"New Epsilon Red Ransomware Hunts Unpatched Microsoft Exchange Servers"
A new form of ransomware called "Epsilon Red" has been discovered in the wild, exploiting Microsoft Exchange server vulnerabilities to encrypt machines across a network. This ransomware relies on over a dozen scripts before it reaches the encryption phase and uses a commercial remote desktop utility during attacks. Researchers at Sophos discovered the new ransomware during an investigation of an attack on a U.S. company in the hospitality sector. According to the researchers, the threat actor exploited unpatched vulnerabilities in an on-premises Microsoft Exchange server. A principal researcher at Sophos says the attackers may have leveraged a set of bugs dubbed ProxyLogon to reach machines on the network. Epsilon Red is written in the Go programming language and is preceded by a set of PowerShell scripts, each of which accomplishes a specific task to prepare the system before the ransomware is launched. These tasks include killing processes belonging to security tools, deleting Volume Shadow Copies, deleting Windows Event Logs, expanding permissions on the system, and more. Once the network is breached, the attackers reach machines over the Remote Desktop Protocol (RDP) and use Windows Management Instrumentation (WMI) to install software and run the scripts that deploy the Epsilon Red executable. This article continues to discuss key findings surrounding the new Epsilon Red ransomware.
Bleeping Computer reports "New Epsilon Red Ransomware Hunts Unpatched Microsoft Exchange Servers"
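The preparatory behaviours the summary lists (security-tool process kills, Volume Shadow Copy deletion, Event Log clearing, permission changes, and scripts launched through WMI) are individually noisy but together form a recognisable pre-encryption pattern that a defender can hunt for in process-creation telemetry. The following is an added detection example, not code from the article, from Sophos, or from the ransomware itself; the event records, host names, file paths and the `exampleav.exe` process name are constructed for illustration, and the command-line patterns are the standard Windows utilities for each behaviour rather than anything specific to Epsilon Red.

```python
"""Flag hosts showing several Epsilon Red-style pre-encryption behaviours.

Added example (not from the article). Input is a list of process-creation
events such as a SIEM would export from Sysmon Event ID 1 or Windows 4688.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str      # endpoint the process was created on
    parent: str    # parent process image
    image: str     # created process image
    cmdline: str   # full command line


# Behaviour categories named in the article, mapped to the command-line
# signatures of the built-in Windows utilities normally used for them.
PRECURSOR_RULES = {
    "security_tool_kill": re.compile(
        r"\btaskkill(?:\.exe)?\s+(?=.*/f\b)(?=.*/im\b)|\bStop-Process\b.*-Force\b", re.I),
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "event_log_clearing": re.compile(
        r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|\bClear-EventLog\b", re.I),
    "permission_expansion": re.compile(
        r"\bicacls(?:\.exe)?\s.*\s/grant\b|\btakeown(?:\.exe)?\b", re.I),
}


def wmi_spawned_powershell(ev: ProcEvent) -> bool:
    """PowerShell started by the WMI provider host: the article's WMI-driven
    script execution shows up as WmiPrvSE.exe parenting powershell.exe."""
    return (ev.parent.lower().endswith("wmiprvse.exe")
            and ev.image.lower().endswith("powershell.exe"))


def find_precursors(events: list[ProcEvent]) -> dict[str, set[str]]:
    """Return, per host, the set of distinct precursor behaviours observed."""
    seen: dict[str, set[str]] = {}
    for ev in events:
        tags = seen.setdefault(ev.host, set())
        if wmi_spawned_powershell(ev):
            tags.add("wmi_spawned_powershell")
        for name, pattern in PRECURSOR_RULES.items():
            if pattern.search(ev.cmdline):
                tags.add(name)
    return seen


def hosts_to_alert(events: list[ProcEvent], min_signals: int = 2) -> list[str]:
    """Hosts with at least `min_signals` distinct behaviours. Any one signal
    can occur in normal administration; the combination is what matters."""
    return sorted(h for h, tags in find_precursors(events).items()
                  if len(tags) >= min_signals)


# Constructed sample telemetry: ws01 mimics the pre-encryption sequence,
# ws02 shows benign activity, including a log *query* that must not fire.
EVENTS = [
    ProcEvent("ws01", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\temp\1.ps1"),
    ProcEvent("ws01", "powershell.exe", r"C:\Windows\System32\taskkill.exe",
              "taskkill.exe /f /im exampleav.exe"),   # exampleav.exe is a placeholder
    ProcEvent("ws01", "powershell.exe", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("ws01", "powershell.exe", r"C:\Windows\System32\wevtutil.exe",
              "wevtutil.exe cl Security"),
    ProcEvent("ws01", "powershell.exe", r"C:\Windows\System32\icacls.exe",
              r"icacls.exe C:\ /grant Everyone:F /T /C"),
    ProcEvent("ws02", "explorer.exe", "notepad.exe", "notepad.exe report.txt"),
    ProcEvent("ws02", "cmd.exe", "wevtutil.exe", "wevtutil.exe qe Security /c:5"),
]

if __name__ == "__main__":
    for host, tags in find_precursors(EVENTS).items():
        print(f"{host}: {sorted(tags)}")
    print("alert:", hosts_to_alert(EVENTS))
```

The threshold of two distinct behaviours per host is a starting point: a single `vssadmin delete shadows` is routine in backup maintenance, but shadow-copy deletion plus event-log clearing on the same endpoint, especially shortly after a WMI-launched PowerShell process, is the sequence worth paging on. Correlating by host rather than by individual event is what keeps the rule usable.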