Operators of a new ransomware called Red Epsilon are exploiting vulnerabilities in Microsoft Exchange servers to compromise computer systems and encrypt data.
Specialists from the information security company Sophos discovered a new malware while investigating an attack on an unnamed large American hospitality company. Attackers entered the corporate network using vulnerabilities in the local Microsoft Exchange server. Experts currently do not know if hackers exploited ProxyLogon vulnerabilities to access devices.
Epsilon Red is written in the Golang (Go) language and contains a set of unique PowerShell scripts that prepare the device for file encryption. Scripts are capable of disabling processes and services of security solutions, databases, backup programs, Office applications and email clients, deleting Volume Shadow Copies, stealing the Security Account Manager (SAM) file with password hashes, deleting Windows event logs, disabling Windows Defender, elevating privileges on the system, etc.
Most of the scripts are numbered from 1 to 12, but there are several that are named with the same letter. One of them, c.ps1, appears to be a clone of the Copy-VSS penetration testing tool.
Once a network has been compromised, hackers gain access to computers via the Remote Desktop Protocol (RDP) and use Windows Management Instrumentation (WMI) to install software and run PowerShell scripts. Sophos researchers noticed that attackers were also installing the Tor browser and a copy of the commercial remote desktop software Remote Utilities.
The ransomware encrypts all data in the target folders by adding the .epsilonred extension, sparing executable files or DLLs that can disrupt the operation of important programs or even the operating system.
Although the name and tools are unique to a given attacker, the ransom note on infected computers is similar to the note left by the REvil group. However, the Epsilon Red note includes a few minor grammatical corrections. No other similarities were found between Epsilon Red and REvil ransomware.
Based on the results of the analysis of the address of the attackers’ cryptocurrency wallet, it became known that at least one of the victims paid a ransom in the amount of 4.29 bitcoins (approximately $ 210,000) on May 15 of this year.
Catch up on more articles here
Follow us on Twitter here