A New Ransomware Named “Epsilon Red” Is Hunting for Unpatched Exchange Server Vulnerabilities.

Security researchers from Sophos have uncovered a new ransomware, written in the Go programming language, that calls itself “Epsilon Red”. The researchers confirmed that this executable was delivered as the final payload after a series of PowerShell scripts had run.

Additionally, the researchers stated: “It appears that an enterprise Microsoft Exchange server was the initial point of entry by the attackers into the enterprise network. It isn’t clear whether this was enabled by the ProxyLogon exploit or another vulnerability, but it seems likely that the root cause was an unpatched server. From that machine, the attackers used WMI to install other software onto machines inside the network that they could reach from the Exchange server.”

The snapshot below from the Sophos analysis shows the series of PowerShell scripts, numbered 1.ps1 through 12.ps1 along with other single-letter scripts, that were used to prepare the victim machines for the final ransomware payload.

Pic courtesy: SophosLabs

“In the sample we’ve seen, it doesn’t even contain a list of targeted file types or file extensions. In fact, it will encrypt everything inside the folders it decides to encrypt, including other executables and DLLs, which can render programs or the entire system nonfunctional, if the ransomware decides to encrypt the wrong folder path. After it encrypts each file, it appends a file suffix of “.epsilonred” to the files, and drops a ransom note in each folder”
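The quoted behaviour (no extension allow-list, every file in a chosen folder encrypted, a “.epsilonred” suffix appended, and a ransom note dropped per folder) lends itself to a simple incident-response triage. The script below is an added example written for this article and is not Sophos code or anything from the post: it walks a directory tree, counts encrypted files per folder, flags encrypted executables and DLLs (the case the report warns can render a system nonfunctional), and notes which folders received a ransom note. The ransom note file name and the list of binary extensions are assumptions, and the sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
import shutil
from collections import defaultdict

# From the Sophos description: encrypted files carry this appended suffix.
ENCRYPTED_SUFFIX = ".epsilonred"
# Assumption: the article does not give the note's file name, so a labelled
# placeholder is used here.
NOTE_NAME = "RANSOM_NOTE_PLACEHOLDER.txt"
# Assumption: extensions treated as "binaries" whose encryption breaks programs.
BINARY_EXTENSIONS = (".exe", ".dll", ".sys")


def scan_for_epsilonred(root):
    """Walk `root` and return {dir_path: {"encrypted": n, "binaries": n, "note": bool}}
    for every directory showing at least one indicator. Untouched dirs are omitted."""
    findings = defaultdict(lambda: {"encrypted": 0, "binaries": 0, "note": False})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(ENCRYPTED_SUFFIX):
                findings[dirpath]["encrypted"] += 1
                # The suffix is appended, so the original extension sits just before it.
                original = name[: -len(ENCRYPTED_SUFFIX)].lower()
                if original.endswith(BINARY_EXTENSIONS):
                    findings[dirpath]["binaries"] += 1
            elif name == NOTE_NAME:
                findings[dirpath]["note"] = True
    return dict(findings)


def summarize(findings):
    """Aggregate per-directory findings into totals useful for scoping an incident."""
    return {
        "affected_dirs": len(findings),
        "encrypted_files": sum(f["encrypted"] for f in findings.values()),
        "binaries_hit": sum(f["binaries"] for f in findings.values()),
        "notes": sum(1 for f in findings.values() if f["note"]),
    }


def build_sample_tree():
    """Constructed sample: a partially encrypted host layout in a temp directory."""
    root = tempfile.mkdtemp(prefix="epsilonred_demo_")
    layout = {
        "Users/alice/Documents": ["report.docx.epsilonred", "budget.xlsx.epsilonred", NOTE_NAME],
        "Program Files/App": ["app.exe.epsilonred", "helper.dll.epsilonred", NOTE_NAME],
        "Users/alice/Pictures": ["holiday.jpg"],  # left untouched by the ransomware
    }
    for rel, names in layout.items():
        d = os.path.join(root, *rel.split("/"))
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"\x00")  # content is irrelevant for name-based triage
    return root


def run_demo():
    """Build the sample tree, scan it, clean up, and return the summary."""
    root = build_sample_tree()
    try:
        findings = scan_for_epsilonred(root)
        for d, info in sorted(findings.items()):
            print(f"{os.path.relpath(d, root)}: {info}")
        return summarize(findings)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

Pointing `scan_for_epsilonred` at a real mount gives responders a per-folder picture of what was hit, and a non-zero `binaries_hit` count is an early signal that a host may need rebuilding rather than file-level recovery.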

Pic courtesy: SophosLabs

Additionally, SophosLabs has released indicators of compromise that organizations can incorporate into their security controls.
