Home
Tech info
Technology
Science
Life
Application
Electric
Program
Mobile
SystemThis new ransomware is threatening unpatched Microsoft Exchange servers
Cybersecurity researchers have witnessed a never-before-seen series of Windows ransomware that can infect an unpatched Microsoft Exchange email server and the network of a US-based hotel business.
In a detailed post, Sophos analysts revealed that the ransomware is written in the Go programming language, naming itself Epsilon Red.
Based on the crypto address provided by the attackers, Sophos believes at least one of Epsilon Red's victims paid a ransom of 4.29 BTC (Bitcoin) on May 15, or about $210,000.
'It appears that an enterprise Microsoft Exchange server is the first place attackers break into the corporate network. It's not clear if this was triggered by the ProxyLogon exploit or another vulnerability, but it seems the root cause is an unpatched server," said Andrew Brandt, principal researcher at Sophos.
According to Sophos, during the attack, to prepare the attacked machines for the eventual ransomware, the threat actors launch a series of PowerShell scripts. For example, attackers delete Volume Shadow copies to ensure encrypted machines cannot be recovered before distributing and launching the ransomware.
The ransomware itself is quite small and only really encrypts files, as all other aspects of the attack are performed by PowerShell scripts.
The ransomware's executable file contains some code, the researchers note, from an open source project called godirwalk that scans the drive and compiles it into a list.
Perhaps the strangest thing about the entire campaign is that Epsilon Red's ransom note "closely resembles" the note given by the attackers behind the REvil ransomware, although the grammar has been adjusted to similar to native English.
- Transfer Exchange 2003 to Exchange 2007 (Part 3)
- The threat of ransomware is threatening businesses
- 7 kinds of ransomware you didn't expect
- PureLocker - a very 'weird' ransomware strain that can encrypt servers
- Balancing download of Exchange 2007 SP1 Hub Transport servers with Windows Network Load Balancing (Part 1)
- Detecting a new ransomware strain, not asking for data ransom, but only needing the victim to join the Hacker's Discord server
- Cr1ptT0r Ransomware spreads on D-Link NAS devices, targeting embedded systems
- Protect your computer right before the return of two extremely dangerous ransomware
- Microsoft is preparing to release a series of new security holes
- 14-year-old Japanese boy was arrested for creating ransomware
- Windows SMB users should close some ports to prevent WannaCry
- Is Ransomware Annabelle scary with Annabelle movies?
- New variant of ransomware Arena Crysis appeared
- Instructions for using email manager Nylas N1
- Prevent WannaCry variants by turning off this Windows 10 installation
- Bad Rabbit - Petya's new ransomware spreads throughout Eastern Europe
-
Can a VPN Protect You From Ransomware? - Paradise ransomware source code shared on hacker forum
- List of the 3 most dangerous and scary Ransomware viruses
- How to decode Stupid Ransomware with StupidDecrypter
- General guidelines for decoding ransomware
- Protect your computer right before the return of two extremely dangerous ransomware
Can a VPN Protect You From Ransomware? 
Paradise ransomware source code shared on hacker forum 
List of the 3 most dangerous and scary Ransomware viruses 
How to decode Stupid Ransomware with StupidDecrypter 
General guidelines for decoding ransomware 
Protect your computer right before the return of two extremely dangerous ransomware 
Technology story
Technology comments
Quiz technology
New technology
British talent technology
Attack the network
Artificial intelligence
Mac OS X
Hardware
Game