Epsilon Network: ransomware that encrypts Exchange servers using a known vulnerability. Update now

Specialists from cybersecurity firm Sophos have revealed the detection of a new variant of ransomware hidden in a set of PowerShell scripts that abuse flaws present in unpatched Microsoft Exchange servers. Identified as Epsilon Red, this variant of encryption malware has already been detected in multiple attacks against US-based hotel companies.

One of the victims of these attacks had to pay a ransom of almost 5 Bitcoin, which according to the current exchange rate is equivalent to almost 210 thousand dollars.

The name of this malware was revealed by the attackers themselves, and was taken from the Marvel’s X-Men comic book series. In this fictional story, Epsilon Red is a genetically modified Russian soldier. This seems to be an analogy to the way this malware can spread across a corporate network.

Like other ransomware variants, this is a Windows 64 executable written in Go language, although the method employed for its delivery may be somewhat more complex than common: “This malware relies on a series of PowerShell scripts in order to prepare the target system for the delivery of the final payload” , the report states.

Sophos believes that this malware is linked to the developers of REvil, since the ransom note recovered in the Epsilon Red attacks detected so far is very similar to the one seen in the most relevant REvil attacks, although correcting some grammatical flaws. Still, the researchers specify that no other similarities have been found between these two malicious developments.

As mentioned at the beginning, hackers use a Microsoft Exchange implementation as an entry point to attacked systems, abusing Windows Management Instrumentation to automate actions on the operating system. It’s still unclear whether hackers exploited the well-known Exchange PorxyLogon vulnerability, which created countless issues for Windows administrators during the early months of 2021. However, the un-updated server used in one of the detected attacks was the target of this attack.

In this attack, the threat actors released a series of PowerShell scripts, as well as some that were named with a single letter of the alphabet, to prepare the attacked machines for the final payload. Finally, experts point out that the executable is a tiny file dedicated only to the encryption of infected files, so it does not perform network connections or any other critical function.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.