This new ransomware is threatening unpatched Microsoft Exchange servers
In a detailed post, Sophos analysts revealed that the ransomware is written in the Go programming language, naming itself Epsilon Red.
Based on the crypto address provided by the attackers, Sophos believes at least one of Epsilon Red's victims paid a ransom of 4.29 BTC (Bitcoin) on May 15, or about $210,000.
'It appears that an enterprise Microsoft Exchange server is the first place attackers break into the corporate network. It's not clear if this was triggered by the ProxyLogon exploit or another vulnerability, but it seems the root cause is an unpatched server," said Andrew Brandt, principal researcher at Sophos.
This new ransomware is threatening unpatched Microsoft Exchange servers Picture 1
According to Sophos, during the attack, to prepare the attacked machines for the eventual ransomware, the threat actors launch a series of PowerShell scripts. For example, attackers delete Volume Shadow copies to ensure encrypted machines cannot be recovered before distributing and launching the ransomware.
The ransomware itself is quite small and only really encrypts files, as all other aspects of the attack are performed by PowerShell scripts.
The ransomware's executable file contains some code, the researchers note, from an open source project called godirwalk that scans the drive and compiles it into a list.
Perhaps the strangest thing about the entire campaign is that Epsilon Red's ransom note "closely resembles" the note given by the attackers behind the REvil ransomware, although the grammar has been adjusted to similar to native English.
You should read it
- What is Epsilon Red Ransomware?
- Microsoft Exchange server hacked by LockFile ransomware
- 7 kinds of ransomware you didn't expect
- LockBit Ransomware takes advantage of Microsoft Defender itself to infect
- How to get Epsilon secret outfits in GTA Online
- Introducing Exchange Server 2019, how to install Exchange Server 2019
- List of the 3 most dangerous and scary Ransomware viruses
- The attack on Microsoft Exchange increased while WannaCry showed signs of return
- Ransomware can encrypt cloud data
- Microsoft continues to 'delay' the plan to launch a new version of Exchange Server for another 4 years
- General guidelines for decoding ransomware
- What is Ransomware Task Force (RTF)?
May be interested
What malicious code is designed to spread through IoT devices?
Warning: Microsoft and Google Clouds are being abused to launch large-scale phishing campaigns
What are FragAttacks? how to protect your WiFi device from FragAttacks
Wi-Fi Vulnerability Leads to FragAttacks Attacks
Detected critical zero-day vulnerability on Adobe Reader
All Wifi Devices Can Be Attacked by FragAttacks Vulnerabilities