A New Threat Emerges as Epsilon Red Ransomware Aims for Microsoft Vulnerabilities


Epsilon Red Ransomware is an explosive newcomer to the malware and ransomware scene and has been seen leveraging Microsoft Exchange server vulnerabilities to encrypt machines across the network. Epsilon Red Ransomware attacks rely on several scripts before reaching the encryption stage, and the strain is also notable for using a commercial remote desktop utility. Incident responders at cybersecurity company Sophos discovered the new Epsilon Red ransomware over the past week while investigating an attack at a fairly large U.S. company in the hospitality sector.

The researchers found that the threat actor breached the enterprise network by exploiting unpatched vulnerabilities in an on-premises Microsoft Exchange server. Andrew Brandt, principal researcher at Sophos, says in a report today that the attackers may have leveraged the ProxyLogon set of vulnerabilities to reach machines on the network.

The ProxyLogon bugs were widely publicized, and attackers quickly began scanning the internet for vulnerable servers and compromising them.

On March 2, Microsoft released critical security updates for four zero-day vulnerabilities in Exchange Server and reported that they were already being actively exploited by a group it tracks as HAFNIUM, a state-sponsored actor operating out of China.

Within one week, at least 30,000 U.S. organizations and hundreds of thousands of organizations worldwide had fallen victim to an automated campaign run by HAFNIUM that gave the attackers remote control over the affected systems.

Researchers at Radware have described the ProxyLogon vulnerabilities as follows:

CVE-2021-26855: SERVER SIDE REQUEST FORGERY
The Server-Side Request Forgery (SSRF) vulnerability provides a remote actor with admin access by sending a specially crafted web request to a vulnerable Exchange Server. The web request contains an XML SOAP payload directed at the Exchange Web Services (EWS) API endpoint. The SOAP request bypasses authentication using specially crafted cookies and allows an unauthenticated, remote actor to execute EWS requests encoded in the XML payload and ultimately perform operations on users’ mailboxes. This vulnerability, combined with the knowledge of a victim’s email address, means the remote actor can exfiltrate all emails from the victim’s Exchange mailbox.


CVE-2021-26857: REMOTE CODE EXECUTION VULNERABILITY
A post-authentication insecure deserialization vulnerability in the Unified Messaging service of a vulnerable Exchange Server allows commands to be run with SYSTEM account privileges. The SYSTEM account is used by the operating system and services that run under Windows. By default, the SYSTEM account is granted full control permissions to all files. A malicious actor can combine this vulnerability with stolen credentials or with the previously mentioned SSRF vulnerability to execute arbitrary commands on a vulnerable Exchange Server in the security context of SYSTEM.

CVE-2021-26858 AND CVE-2021-27065
Both of these post-authentication arbitrary file write vulnerabilities allow an authenticated user to write files to any path on a vulnerable Exchange Server. A malicious actor could leverage the previously mentioned SSRF vulnerability to achieve admin access and exploit this vulnerability to write web shells to virtual directories (VDirs) published to the internet by the server’s Internet Information Services (IIS). IIS is Microsoft’s web server, a dependency that is installed with Exchange Server and provides services for Outlook on the web, previously known as Outlook Web Access (OWA), Outlook Anywhere, ActiveSync, Exchange Web Services, Exchange Control Panel (ECP), the Offline Address Book (OAB) and Autodiscover.

Epsilon Red Ransomware Analysis

Note: The analysis of Epsilon Red Ransomware below draws on work by Sophos and BleepingComputer.

Epsilon Red Ransomware is written in Golang (Go) and is preceded by a set of unique PowerShell scripts that prepare the ground for the file-encryption routine, each having a specific purpose:

  • kill processes and services for security tools, databases, backup programs, Office apps, email clients
  • delete Volume Shadow Copies
  • steal the Security Account Manager (SAM) file containing password hashes
  • delete Windows Event Logs
  • disable Windows Defender
  • suspend processes
  • uninstall security tools (Sophos, Trend Micro, Cylance, MalwareBytes, Sentinel One, Vipre, Webroot)
  • expand permissions on the system

Most of the scripts are numbered 1 through 12, but a few are named with a single letter. One of these, c.ps1, appears to be a clone of the penetration-testing tool Copy-VSS.

PowerShell scripts staged before Epsilon Red Ransomware takes hold
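The behaviours in that list (shadow copy deletion, event log clearing, SAM theft, disabling Defender) are what a defender would hunt for in process-creation telemetry. The following is an added example, not code from Sophos, BleepingComputer or the article; the log records are constructed, and the command lines it matches are assumptions, since the article names the scripts' purposes but not the exact commands they run.

```python
import re

# Constructed process-creation records: timestamp|host|parent image|command line
SAMPLE_EVENTS = [
    r"2021-05-28T02:11:03Z|EXCH01|powershell.exe|vssadmin.exe delete shadows /all /quiet",
    r"2021-05-28T02:11:09Z|EXCH01|powershell.exe|wevtutil.exe cl Security",
    r"2021-05-28T02:11:15Z|EXCH01|powershell.exe|reg.exe save HKLM\SAM C:\Windows\Temp\sam.hiv",
    r"2021-05-28T02:11:20Z|EXCH01|powershell.exe|powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    r"2021-05-28T02:12:00Z|FS01|explorer.exe|notepad.exe C:\Users\jdoe\notes.txt",
    r"2021-05-28T02:12:30Z|FS01|svchost.exe|wmic.exe shadowcopy delete",
]

# One rule per behaviour named in the article's list of preparation scripts.
# The command-line patterns are assumptions about how those steps usually appear.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "event_log_clearing": re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b|\bClear-EventLog\b", re.I),
    "sam_hive_export": re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\sam\b", re.I),
    "defender_disabled": re.compile(
        r"\bSet-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true\b", re.I),
}

def detect(events):
    """Return (timestamp, host, rule) for every record whose command line matches a rule."""
    hits = []
    for record in events:
        timestamp, host, _parent, command = record.split("|", 3)
        for name, pattern in RULES.items():
            if pattern.search(command):
                hits.append((timestamp, host, name))
    return hits

def hosts_with_full_staging(events):
    """Hosts on which every staging behaviour fired. A lone shadow-copy deletion
    may be an administrator; all of them on one host is the pattern described above."""
    seen = {}
    for _timestamp, host, rule in detect(events):
        seen.setdefault(host, set()).add(rule)
    return sorted(host for host, rules in seen.items() if rules == set(RULES))

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(*hit)
    print("full staging sequence on:", hosts_with_full_staging(SAMPLE_EVENTS))
```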

After breaching the network, the attackers reach machines over RDP and use Windows Management Instrumentation (WMI) to install software and run the PowerShell scripts that ultimately deploy the Epsilon Red Ransomware executable.

Sophos researchers noticed that the threat actor also installs a copy of Remote Utilities, a commercial remote desktop application, and the Tor Browser. This gives them a second way in should they lose access through the initial entry point.

The ransomware itself, called RED.exe, is a 64-bit Windows executable programmed in the Go language, compiled using a tool called MinGW, and packed with a modified version of the runtime packer UPX.

The executable contains some code taken from an open source project called godirwalk, which gives it the ability to scan the hard drive on which it’s running for directory paths and compile them into a list. The ransomware then spawns a new child process that encrypts each subfolder separately, which after a short amount of time results in a lot of copies of the ransomware process running simultaneously.

Epsilon Red Ransomware Root Cause Analysis Diagram from Sophos

Epsilon Red Ransomware itself is quite small, since its only job is to encrypt the files on the targeted system. It makes no network connections, and because functions such as killing processes or deleting the Volume Shadow Copies have been outsourced to the PowerShell scripts, it is a simple program.

In the sample Sophos analyzed, the binary does not even contain a list of targeted file types or extensions. It encrypts everything inside the folders it selects, including executables and DLLs, which can render programs or the entire system nonfunctional if it picks the wrong folder path. After encrypting each file it appends the suffix “.epsilonred” and drops a ransom note in each folder.
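The per-folder behaviour just described (every file encrypted regardless of type, the “.epsilonred” suffix, a note in each folder) is what an incident responder has to scope after the fact. The following is an added example, not code from Sophos or the article; it builds a constructed directory tree and summarises, folder by folder, what was hit and whether executables or DLLs were among the casualties. The ransom note's filename is not given in the article, so NOTE_NAME is a placeholder assumption.

```python
import os
import tempfile
from pathlib import Path

SUFFIX = ".epsilonred"              # appended to every encrypted file (from the article)
NOTE_NAME = "EPSILON_RED_NOTE.txt"  # assumption: the article does not name the note file
BINARY_EXTS = {".exe", ".dll"}      # the article notes these get encrypted too

def scope(root):
    """Walk root and return, per affected folder, how many files carry the
    suffix, whether a note was dropped, and how many encrypted files were
    executables or DLLs (the hits most likely to break programs or the OS)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(SUFFIX)]
        if not encrypted and NOTE_NAME not in files:
            continue  # untouched folder
        # The original name precedes the appended suffix; strip it to recover the extension.
        binaries = sum(1 for f in encrypted
                       if Path(f[:-len(SUFFIX)]).suffix.lower() in BINARY_EXTS)
        key = Path(dirpath).relative_to(root).as_posix()
        report[key] = {"encrypted": len(encrypted),
                       "note": NOTE_NAME in files,
                       "binaries_hit": binaries}
    return report

def build_sample_tree():
    """Construct a small tree imitating a partially encrypted host; returns its root path."""
    root = tempfile.mkdtemp(prefix="epsilonred-triage-")
    layout = {
        "Users/jdoe/Documents": ["budget.xlsx" + SUFFIX, "memo.docx" + SUFFIX, NOTE_NAME],
        "Program Files/App": ["app.exe" + SUFFIX, "core.dll" + SUFFIX, "readme.txt", NOTE_NAME],
        "Windows/Temp": ["cache.tmp"],  # a folder the ransomware did not touch
    }
    for folder, names in layout.items():
        d = Path(root, folder)
        d.mkdir(parents=True)
        for name in names:
            (d / name).write_bytes(b"constructed sample content")
    return root

if __name__ == "__main__":
    for folder, summary in sorted(scope(build_sample_tree()).items()):
        print(folder, summary)
```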

Strangely enough, the Epsilon Red Ransomware note closely resembles the note used by REvil, a far more widely deployed ransomware. But where the REvil note is typically riddled with spelling and grammatical errors, the note delivered by Epsilon Red Ransomware has been edited to read more naturally to native English speakers.

Epsilon Red Ransomware Note

Victims are directed to a specific URL on a website hosted on the regular web (epsilons[.]red) to negotiate with the attackers.

Protection

Epsilon Red Ransomware is just one of many new malware strains being produced and developed almost daily. Families and businesses should be aware of these threats, and equip the right tools to tackle them. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, malware protection, and internet controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.
