This new ransomware is threatening unpatched Microsoft Exchange servers
In a detailed post, Sophos analysts revealed that the ransomware is written in the Go programming language, naming itself Epsilon Red.
Based on the crypto address provided by the attackers, Sophos believes at least one of Epsilon Red's victims paid a ransom of 4.29 BTC (Bitcoin) on May 15, or about $210,000.
'It appears that an enterprise Microsoft Exchange server is the first place attackers break into the corporate network. It's not clear if this was triggered by the ProxyLogon exploit or another vulnerability, but it seems the root cause is an unpatched server," said Andrew Brandt, principal researcher at Sophos.
According to Sophos, during the attack, to prepare the attacked machines for the eventual ransomware, the threat actors launch a series of PowerShell scripts. For example, attackers delete Volume Shadow copies to ensure encrypted machines cannot be recovered before distributing and launching the ransomware.
The ransomware itself is quite small and only really encrypts files, as all other aspects of the attack are performed by PowerShell scripts.
The ransomware's executable file contains some code, the researchers note, from an open source project called godirwalk that scans the drive and compiles it into a list.
Perhaps the strangest thing about the entire campaign is that Epsilon Red's ransom note "closely resembles" the note given by the attackers behind the REvil ransomware, although the grammar has been adjusted to similar to native English.
You should read it
- What is Epsilon Red Ransomware?
- Microsoft Exchange server hacked by LockFile ransomware
- 7 kinds of ransomware you didn't expect
- LockBit Ransomware takes advantage of Microsoft Defender itself to infect
- How to get Epsilon secret outfits in GTA Online
- Introducing Exchange Server 2019, how to install Exchange Server 2019
- List of the 3 most dangerous and scary Ransomware viruses
- The attack on Microsoft Exchange increased while WannaCry showed signs of return
- Ransomware can encrypt cloud data
- Microsoft continues to 'delay' the plan to launch a new version of Exchange Server for another 4 years
- General guidelines for decoding ransomware
- What is Ransomware Task Force (RTF)?
Maybe you are interested
Detecting a new ransomware strain that specializes in stealing login information from the Chrome browser
What is extortionware? How is it different from Ransomware?
New ransomware appears attacking Windows operating system
Difference between Cyber Extortion and Ransomware
How to enable ransomware restrictions on Windows
How to configure a firewall to block the WannaCry ransomware attack