    Karlston

    This new ransomware is targeting unpatched Microsoft Exchange servers

    Campaign has already netted over $200,000

    Cybersecurity researchers have observed a previously unseen strain of Windows ransomware, delivered into the network of a US-based hospitality business after attackers compromised an unpatched Microsoft Exchange email server.

    In a detailed post, analysts from Sophos revealed that the ransomware, which is written in the Go programming language, calls itself Epsilon Red.

    Based on the cryptocurrency address provided by the attackers, Sophos believes that at least one Epsilon Red victim paid a ransom of 4.29 BTC on May 15, worth about $210,000 at the time.

    “It appears that an enterprise Microsoft Exchange server was the initial point of entry by the attackers into the enterprise network. It isn’t clear whether this was enabled by the ProxyLogon exploit or another vulnerability, but it seems likely that the root cause was an unpatched server,” writes Sophos principal researcher Andrew Brandt.

    PowerShell ransomware

    Once the attackers have a foothold, they use Windows Management Instrumentation (WMI) to install other software on any machine inside the network that they can reach from the Exchange server.

    Sophos reports that during the attack the threat actors launch a series of PowerShell scripts to prepare the targeted machines for the final payload. These include, for example, deleting the Volume Shadow Copies so that encrypted machines cannot simply be rolled back from local snapshots, before the scripts ultimately deliver and launch the ransomware itself.
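    The two behaviours described above, WMI-driven execution on other hosts and shadow-copy deletion from PowerShell, both leave traces in process-creation telemetry. The following is an added example of my own, not code from Sophos or from the article, that runs two simple detections over a handful of constructed Sysmon-style events. The flattened key=value log format, the hostnames, users and command lines are all assumptions made for the illustration, not data from the report.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed Sysmon-style (Event ID 1) process-creation events, flattened to
# key=value pairs. Hosts, users and command lines are invented for this example;
# none of them come from the Sophos report.
SAMPLE_EVENTS = [
    'ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe '
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A" '
    'User=CORP\\svc_exchange Host=FILESRV01',
    'ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'Image=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin.exe delete shadows /all /quiet" '
    'User=CORP\\svc_exchange Host=FILESRV01',
    'ParentImage=C:\\Windows\\explorer.exe '
    'Image=C:\\Windows\\System32\\notepad.exe '
    'CommandLine="notepad.exe notes.txt" User=CORP\\jdoe Host=WS042',
    'ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'Image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'CommandLine="wmic shadowcopy delete" User=CORP\\svc_exchange Host=FILESRV02',
    'ParentImage=C:\\Windows\\System32\\svchost.exe '
    'Image=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin.exe list shadows" User="NT AUTHORITY\\SYSTEM" Host=FILESRV01',
]

# key=value, where a value is either a double-quoted string (may contain
# spaces) or a run of non-whitespace characters.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Command lines that destroy local restore points. Whitespace is collapsed
# before matching so "delete   shadows" is still caught.
SHADOW_COPY_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),  # WMI from PowerShell
]

# Interpreters that WmiPrvSE.exe has no business spawning on a normal host.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe",
          "mshta.exe", "wscript.exe", "cscript.exe"}


@dataclass
class Finding:
    rule: str
    host: str
    user: str
    command_line: str


def parse_event(line: str) -> dict:
    """Turn one flattened event line into a dict of its fields."""
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in _FIELD.finditer(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(lines: Iterable[str]) -> List[Finding]:
    """Run both detections over the events and return the findings in order."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        cmd = " ".join(ev.get("CommandLine", "").split())
        parent = basename(ev.get("ParentImage", ""))
        image = basename(ev.get("Image", ""))
        host, user = ev.get("Host", "?"), ev.get("User", "?")
        # Remote Win32_Process.Create lands as WmiPrvSE.exe -> shell on the target.
        if parent == "wmiprvse.exe" and image in SHELLS:
            findings.append(Finding("wmi_spawned_shell", host, user, cmd))
        if any(p.search(cmd) for p in SHADOW_COPY_PATTERNS):
            findings.append(Finding("shadow_copy_deletion", host, user, cmd))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host} {f.user}: {f.command_line}")
```

    WmiPrvSE.exe spawning an interpreter is the host-side footprint of a remote Win32_Process.Create call, which is how tooling gets pushed to other machines over WMI; the shadow-copy patterns cover vssadmin, wmic and wbadmin as well as the Win32_ShadowCopy route from PowerShell, while the benign "vssadmin list shadows" in the sample is deliberately left alone. The encoded PowerShell in the first event is only a hint here; the rules key on parent image and command line, not on decoding the payload.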

    The ransomware itself is quite small and does little more than encrypt files, since every other stage of the attack is carried out by the PowerShell scripts.

    The researchers note that the ransomware executable contains code lifted from the open source project godirwalk, which it uses to walk the drive and compile the list of files to process.

    Perhaps the strangest aspect of the entire campaign is that Epsilon Red’s ransom note “closely resembles” the one dropped by the threat actors behind the REvil ransomware, albeit slightly more grammatically polished so that it reads naturally to native English speakers.
