New Epsilon Red Ransomware appears in the threat landscape

Researchers spotted a new piece of ransomware named Epsilon Red that was employed at least in an attack against a US company.

Researchers from Sophos spotted a new piece of ransomware, named Epsilon Red, that infected at least one organization in the hospitality sector in the United States. The name Epsilon Red comes from an adversary of some of the X-Men in the Marvel extended universe, it is a “super soldier” alleged to be of Russian origin, sporting four mechanical tentacles and a bad attitude. 

The security firm discovered that the address of the wallet provided by Epsilon Red operators to the US company was containing roughly $210,000 worth of Bitcoin, a circumstance that suggests that at least one victim paid the ransom.

The Epsilon Red ransomware was written in the Go programming language, it is human-operated ransomware, it is a multi-stage threat that involves PowerShell scripts.  

“During the attack, the threat actors launched a series of PowerShell scripts, numbered 1.ps1 through 12.ps1 (as well as some that just were named with a single letter from the alphabet), that prepared the attacked machines for the final ransomware payload and, ultimately delivered and initiated it.” reads the analysis published by Sophos.

Sophos researchers believe that an enterprise unpatched Microsoft Exchange server was the initial entry point, but it is still unclear if the attackers exploited the ProxyLogon exploit or another flaw. Then the attackers used WMI to install other software onto machines hosted in the targeted network. 

“The PowerShell orchestration was, itself, created and triggered by a PowerShell script named RED.ps1 that was executed on the target machines using WMI.” continues the analysis. “The script retrieves and unpacks into the system32 folder a .7z archive file that contains the rest of the PowerShell scripts, the ransomware executable, and another executable.”

Experts noticed that the ransom note dropped by Epsilon Red is similar to the used REvil ransomware operators, but with fewer grammatical errors

Experts noticed that the ransomware doesn’t contain a list of targeted file types, it encrypts every file in a folder and can potentially render the application and even the entire operating system becoming inoperable.

The ransomware itself is quite small as it only really is used to perform the encryption of the files on the targeted system. It makes no network connections, and because functions like killing processes or deleting the Volume Shadow Copies have been outsourced to the PowerShell scripts, it’s really quite a simple program.  

Once encrypted a file, the ransomware appends the “.epsilonred” extension to the filenames, and drops a ransom note in each folder.  

The ransomware leverages PowerShell scripts to modify firewall rules to allow the attackers’ remote connections, disable or kill processes that could lock file preventing encryption, delete the Volume Shadow Copy to prevent recovery of the files, uninstall security software, and delete Windows event logs, grant the “Everyone” group access permissions to every drive letter.

“Upon closer inspection, one of the first things the attackers did after gaining access to the target’s network was to download and install a copy of Remote Utilities and the Tor Browser, so this seems like a way to reassure themselves they will have an alternate foothold if the initial access point gets locked down.” continues the analysis.

The attackers used the Remote Utilities commercial solution to maintain access to compromised systems in case their initial entry point gets closed.

Researchers have not found any link between the Epsilon Red operators and other threat actors.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Epsilon Red ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]