Researchers at Sophos report finding a new ransomware strain in the wild. They call it “Epsilon Red.” The malware is written in Go, and it was delivered as the final executable payload in a hand-controlled attack against a target in the US hospitality sector.
“It appears that an enterprise Microsoft Exchange server was the initial point of entry by the attackers into the enterprise network,” Sophos said. “It isn’t clear whether this was enabled by the ProxyLogon exploit or another vulnerability, but it seems likely that the root cause was an unpatched server. From that machine, the attackers used WMI to install other software onto machines inside the network that they could reach from the Exchange server.”
Why Epsilon Red? Sophos shares the etymology, which may be news for anyone not fully au courant with the Marvel universe. In this case the name comes from the threat actors themselves.
“The name Epsilon Red, like many coined by ransomware threat actors, is a reference to pop culture. The character Epsilon Red was a relatively obscure adversary of some of the X-Men in the Marvel extended universe, a ‘super soldier’ alleged to be of Russian origin, sporting four mechanical tentacles and a bad attitude.”
While the campaign uses complex layers of deception, the ransomware proper is, Sophos says, “barebones.” It’s a 64-bit Windows executable, and all it does is encrypt the files on the target system. Other functions, like communication, deleting shadow copies, killing processes, and so forth, have been, according to the researchers, “outsourced” to the PowerShell scripts the attackers run before it. The whole Epsilon Red package performs these actions against its targets:
- It kills processes and services for security tools, databases, backup programs, Office apps, and email clients.
- It deletes Volume Shadow Copies.
- It steals password hashes contained in the Security Account Manager file.
- It deletes Windows Event Logs.
- It disables Windows Defender.
- It suspends selected processes.
- It uninstalls security tools (including tools from Sophos, Trend Micro, Cylance, MalwareBytes, Sentinel One, Vipre, and Webroot).
- Finally, it expands permissions on the system.
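Most of the preparatory steps in that list leave a footprint in process-creation telemetry well before any file is encrypted, which is where a defender can still act. The script below is an added detection example, not code from Sophos or from the original post: it runs a handful of behaviour rules over process-creation events and raises an alert when several distinct precursor behaviours appear on one host. The log format and the sample lines are constructed for the example, and the command-line patterns are generic Windows techniques for each behaviour (vssadmin, wevtutil, reg save of the SAM hive, Set-MpPreference, net stop, icacls), not indicators Sophos published for Epsilon Red.

```python
"""Flag hosts showing the ransomware-staging behaviours listed above.

Added example (not from the Sophos report). Rules are generic precursor
patterns, not Epsilon Red IOCs; tune them to your environment.
"""
import re

# (behaviour label, regex applied to the lower-cased command line)
PRECURSOR_RULES = [
    ("delete_shadow_copies",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|"
                r"wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy")),
    ("clear_event_logs",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog")),
    ("dump_sam_hashes",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)")),
    ("disable_defender",
     re.compile(r"set-mppreference\s+.*-disable(realtimemonitoring|ioavprotection)|"
                r"windows defender.*disableantispyware")),
    ("kill_backup_or_security",
     re.compile(r"(taskkill|net\s+stop|stop-service)\s+.*"
                r"(veeam|sql|backup|exchange|msmpsvc|sentinel|sophos)")),
    ("expand_permissions",
     re.compile(r"(icacls|cacls)(\.exe)?\s+.*everyone:\(?f\)?|takeown(\.exe)?\s+/")),
]

# Constructed sample events in a simplified "host|user|parent|command line" format.
SAMPLE_LOG = """\
HOST01|CORP\\svc_backup|services.exe|"C:\\Program Files\\Veeam\\Backup\\VeeamAgent.exe" -run
HOST01|CORP\\admin|wmiprvse.exe|powershell.exe -ep bypass -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"
HOST01|CORP\\admin|cmd.exe|net stop "SQLWriter" /y
HOST01|CORP\\admin|powershell.exe|vssadmin.exe delete shadows /all /quiet
HOST01|CORP\\admin|powershell.exe|wevtutil.exe cl Security
HOST01|CORP\\admin|powershell.exe|reg.exe save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv
HOST01|CORP\\admin|powershell.exe|icacls.exe C:\\ /grant Everyone:(F) /T /C /Q
HOST02|CORP\\jdoe|explorer.exe|"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
"""


def parse_line(line):
    """Split one constructed log line into its four fields."""
    host, user, parent, cmd = line.split("|", 3)
    return {"host": host, "user": user, "parent": parent, "cmd": cmd}


def classify(cmd):
    """Return the labels of every precursor rule the command line matches."""
    lowered = cmd.lower()
    return [label for label, rx in PRECURSOR_RULES if rx.search(lowered)]


def score_log(text, threshold=3):
    """Group hits per host. One hit can be legitimate admin work; several
    distinct precursor behaviours on one host is the staging pattern, so the
    alert fires only when at least `threshold` distinct labels are seen."""
    per_host = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        for label in classify(ev["cmd"]):
            per_host.setdefault(ev["host"], []).append((label, ev["cmd"]))
    result = {}
    for host, hits in per_host.items():
        distinct = len({label for label, _ in hits})
        result[host] = {"hits": hits, "distinct": distinct,
                        "alert": distinct >= threshold}
    return result


if __name__ == "__main__":
    for host, info in score_log(SAMPLE_LOG).items():
        flag = "ALERT" if info["alert"] else "info"
        print(f"[{flag}] {host}: {info['distinct']} distinct precursor behaviours")
        for label, cmd in info["hits"]:
            print(f"    {label:<24} {cmd}")
```

The threshold is the important design choice: each of these commands occurs in legitimate administration, but an account that disables Defender, stops backup services, wipes shadow copies, clears the Security log and dumps the SAM hive within one window is staging an encryption run, and the combination is what the rule keys on. In production you would key on a time window as well as a host, and feed the rules from EDR or Sysmon Event ID 1 rather than a flat file.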
Vulnerable Microsoft Exchange Server instances have been Epsilon Red's point of entry into victim networks. Patching and other cyber hygiene essentials are matters for human operators, and the more aware and alert they are to the consequences of lapses, the better for their organization’s security. New-school security awareness training is never a bad idea.
Sophos has the story.