Sophos security researchers announced on Friday, May 28, the detection of a new ransomware called Epsilon Red, following a successful attack on a US hospitality company. Delivered as a final executable payload in a manually controlled attack, the ransomware demanded a payment of 4.29 bitcoin.

According to Sophos, the name and tooling of the attack were unique to these attackers. Although the ransom note resembled the standard message left by the well-known REvil ransomware gang, the wording had been changed in places. The entry point was a Microsoft Exchange enterprise server. “It is not clear if this was enabled by the ProxyLogon exploit or another vulnerability, but the root cause was likely an unpatched server.”

According to the cybersecurity firm Malwarebytes, ransomware is a growing cyber threat designed to lock victims’ files and/or devices and then demand a ransom in cryptocurrency to decrypt them and restore access. In mid-May, the analytics firm Elliptic reported that another ransomware group, called DarkSide, had raised 90 million dollars in cryptocurrency through extortion over a period of nine months. Elliptic obtained this figure after identifying 47 Bitcoin addresses associated with the group.

Epsilon Red begins by killing the processes and services of security tools, databases, backup programs, Microsoft Office applications and email clients, and it deletes all Volume Shadow Copies. The ransomware then steals the Security Account Manager (SAM) file, which contains password hashes, deletes Windows event logs and disables Windows Defender. Finally, it suspends processes, uninstalls security tools and expands its permissions on the system.

After getting rid of any impediments, Epsilon Red uses Windows Management Instrumentation (WMI) to install software and run PowerShell scripts, which then deploy the main ransomware executable. From there the routine is the familiar one: the executable encrypts files and exfiltrates data, the victims are notified, and a ransom is demanded.
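As an added illustration, not part of the original article or of Sophos’ analysis, the following Python snippet shows how a defender could flag the pre-encryption chain described above in process-creation telemetry: shadow-copy deletion, event-log clearing, Defender tampering, and PowerShell launched by the WMI provider host. The event format, the sample events and the command-line patterns are my own assumptions about typical tooling; the article itself names no specific commands.

```python
"""Toy detector for the Epsilon Red-style pre-encryption chain over
constructed Sysmon-like process-creation events (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal stand-in for a Sysmon Event ID 1 (process creation) record."""
    host: str
    parent_image: str
    image: str
    command_line: str


# Command-line indicators for the behaviours the article describes. The exact
# command strings are assumptions (commonly used tooling for each step), not
# something the article states.
COMMAND_INDICATORS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete",
        re.I),
    "event_log_clearing": re.compile(
        r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S+", re.I),
    "defender_tampering": re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
}


def classify(event: ProcessEvent) -> list:
    """Return the list of indicator names that a single event matches."""
    hits = [name for name, pat in COMMAND_INDICATORS.items()
            if pat.search(event.command_line)]
    # Structural indicator: PowerShell whose parent is the WMI provider host,
    # the pattern behind "uses WMI to run PowerShell scripts".
    if (event.parent_image.lower().endswith("wmiprvse.exe")
            and event.image.lower().endswith(("powershell.exe", "pwsh.exe"))):
        hits.append("wmi_spawned_powershell")
    return hits


def alerts_by_host(events, min_distinct: int = 2) -> dict:
    """Alert on hosts where at least `min_distinct` different indicators fire.
    Any single indicator can be benign admin activity; the combination is
    what characterises the chain described in the article."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev.host].update(classify(ev))
    return {host: sorted(tactics) for host, tactics in seen.items()
            if len(tactics) >= min_distinct}


# Constructed sample telemetry (not real logs): WS-01 shows the full chain,
# WS-02 is an administrator merely listing shadow copies.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMI = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
SAMPLE_EVENTS = [
    ProcessEvent("WS-01", WMI, PS,
                 r"powershell.exe -NoProfile -File C:\Temp\stage.ps1"),
    ProcessEvent("WS-01", PS, r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent("WS-01", PS, r"C:\Windows\System32\wevtutil.exe",
                 "wevtutil.exe cl Security"),
    ProcessEvent("WS-01", PS, PS,
                 "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcessEvent("WS-02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c vssadmin list shadows"),
]


if __name__ == "__main__":
    for host, tactics in alerts_by_host(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(tactics)}")
```

Requiring two or more distinct indicators on the same host keeps a lone `vssadmin list shadows` or a scheduled log rotation from paging anyone, while the chain of shadow-copy deletion, log clearing and Defender tampering following a WMI-launched PowerShell process is exactly the sequence worth investigating before encryption starts.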



By Truxgo
