
Epsilon Red Ransomware

A new attack campaign is leveraging vulnerabilities in Microsoft Exchange servers to deploy a ransomware threat named Epsilon Red. The Epsilon Red Ransomware was discovered by researchers while investigating an attack against a U.S. hospitality company. It is believed that the hackers rely on the ProxyLogon set of vulnerabilities to reach machines on the network. This set of exploits was considered so severe that, by one estimate, nearly 92% of the vulnerable on-premises Microsoft Exchange servers had received the security update addressing the issue within less than a month. However, as the Epsilon Red Ransomware campaign shows, hackers are still finding unsecured targets to exploit.

Attack Characteristics

Before Epsilon Red is delivered to the breached system and the encryption routine is engaged, the threat actors deliver a substantial number of scripts, each performing a different task. Among these tasks are deleting the Shadow Volume Copies; killing various processes and services associated with security products, databases, backup programs, etc.; deleting Windows Event Logs; disabling Windows Defender; outright uninstalling certain security tools; stealing the SAM (Security Account Manager) file, which contains password hashes; and more. One of the dropped scripts appears to be a copy of a penetration testing tool named Copy-VSS.

The hackers also deploy a copy of a commercial remote access program named Remote Utilities, as well as the Tor browser on the compromised systems. The hackers more than likely plan to use these as a backup access point.
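The preparation steps listed above (shadow copy deletion, event log clearing, Defender tampering, SAM hive theft, scripts staged under the %windir%\system32\red\ mask, and the Remote Utilities backup access) are individually noisy but collectively distinctive. The following is an added detection example, not code from the original page or from any vendor: it runs simple command-line rules over constructed process-creation records and then correlates per host, so that one machine showing several distinct preparation steps is what gets escalated. The record format, the sample lines, and the Remote Utilities agent executable and switch names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation records for this example (not real telemetry).
# Format: timestamp|host|parent image|image|command line
# The Remote Utilities agent executable and install switch are assumptions.
SAMPLE_LOG = r"""
2021-05-20T03:12:01|EXCH01|w3wp.exe|cmd.exe|cmd.exe /c powershell -ep bypass -f C:\Windows\system32\red\a1b2c3.ps1
2021-05-20T03:12:04|EXCH01|powershell.exe|vssadmin.exe|vssadmin delete shadows /all /quiet
2021-05-20T03:12:06|EXCH01|powershell.exe|wevtutil.exe|wevtutil cl Security
2021-05-20T03:12:09|EXCH01|powershell.exe|powershell.exe|powershell Set-MpPreference -DisableRealtimeMonitoring $true
2021-05-20T03:12:12|EXCH01|powershell.exe|reg.exe|reg save HKLM\SAM C:\Windows\Temp\sam.hiv
2021-05-20T03:12:15|EXCH01|powershell.exe|powershell.exe|powershell -c Import-Module .\Copy-VSS.ps1; Copy-VSS
2021-05-20T03:13:00|EXCH01|msiexec.exe|rutserv.exe|rutserv.exe /silentinstall
2021-05-20T03:15:00|WS042|explorer.exe|notepad.exe|notepad.exe C:\Users\a\notes.txt
2021-05-20T03:16:00|WS042|cmd.exe|wevtutil.exe|wevtutil qe Application /c:5
"""

# Each rule names one pre-encryption behaviour described on the page and
# matches it on the command line. Patterns are illustrative, not exhaustive.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("copy_vss_tool", re.compile(r"\bCopy-VSS\b", re.I)),
    ("event_log_clearing", re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
    ("defender_tampering", re.compile(r"Set-MpPreference\s+-Disable", re.I)),
    ("sam_hive_dump", re.compile(r"reg(\.exe)?\s+save\s+HKLM\\SAM\b", re.I)),
    # The page gives %windir%\system32\red\[RANDOM CHARACTERS].ps1 as the dropped-script mask.
    ("staged_script_dir", re.compile(r"\\system32\\red\\[^\\\s]+\.ps1", re.I)),
    ("remote_utilities_install", re.compile(r"\brutserv(\.exe)?\b.*install", re.I)),
]


def parse_record(line):
    """Split one pipe-delimited record into its fields (command line may contain no pipes)."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


def scan_process_log(text):
    """Return (line number, host, rule name) for every record that trips a rule."""
    findings = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        rec = parse_record(line)
        for name, pattern in RULES:
            if pattern.search(rec["cmdline"]):
                findings.append((lineno, rec["host"], name))
    return findings


def hosts_with_pre_encryption_pattern(findings, min_distinct_rules=3):
    """Correlate per host: several distinct preparation steps on one machine is the
    signal worth escalating; a lone vssadmin call may just be an administrator."""
    per_host = defaultdict(set)
    for _, host, name in findings:
        per_host[host].add(name)
    return {h: sorted(n) for h, n in per_host.items() if len(n) >= min_distinct_rules}


if __name__ == "__main__":
    hits = scan_process_log(SAMPLE_LOG)
    for lineno, host, rule in hits:
        print(f"line {lineno:2d} {host:7s} {rule}")
    print("hosts showing the pre-encryption pattern:", hosts_with_pre_encryption_pattern(hits))
```

In the constructed log, EXCH01 trips all seven rules within a minute of a script launched from the `red` directory, while WS042 only ever queries an event log and never trips one, which is the difference the per-host threshold is meant to surface.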

The Epsilon Red Ransomware Encrypts Indiscriminately

The Epsilon Red Ransomware is written in the Golang (Go) language and appears to lack the polish usually found in the work of professional malware coders. Furthermore, Epsilon Red will encrypt any files it finds, even essential executables and DLLs, which can cause system crashes if tampered with. Every encrypted file will have '.epsilonred' attached to its original name as a new extension. The threat will then deliver its ransom note, creating a copy of the instructions in each folder containing locked data.
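Because the extension is simply appended, an incident responder can inventory the damage from the file names alone: which folders were hit (each of which the page says should also hold a ransom note), what kinds of files were affected, and whether any executables or DLLs were among them, which is the case the paragraph warns can leave a machine unstable. The following is an added triage example, not code from the original page; it builds a constructed directory layout in a temporary directory and walks it. Stripping the extension recovers only the original name, never the contents.

```python
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".epsilonred"
# The page warns that Epsilon Red also encrypts essential executables and DLLs.
SYSTEM_CRITICAL_EXTS = {".exe", ".dll"}


def original_name(encrypted_path):
    """Strip the appended '.epsilonred' to recover the pre-encryption file name.
    This recovers only the name; the file contents remain encrypted."""
    name = Path(encrypted_path).name
    return name[:-len(ENCRYPTED_EXT)] if name.lower().endswith(ENCRYPTED_EXT) else name


def triage_tree(root):
    """Walk a directory tree and summarise the files carrying the .epsilonred extension."""
    root = Path(root)
    by_folder = Counter()
    original_exts = Counter()
    critical = []
    total = 0
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() != ENCRYPTED_EXT:
            continue
        total += 1
        rel = path.relative_to(root)
        by_folder[rel.parent.as_posix()] += 1      # folders expected to carry a ransom note
        orig = original_name(path)
        orig_ext = Path(orig).suffix.lower()
        original_exts[orig_ext] += 1
        if orig_ext in SYSTEM_CRITICAL_EXTS:       # binaries whose loss can crash the system
            critical.append((rel.parent / orig).as_posix())
    return {
        "encrypted_total": total,
        "by_folder": dict(by_folder),
        "original_extensions": dict(original_exts),
        "critical": sorted(critical),
    }


# Constructed sample layout (no real victim data): some encrypted files, some untouched.
SAMPLE_FILES = [
    "docs/report.docx.epsilonred",
    "docs/budget.xlsx.epsilonred",
    "docs/readme.txt",
    "app/service.exe.epsilonred",
    "app/helper.dll.epsilonred",
    "app/config.ini.epsilonred",
    "photos/cat.jpg",
]


def build_sample_tree(root):
    """Create the constructed layout with placeholder contents."""
    for rel in SAMPLE_FILES:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder")


def demo():
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_tree(tmp)


if __name__ == "__main__":
    print(demo())
```

On a real host the same walk would be pointed at each data volume; the `critical` list is the set of binaries to restore from known-good media before anything else, since the page notes that encrypting them can take the system down.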

It should be noted that Epsilon Red uses a variation of the ransom note dropped by the REvil Ransomware threat. The main difference is that the hackers behind Epsilon Red have taken the time to clean up some of the grammar and spelling mistakes found in the original note.

Despite being active for a relatively short amount of time, the Epsilon Red hackers have already launched attack campaigns against several different targets and may have already collected a ransom of 4.28 BTC (Bitcoin), which was around $210,000 at the time.

Registry Details

Epsilon Red Ransomware may create the following registry entry or registry entries:
Regexp file mask: %windir%\system32\red\[RANDOM CHARACTERS].ps1
