New 'Epsilon Red' ransomware is hunting for unpatched Microsoft Exchange servers, researchers warn

It relies on several Powershell scripts before encrypting machines

Researchers from cyber security firm Sophos claim to have identified a new strain of Windows ransomware, dubbed 'Epsilon Red', which is targeting unpatched Microsoft Exchange servers to encrypt machines across corporate networks.

The new ransomware is the final executable payload in the attack, which relies on a dozen Powershell scripts (numbered from 1 to 12) before encrypting machines.

Epsilon Red was discovered last month during investigation of an attack on a US firm operating in the hospitality sector, Sophos principal researcher Andrew Brandt wrote in an online post last week.

Brandt revealed that the ransomware is a 64-bit Windows executable (named Red.exe) written in the Go programming language. It is compiled using the MinGW tool and packed with a modified version of the runtime packer UPX.

An analysis of Red.exe revealed that the programme also includes some code from the 'godirwalk' open-source project on GitHub, which allows it to scan the hard drive of the system on which it is running.

The name 'Epsilon Red' comes from the X-Men Marvel comics series, where an obscure enemy character - alleged to be of Russian origin - is armed with four mechanical tentacles. According to Brandt, those tentacles seem to represent the way the ransomware spreads its hooks into the targeted network.

The US firm which suffered the attack last month paid a ransom of 4.29 bitcoin on 15^th May, which was worth about $210,000 at the time.

"It appears that an enterprise Microsoft Exchange server was the initial point of entry by the attackers into the enterprise network," Brandt said.

"It isn't clear whether this was enabled by the ProxyLogon exploit or another vulnerability, but it seems likely that the root cause was an unpatched server," he added.

After gaining initial entry into Exchange server, the cyber actors used Windows Management Instrumentation (WMI) to install other software onto machines inside the network, Brandt said.

There are clues suggesting that REvil ransomware operatives may be behind the Epsilon Red ransomware. The message left by threat actors on infected machines resembles the ransom note of REvil ransomware gang. However, it also adds some minor grammatical corrections making it comprehensible to native English speakers.

The tools used in Epsilon Red attacks appeared to be unique to the threat actors, and no other similarities to the REvil attack vector were observed by the researchers.

REvil, also known as Sodinokibi or Sodin, is a ransomware operation that breaches companies networks using spam, exploits, exposed remote desktop services and hacked managed service providers (MSPs). The gang primarily focuses on big firms and avoids targeting consumers.

Like almost all other ransomware groups operating today, REvil also runs a ransomware-as-a-service (RaaS) operation, in which developers sell malware to affiliates who use it to encrypt the devices of target organisations.

According to Brandt, the best way to prevent ransomware such as Epsilon Red or REvil from infecting networks is to ensure that servers are fully patched and that security solutions installed on systems are able to block any suspicious activity.