This new ransomware is threatening unpatched Microsoft Exchange servers
Cybersecurity researchers have observed a previously unseen family of Windows ransomware that compromised an unpatched Microsoft Exchange email server and the network of a US-based hotel business.
In a detailed post, Sophos analysts revealed that the ransomware, which calls itself Epsilon Red, is written in the Go programming language.
Based on the crypto address provided by the attackers, Sophos believes at least one of Epsilon Red's victims paid a ransom of 4.29 BTC (Bitcoin) on May 15, or about $210,000.
"It appears that an enterprise Microsoft Exchange server is the first place attackers break into the corporate network. It's not clear if this was triggered by the ProxyLogon exploit or another vulnerability, but it seems the root cause is an unpatched server," said Andrew Brandt, principal researcher at Sophos.
According to Sophos, the threat actors run a series of PowerShell scripts to prepare the compromised machines before the ransomware is distributed and launched. For example, the scripts delete Volume Shadow Copies so that files on encrypted machines cannot be restored from local snapshots.
The ransomware executable itself is small and does little beyond encrypting files; every other stage of the attack is carried out by the PowerShell scripts.
The researchers note that the executable includes code from an open source Go library called godirwalk, which walks the drive and compiles the results into a list of files.
Perhaps the strangest thing about the entire campaign is that Epsilon Red's ransom note "closely resembles" the note used by the attackers behind the REvil ransomware, although the grammar has been corrected to read more like native English.
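As an added example (not code from the Sophos report or from this article), the kind of check a defender would run over process-creation logs to surface the shadow-copy deletion step described above; the log layout, hostnames, timestamps and command-line patterns are constructed assumptions for illustration:

```python
import re

# Constructed process-creation records in a "timestamp|host|image|commandline"
# layout (assumption: real Sysmon 1 / Security 4688 events carry the same fields).
SAMPLE_LOG = """\
2021-05-15T02:11:07Z|EXCH01|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
2021-05-15T02:11:09Z|EXCH01|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2021-05-15T02:12:30Z|WS-042|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
2021-05-15T02:13:01Z|EXCH01|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic.exe shadowcopy delete
2021-05-15T08:00:00Z|WS-017|C:\\Program Files\\Backup\\agent.exe|agent.exe --snapshot create
"""

# Command-line shapes that remove Volume Shadow Copies (assumed patterns, matching
# the publicly documented "Inhibit System Recovery" detection idea, not the exact
# scripts Sophos observed). Listing or creating snapshots must not fire.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*(?:\.delete\(\)|remove-wmiobject|remove-ciminstance)", re.I),
]


def parse_record(line):
    """Split one log line; maxsplit=3 keeps '|' characters inside the command line."""
    ts, host, image, cmdline = line.split("|", 3)
    return {"ts": ts, "host": host, "image": image, "cmdline": cmdline}


def find_shadow_copy_deletions(log_text):
    """Return every record whose command line matches a shadow-copy deletion pattern."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if any(p.search(rec["cmdline"]) for p in SHADOW_DELETE_PATTERNS):
            hits.append(rec)
    return hits


def hosts_with_deletions(log_text):
    """Hosts on which deletion activity was seen; a good pivot for triage."""
    return sorted({r["host"] for r in find_shadow_copy_deletions(log_text)})


if __name__ == "__main__":
    for rec in find_shadow_copy_deletions(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['host']}: {rec['cmdline']}")
```

Three of the five constructed records fire, all on the Exchange host, while the benign `list shadows` and backup-agent snapshot lines stay silent.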