Thursday, March 28, 2024

New Epsilon Red Ransomware Attack Unpatched Microsoft Exchange Servers

Epsilon Red is a set of distinctive PowerShell scripts, that were being developed for making encryption. During an investigation of an unnamed attack that happened on a U.S. company in the hospitality sector, the security analysts of Sophos have detected a new malware.

According, to the security experts, the threat actors of this new ransomware named Epsilon Red, and are continuously exploiting the vulnerabilities in Microsoft Exchange servers. 

However, the analysts also affirmed that the main motive of the threat actors of Epsilon Red was to compromise computer systems and then encrypt all the possible data.

Apart from all these the analysts are trying their best to know all the key details of this ransomware, as currently, they don’t know that if hackers have exploited ProxyLogon vulnerabilities or not to access the devices.

Targeting the vulnerable Microsoft Exchange server

The hackers have entered the corporate network by using the vulnerabilities that are present in the local Microsoft Exchange server. Epsilon Red is written in the Golang (Go) language, that contains a set of PowerShell script that makes the device for file encryption.

The chief researcher of Sophos has pronounced in a report that, the threat actors might have leveraged the ProxyLogon set of vulnerabilities to reach machines on the network, but they are not confirmed about it and are trying to find the key details accordingly.

The ProxyLogon bugs have become quite popular among the hackers and it is being attacked widely by several threat actors, as this bug helps the hackers to scan the web for vulnerable devices and then they can easily compromise the system.  

Bare-bones ransomware

Bare-bone ransomware is quite popular, and it is known for its 64-bit Windows executable programmed that is available in the Go language. 

Moreover, this ransomware is also known as RED.exe. (a 64-bit Windows executable) and the researchers have closely observed that this ransomware uses a tool named MinGW in its operation.

Apart from this, the Bare-bones ransomware is critical in nature, because they use the tool MinGW that is stuffed with all advanced versions of the runtime packer UPX.

A unique set of tools

The Epsilon red ransomware is packed with a set of unique tools that have a different purpose, and here we have mentioned them below:-

  • kill processes and services for security tools, databases, backup programs, Office apps, email clients
  • delete Volume Shadow Copies
  • steal the Security Account Manager (SAM) file containing password hashes
  • delete Windows Event Logs
  • disable Windows Defender
  • suspend processes
  • uninstall security tools (Sophos, Trend Micro, Cylance, MalwareBytes, Sentinel One, Vipre, Webroot)
  • expand permissions on the system

Note model of REvil ransom

However, the Epsilon Red ransomware does not resemble to be the work of professionals, but ill, stit might cause a huge mess as it appears with no restrictions for encrypting different types of files and folders.

This ransomware smoothly encrypts everything from the targeted folders that are attached to the suffix or extension “.epsilonred”.

The investigation of the security analysts also asserts that the instructions that were used in this ransomware attack seem familiar, as the threat actors have used the same spruced-up version of the ransom note that was used in the REvil ransomware.

While during their investigation the security researchers have discovered that on May 15 one of the victims of this ransomware has already paid a hefty amount of 4.28 BTC which is about $210,000 to the hackers behind this ransomware.

Apart from this, the most interesting fact of this ransomware is that it does not spare executables or DLLs that could easily break into important programs and also in the operating system.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles