The rise of makeshift ransomware: what is Epsilon Red and should you worry about it?
A new strain of ransomware with worryingly amateurish qualities could wreak havoc on networks worldwide.
Epsilon Red was discovered by Sophos in late May, and has netted its creators big money, according to the security researchers. At least one victim paid a ransom of $210,000 in bitcoin after finding their data locked up because of Epsilon Red, with many others purportedly targeted by the malware.
The ransomware was found as the final executable payload in a hand-controlled attack against a US-based business in the hospitality industry, according to Sophos. The attackers gained access through an enterprise Microsoft Exchange server and then used WMI to install other software on machines inside the network that they could reach from the Exchange server.
“The actual ransomware file itself is very pared down, probably because it has offloaded other tasks, such as deleting backups, to the PowerShell scripts,” says Sophos Rapid Response manager Peter Mackenzie.
“It is really only used for file encryption, and it doesn’t precision-target assets. If it decides to encrypt a folder, it will encrypt everything inside that folder.”
“Unfortunately, this can mean other executables and dynamic link libraries (DLLs) are also encrypted, which can disable key running programs or the entire system. As a result, the attacked machine will need to be completely rebuilt,” he adds.
The name comes from an enemy of the X-Men in the Marvel Comics Universe: a Russian super soldier with four mechanical tentacles and a bad attitude.
The character's tentacles suited the malware because of the way it operates: a small core encryptor surrounded by a set of supporting PowerShell scripts that do much of the work.
Plenty of backups in case of failure
“Early on in the attack sequence the operators download and install a copy of Remote Utilities and the Tor Browser, possibly to ensure an alternate foothold if the initial access point gets locked down,” says Sophos. “In other cases we see the operators issue redundant commands that use a slightly different method to accomplish the same goal, such as deleting processes and backups.” The ransomware is of particular concern because, unlike many of its peers, it is not carefully crafted. The code encrypts everything in a given folder, appending the .epsilonred extension – including any executables or DLLs, which can leave the operating system unusable.
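The encryption behaviour described above (everything in a folder renamed to .epsilonred, executables and DLLs included) gives defenders a simple file-activity signal. As an added example that is not Sophos' or the malware's code, the following Python flags hosts that rename many files to .epsilonred within a short window and lists any binaries hit; the log format and event values are constructed, and the threshold and window are assumptions.

```python
"""Flag Epsilon Red-style bulk renames to .epsilonred in file-activity events.
Added example; the event format below is constructed, not a real product log."""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: "<ISO timestamp> <host> <old path> <new path>" (paths without spaces).
SAMPLE_EVENTS = [
    r"2021-05-20T10:00:01 ws01 C:\Users\a\report.docx C:\Users\a\report.docx.epsilonred",
    r"2021-05-20T10:00:02 ws01 C:\Users\a\budget.xlsx C:\Users\a\budget.xlsx.epsilonred",
    r"2021-05-20T10:00:02 ws01 C:\App\bin\service.exe C:\App\bin\service.exe.epsilonred",
    r"2021-05-20T10:00:03 ws01 C:\App\bin\helper.dll C:\App\bin\helper.dll.epsilonred",
    r"2021-05-20T10:00:04 ws01 C:\Users\a\notes.txt C:\Users\a\notes.txt.epsilonred",
    r"2021-05-20T10:00:05 ws01 C:\Users\a\photo.jpg C:\Users\a\photo.jpg.epsilonred",
    r"2021-05-20T10:07:00 ws02 C:\Users\b\draft.txt C:\Users\b\draft.bak",      # benign rename
    r"2021-05-20T10:30:00 ws02 C:\Users\b\old.txt C:\Users\b\old.txt.epsilonred",  # one-off, below threshold
]

ENCRYPTED_SUFFIX = ".epsilonred"          # extension the page reports
BINARY_EXTENSIONS = {".exe", ".dll"}      # collateral the page warns about


def parse_event(line):
    """Split one constructed event line into (timestamp, host, old_path, new_path)."""
    ts, host, old, new = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, old, new


def detect(events, threshold=5, window=timedelta(minutes=2)):
    """Return {host: details} for hosts with >= threshold renames to .epsilonred
    inside any `window`-long span. threshold/window are assumed tuning values."""
    per_host = defaultdict(list)
    for line in events:
        ts, host, old, new = parse_event(line)
        if new.lower().endswith(ENCRYPTED_SUFFIX):
            per_host[host].append((ts, old))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        peak, start = 0, 0
        for end in range(len(hits)):              # sliding window over sorted timestamps
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            # Executables/DLLs among the victims mean the host will likely need a rebuild.
            binaries = sorted(old for _, old in hits
                              if ntpath.splitext(old)[1].lower() in BINARY_EXTENSIONS)
            alerts[host] = {"renames": len(hits), "peak_in_window": peak, "binaries_hit": binaries}
    return alerts
```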
In places, the ransomware appears to be cobbled together – which is in part why Sophos are so concerned about its existence.
After locating files and encrypting them, the malware, which is written in Go (or Golang), displays a message adapted from the REvil ransomware that has caused so much chaos for IT professionals. The language in the ransom note has been tidied up to be more grammatically correct than REvil's sloppy transliteration from Russian.
Tackling Epsilon Red is, like most bits of ransomware out there in the wild, simply a case of making sure you’re fully protected and up to date in terms of security. “The best way to prevent ransomware such as Epsilon Red is to ensure servers are fully patched and that security solutions can detect and block any suspicious behaviour and attempted file encryption,” says Sophos.