[BreachExchange] New Epsilon Red Ransomware Attack Unpatched Microsoft Exchange Servers

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Jun 3 16:39:42 EDT 2021


https://gbhackers.com/psilon-red-targeting-unpatched-microsoft-exchange-servers/

Epsilon Red is a new ransomware built around a set of distinctive PowerShell
scripts that prepare machines for encryption. Security analysts at Sophos
detected it while investigating an attack on an unnamed U.S. company in the
hospitality sector.

According to the researchers, the threat actors behind this new ransomware,
named Epsilon Red, are exploiting vulnerabilities in Microsoft Exchange
servers.

The analysts also affirmed that the main motive of the Epsilon Red threat
actors was to compromise computer systems and then encrypt as much data as
possible.

The analysts are still working out the key details of this ransomware; at
present they do not know whether the attackers exploited the ProxyLogon
vulnerabilities to gain access to the devices.

Targeting the vulnerable Microsoft Exchange server

The attackers entered the corporate network by exploiting vulnerabilities in
the on-premises Microsoft Exchange server. Epsilon Red is written in Go
(Golang) and comes with a set of PowerShell scripts that prepare the device
for file encryption.

The chief researcher of Sophos stated in a report that the threat actors
might have leveraged the ProxyLogon set of vulnerabilities to reach machines
on the network, but the team has not confirmed this and is still trying to
establish the key details.

The ProxyLogon bugs have become quite popular among attackers and are being
widely exploited by several threat actors, since unpatched servers can be
found by scanning the web for vulnerable devices and then compromised with
little effort.

Bare-bones ransomware

Bare-bones ransomware of this kind is quite common; Epsilon Red's is a 64-bit
Windows executable written in Go.

The executable is named RED.exe (a 64-bit Windows executable), and the
researchers observed that it was built with the MinGW toolchain.

The sample is also notable because the MinGW-built executable was packed
with a modified version of the UPX runtime packer.

A unique set of tools

The Epsilon Red ransomware comes with a set of unique tools, each with its
own purpose, listed below:


   - kill processes and services for security tools, databases, backup
   programs, Office apps, email clients
   - delete Volume Shadow Copies
   - steal the Security Account Manager (SAM) file containing password
   hashes
   - delete Windows Event Logs
   - disable Windows Defender
   - suspend processes
   - uninstall security tools (Sophos, Trend Micro, Cylance, Malwarebytes,
   SentinelOne, Vipre, Webroot)
   - expand permissions on the system
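
Several items in that list (shadow-copy deletion, event-log clearing, Defender tampering, removal of security tools) are behaviours a defender can look for in process command-line telemetry before encryption starts. The following is an added example, not code from the article or from Sophos: it matches constructed log records against those behaviours, flags hosts where several of them occur together, and picks out files already carrying the ".epsilonred" suffix. The log format, the sample records and the exact command forms in the patterns are assumptions.

```python
"""Added example (not from the write-up or Sophos): match constructed
command-line log records against the behaviours listed for Epsilon Red."""
import re

# Behaviour -> pattern over the process command line. The command forms are
# assumptions (common ways to achieve each behaviour); the write-up names
# only the behaviours themselves.
BEHAVIOUR_PATTERNS = {
    "delete_shadow_copies": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "clear_event_logs": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog", re.I),
    "disable_defender": re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    "uninstall_security_tool": re.compile(
        r"uninstall.*(Sophos|Trend ?Micro|Cylance|Malwarebytes|Sentinel ?One|Vipre|Webroot)", re.I),
}
RANSOM_EXT = ".epsilonred"  # suffix the write-up reports on encrypted files

# Constructed sample log, one "host|user|command line" record per line.
SAMPLE_LOG = """\
WS01|alice|powershell.exe -Command Get-ChildItem C:\\Users\\alice
WS01|SYSTEM|vssadmin.exe delete shadows /all /quiet
WS01|SYSTEM|wevtutil.exe cl Security
WS01|SYSTEM|powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
FS02|bob|explorer.exe
FS02|SYSTEM|wevtutil.exe cl System
"""

def classify_command(cmdline):
    """Names of the listed behaviours that one command line matches."""
    return [name for name, pat in BEHAVIOUR_PATTERNS.items() if pat.search(cmdline)]

def scan_log(text):
    """Map each host to the set of distinct behaviours seen on it."""
    hits = {}
    for line in text.splitlines():
        if line.count("|") < 2:
            continue  # malformed record: skip it rather than abort the sweep
        host, _user, cmd = line.split("|", 2)
        for name in classify_command(cmd):
            hits.setdefault(host, set()).add(name)
    return hits

def hosts_to_triage(hits, min_behaviours=2):
    """Hosts with at least min_behaviours distinct behaviours: one hit (an
    admin clearing a log) is noise, several together on one host are not."""
    return sorted(h for h, b in hits.items() if len(b) >= min_behaviours)

def encrypted_files(paths):
    """Paths already renamed with the Epsilon Red suffix."""
    return [p for p in paths if p.lower().endswith(RANSOM_EXT)]
```

Running scan_log over SAMPLE_LOG puts WS01 on the triage list (three distinct behaviours) while FS02, with a single log-clearing record, stays below the threshold.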


Ransom note modelled on REvil

The Epsilon Red ransomware does not appear to be the work of professionals,
but it can still cause a huge mess, as it encrypts files and folders of every
type without restriction.

The ransomware encrypts everything in the targeted folders and appends the
suffix (extension) “.epsilonred” to the encrypted files.

The analysts' investigation also found that the instructions left in this
ransomware attack look familiar: the threat actors used a spruced-up version
of the ransom note used by the REvil ransomware.

During their investigation, the researchers discovered that on May 15 one
victim of this ransomware had already paid 4.28 BTC, about $210,000, to the
attackers behind it.

The most notable trait of this ransomware is that it does not spare
executables or DLLs, which can easily break important programs and even the
operating system itself.