Sophos discovers Epsilon Red, new pared-down ransomware that disables critical programs and systems


Sophos discovered new stripped-down ransomware called Epsilon Red that offloads most of its functionality to a series of PowerShell scripts. It was delivered as the final executable payload in a hand-controlled attack against a US-based business in the hospitality industry in which every other early-stage component was a PowerShell script. Based on the cryptocurrency address provided by the attackers, it appears that at least one of their victims paid a ransom of 4.29BTC on May 15th (valued at roughly $210,000 on that date).

A root cause analysis diagram - each instance of the red.exe ransomware encrypting a single folder appears as a unique process

While the name and the tooling were unique to this attacker, the ransom note left behind on infected computers resembles the message by REvil ransomware but adds a few minor grammatical corrections. There were no other apparent similarities between the Epsilon Red ransomware and REvil.

Sophos found that an enterprise Microsoft Exchange server was the attackers' initial point of entry into the network, most likely because the server was unpatched. From that machine, the attackers used WMI to install software onto other devices inside the network that they could reach from the Exchange server.

Like many names coined by ransomware threat actors, Epsilon Red is a reference to pop culture. A relatively obscure adversary of the X-Men in the Marvel extended universe, Epsilon Red was a “super soldier” of Russian origin, sporting four mechanical tentacles and a lousy attitude.

During the attack, the threat actors launched a series of PowerShell scripts. These include:

  • A script that executes a command to delete Volume Shadow Copies from the infected computer, making it harder for the target to recover some or all of the files encrypted by the attackers
  • A script to uninstall various security and backup programs that might be present on the infected computer. It looks for specific programs, and for anything with the words "Backup" or "Cloud" in the title bar, and then attempts to kill and uninstall it. The attackers also try to disable or kill processes that, if they were running, might prevent complete encryption of valuable data on the hard drive. Examples include database services, backup programs, office applications, email clients, QuickBooks, and even the Steam gaming platform
  • A script that appears to be a clone of an open-source tool called Copy-VSS, which, according to Sophos researchers, an attacker could use to retrieve and crack passwords saved on the computer
  • A script that, according to Sophos researchers, appears to be a compiled version of the open-source tool EventCleaner, created to erase or manipulate the contents of Windows event logs. The attackers used it to remove evidence of what they had done.
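The behaviours in the list above (shadow copy deletion, killing or uninstalling anything with "Backup" or "Cloud" in its name, event log clearing, commodity remote-access tooling, and WMI-driven installation described earlier) are each visible in process-creation telemetry, and a defender can correlate them per host. The following is an added example written for this article, not Sophos code and not an artifact of the attack: it runs a small set of detection rules over constructed process-creation events. The command patterns it matches (vssadmin and wmic shadow copy deletion, wevtutil and Clear-EventLog, taskkill and Stop-Process against backup or cloud products, WmiPrvSE.exe spawning a shell) are common generic indicators assumed for illustration; the page does not give the exact commands the attackers ran, and the event fields, host names and sample command lines are all constructed.

```python
"""Correlate ransomware-precursor behaviours per host from process-creation events.

Added example, not Sophos code. Event shape, rule patterns and sample data are
assumptions made for illustration; tune the regexes to your own telemetry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed field set, e.g. from Sysmon or 4688)."""
    host: str
    parent: str   # parent image path
    image: str    # created image path
    cmdline: str  # full command line


# Each rule: (tag, regex over the command line). Patterns are generic
# indicators assumed here, not the attackers' literal commands.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy)", re.I)),
    ("event_log_clearing",
     re.compile(r"(wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog)", re.I)),
    # kill/stop/uninstall verbs followed somewhere by "backup" or "cloud"
    ("backup_or_cloud_tampering",
     re.compile(r"(taskkill|stop-process|stop-service|sc(\.exe)?\s+stop|uninstall)[^\n]*(backup|cloud)", re.I)),
    # remote-access tooling named on the page; matching on installer name is a simplification
    ("remote_access_tool_install",
     re.compile(r"(remote\s*utilities|torbrowser|tor\s+browser)", re.I)),
]


def classify(ev: ProcEvent) -> list:
    """Return the list of behaviour tags that a single event triggers."""
    tags = [tag for tag, pat in RULES if pat.search(ev.cmdline)]
    # WMI provider host spawning a shell is the classic footprint of remote
    # command execution via WMI (the lateral-movement method described above).
    parent = ev.parent.lower()
    image = ev.image.lower()
    if parent.endswith("wmiprvse.exe") and image.endswith(("cmd.exe", "powershell.exe")):
        tags.append("wmi_spawned_shell")
    return tags


def score_hosts(events) -> dict:
    """Aggregate distinct behaviour tags per host, sorted for stable comparison."""
    per_host = defaultdict(set)
    for ev in events:
        for tag in classify(ev):
            per_host[ev.host].add(tag)
    return {host: sorted(tags) for host, tags in per_host.items()}


def high_risk_hosts(events, threshold: int = 2) -> list:
    """Hosts showing at least `threshold` distinct precursor behaviours."""
    return sorted(h for h, tags in score_hosts(events).items() if len(tags) >= threshold)


# Constructed sample telemetry: one host showing the chained behaviours, one
# admin workstation with a benign backup script and a single tool install.
SAMPLE_EVENTS = [
    ProcEvent("srv-file01", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -nop -w hidden -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'),
    ProcEvent("srv-file01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c wevtutil cl Security"),
    ProcEvent("srv-file01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\taskkill.exe", 'taskkill.exe /F /IM "Cloud Backup Agent.exe"'),
    ProcEvent("ws-admin02", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Users\admin\scripts\nightly-backup.ps1"),
    ProcEvent("ws-admin02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\admin\Downloads\Remote Utilities - Host.msi" /qn'),
]


if __name__ == "__main__":
    for host, tags in score_hosts(SAMPLE_EVENTS).items():
        print(host, tags)
    print("high risk:", high_risk_hosts(SAMPLE_EVENTS))
```

The per-host aggregation is the point: a single taskkill or an installer for a remote-access tool is routine on an admin workstation, but shadow copy deletion, log clearing and backup-agent termination on the same file server within one window is the sequence the article describes, and that combination is what should page an analyst. The benign nightly-backup.ps1 event shows why the backup/cloud rule is anchored on a kill, stop or uninstall verb rather than the keyword alone.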

Epsilon Red ransom note

Peter Mackenzie, manager of the Sophos Rapid Response team, said: “Epsilon Red is an intriguing new ransomware. The actual ransomware file itself is very pared down, probably because it has offloaded other tasks, such as deleting backups, to the PowerShell scripts. It is only used for file encryption, and it doesn’t precision-target assets: if it decides to encrypt a folder, it will encrypt everything inside that folder. Unfortunately, this can mean other executables and dynamic link libraries (DLLs) are encrypted, which can disable critical running programs or the entire system. As a result, the attacked machine will need to be rebuilt entirely.

“Sophos’ analysis of the attackers’ behavior suggests they may lack confidence in the reliability of their tools or the potential success of their attack, so they implement alternative options and backup plans in case things fail. For instance, early on in the attack sequence, the operators download and install a copy of Remote Utilities and the Tor Browser, possibly to ensure an alternate foothold if the initial access point gets locked down. In other cases, we see the operators issue redundant commands that use a slightly different method to accomplish the same goal, such as deleting processes and backups. The best way to prevent ransomware such as Epsilon Red from taking hold is to ensure servers are fully patched and that your security solution can detect and block any suspicious behavior and attempted file encryption.”

To learn more about Epsilon Red, read the article on SophosLabs Uncut.

Sophos endpoint products, such as Intercept X, protect users by detecting the actions and behaviors of ransomware and other attacks. The CryptoGuard feature blocks the act of attempting to encrypt files.