A new ransomware strain has been discovered that uses vulnerabilities in Microsoft Exchange servers to encrypt computers on enterprise networks.
The new ransomware threat, which calls itself Epsilon Red, was spotted by researchers at Sophos while investigating a hands-on attack against a US-based business in the hospitality industry.
The attackers compromised the company’s network by exploiting unpatched vulnerabilities in an on-premises Microsoft Exchange server, although the researchers could not determine whether the attackers used the ProxyLogon exploit or another vulnerability.
After gaining access to the server, the attackers used Windows Management Instrumentation (WMI) to install additional software on machines inside the network that were reachable from the compromised Exchange server.
Epsilon Red is written in Golang and uses a set of unique PowerShell scripts that prepare the ground for the file-encryption routine. Each PowerShell script has its own purpose: killing the processes and services of security tools, databases and backup programs; disabling Windows Defender; and uninstalling security tools such as Sophos, Trend Micro, Cylance, Malwarebytes, SentinelOne, Vipre and Webroot.
“The ransomware itself is quite small as it only really is used to perform the encryption of the files on the targeted system. It makes no network connections, and because functions like killing processes or deleting the Volume Shadow Copies have been outsourced to the PowerShell scripts, it’s really quite a simple program,” Sophos said.
While most of the PowerShell scripts are simply numbered 1 through 12, a few are named with a single letter. One of these, c.ps1, appears to be a clone of the penetration-testing tool Copy-VSS.
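As an added example (not code from the article or from Sophos), the following Python sketch shows how a defender might correlate the precursor behaviours described above rather than alerting on any one of them: it scans constructed process-creation log lines in an invented `<time> host=<name> cmd=<command line>` schema for Defender being disabled, security or backup services being stopped or uninstalled, shadow copies being deleted and WMI remote execution, and flags a host only when several distinct behaviours occur within a short window. The hostnames, commands and timestamps are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviours the article attributes to the Epsilon Red PowerShell stage, as regexes over a command line (labels are descriptive only).
INDICATORS = [
    ("defender_disabled", r"Set-MpPreference\s+.*-Disable\w+"),
    ("shadow_copies_deleted", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("security_or_backup_service_stopped",
     r"(Stop-Service|sc(\.exe)?\s+stop|net\s+stop)\s+.*(sophos|trend|cylance|malwarebytes|sentinel|vipre|webroot|backup|sql)"),
    ("security_tool_uninstalled", r"Uninstall-Package|msiexec(\.exe)?\s+/x|wmic\s+product.*uninstall"),
    ("wmi_remote_exec", r"(wmic|Invoke-WmiMethod|Invoke-CimMethod).*(process\s+call\s+create|-Name\s+Create)"),
]
# Constructed log schema (not a real product format): "<ISO time> host=<name> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+cmd=(?P<cmd>.*)$")

def flag_hosts(log_text, window=timedelta(minutes=30), threshold=3):
    """Return {host: sorted indicator names} for hosts showing at least `threshold` distinct
    indicators inside one `window`; a lone hit (an admin stopping one service) is not enough."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not fit the constructed schema
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for name, pattern in INDICATORS:
            if re.search(pattern, m["cmd"], re.I):
                events[m["host"]].append((ts, name))
    flagged = {}
    for host, evs in events.items():
        evs.sort()
        best = set()
        for i, (start, _) in enumerate(evs):  # slide a window anchored at each event
            seen = {n for t, n in evs[i:] if t - start <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= threshold:
            flagged[host] = sorted(best)
    return flagged
# Constructed sample telemetry: WKS-07 shows the full pre-encryption sequence within minutes; WKS-02 shows two isolated hits hours apart.
SAMPLE_LOG = r"""
2021-05-15T09:58:10Z host=EXCH-01 cmd=wmic /node:WKS-07 process call create "powershell -File 1.ps1"
2021-05-15T10:01:05Z host=WKS-07 cmd=powershell Set-MpPreference -DisableRealtimeMonitoring $true
2021-05-15T10:01:40Z host=WKS-07 cmd=powershell Stop-Service -Name SophosAgent -Force
2021-05-15T10:02:12Z host=WKS-07 cmd=vssadmin.exe delete shadows /all /quiet
2021-05-15T10:03:00Z host=WKS-07 cmd=powershell Get-ChildItem C:\Users
2021-05-15T14:30:00Z host=WKS-02 cmd=vssadmin delete shadows /for=C: /oldest
2021-05-16T08:00:00Z host=WKS-02 cmd=powershell Stop-Service -Name SQLSERVERAGENT
"""
```

Running `flag_hosts(SAMPLE_LOG)` flags only WKS-07; WKS-02's two hits fall outside the 30-minute window and EXCH-01's single WMI event stays below the threshold, though a wider window or lower threshold would surface both.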
“Upon closer inspection, one of the first things the attackers did after gaining access to the target’s network was to download and install a copy of Remote Utilities and the Tor Browser, so this seems like a way to reassure themselves they will have an alternate foothold if the initial access point gets locked down,” the researchers said.
Sophos noted that the ransom note used by Epsilon Red resembles the one left behind by REvil ransomware, with a few minor grammatical corrections; however, the researchers found no other similarities between Epsilon Red and REvil.
Despite being newcomers, the operators behind Epsilon Red have already attacked several companies. Based on the cryptocurrency address provided by the attackers, at least one victim appears to have paid a ransom of 4.29 BTC (~$210,000) on May 15th.