According to the ransom note, bad actors may be behind a series of PowerShell scripts used as a weapon to exploit vulnerabilities in corporate networks, according to Threat Post.
Threat actors have released new ransomware based on a series of PowerShell scripts designed for encryption and exploiting gaps in unpatched Exchange Servers generally used in corporate network.
Sophos researchers discovered the new ransomware, known as Epsilon Red while investigating an attack on a US hotel company, Sophos Principal Researcher Andrew Brandt wrote in a post published online.
The name is a reference to an obscure adversarial character in the Marvel’s X-Men and was coined by the attackers themselves. According to Brandt, the character is a super soldier of Russian origin armed with four mechanical tentacles, that seems to illustrate how the ransomware spreads its hooks throughout an enterprise network.
While the virus itself is a simple 64-bit Windows executable written in Go, its spreading strategy is more sophisticated and depends on a series of PowerShell scripts to prepare infected PCs for the final ransomware payload and then distribute and initiate it, he added.
There are clues indicating that the same hacker is behind REvil ransomware.The message left on infected devices resembles the note left by the REvil ransomware but adds some minor grammatical corrections that make it more understandable to native English speakers, Brandt said. However, the ransomware’s name and toolset were clearly attributable to the attacker, and there were no other similarities to the standard REvil attack vector.
According to the report, the victim of the attack observed by Sophos paid a ransom of 4.29 bitcoin on May 15, that was worth nearly $210,000 at the time.
The attackers used Windows Management Instrumentation (WMI) to install additional malware on devices on the network that they could reach from the Exchange server.
It is unclear whether the attackers took advantage of the infamous Exchange ProxyLogon vulnerability that caused Microsoft significant headaches earlier this year. However, Brandt found that the unpatched server used for the attack was vulnerable to this flaw.
During the attack, the threat actors ran a series of PowerShell scripts numbered 1.ps1 through 12.ps1, as well as some scripts named with a single letter of the alphabet, to prepare the affected workstations for the final ransomware payload. He added that the scripts also delivered and launched the payload Epsilon Red.
The PowerShell scripts use a “rudimentary form of obfuscation” that did not hinder the Sophos researchers’ analysis, but “might be just good enough to evade detection of an anti-malware tool that’s scanning the files on the hard drive for a few minutes, which is all the attackers really need,” Brandt said.
The ransomware is a program called RED.exe, created with MinGW and packaged with a modified version of the UPX runtime packer. According to Brandt, the payload contains code from an open-source project on GitHub called godirwalk that allows it to scan the hard drive it is running on for directory paths and summarize them into a list.
According to Brandt, the executable is a small file and a basic application that is only used to encrypt data on the target machine without making network connections or performing other important tasks, all of which are delegated to PowerShell scripts.