware is packed with a set of unique tools that have a different purpose, and here we have mentioned them below:-
- kill processes and services for security tools, databases, backup programs, Office apps, email clients
- delete Volume Shadow Copies
- steal the Security Account Manager (SAM) file containing password hashes
- delete Windows Event Logs
- disable Windows Defender
- suspend processes
- uninstall security tools (Sophos, Trend Micro, Cylance, MalwareBytes, Sentinel One, Vipre, Webroot)
- expand permissions on the system
Note model of REvil ransom
However, the Epsilon Red ransomware does not resemble to be the work of professionals, but ill, stit might cause a huge mess as it appears with no restrictions for encrypting different types of files and folders.
This ransomware smoothly encrypts everything from the targeted folders that are attached to the suffix or extension “.epsilonred”.
The investigation of the security analysts also asserts that the instructions that were used in this ransomware attack seem familiar, as the threat actors have used the same spruced-up version of the ransom note that was used in the REvil ransomware.
While during their investigation the security researchers have discovered that on May 15 one of the victims of this ransomware has already paid a hefty amount of 4.28 BTC which is about $210,000 to the hackers behind this ransomware.
Apart from this, the most interesting fact of this ransomware is that it does not spare executables or DLLs that could easily break into important programs and also in the operating system.