Exchange Servers Targeted by ‘Epsilon Red’ Malware
Quote:Threat actors have deployed new ransomware on the back of a set of PowerShell scripts developed for making encryption, exploiting flaws in unpatched Exchange Servers to attack the corporate network, according to recent research.
 
Researchers from security firm Sophos detected the new ransomware, called Epsilon Red, in an investigation of an attack on a U.S.-based company in the hospitality sector, Sophos Principal Researcher Andrew Brandt wrote in a report published online.
 
The name – coined by the attackers themselves, who may be the same crew behind the REvil ransomware – is a reference to an obscure enemy character in the X-Men Marvel comics. The character is a “‘super soldier’ alleged to be of Russian origin” armed with four mechanical tentacles – which seems to represent the way the ransomware spreads its hooks into a corporate network, Brandt wrote.
 
While the malware itself is a “bare-bones” 64-bit Windows executable programmed in the Go programming language, its delivery system is a bit more sophisticated, relying on a series of PowerShell scripts that “prepared the attacked machines for the final ransomware payload and ultimately delivered and initiated it,” he wrote.
 
The potential link to the REvil group came in the ransom note left on infected computers, which “resembles the note left behind by REvil ransomware, but adds a few minor grammatical corrections” that make it more readable to native English speakers, Brandt wrote. However, the name of the ransomware and the tooling appeared to be unique to the particular attacker, and there were no further similarities to the typical REvil attack vector.
 
The victim in the attack observed by Sophos ended up paying a ransom of 4.29 Bitcoin on May 15, the equivalent of about $210,000 at that time, according to the report.

Read more: Exchange Servers Targeted by ‘Epsilon Red’ Malware | Threatpost