A New Ransomware Super Soldier

Posted by Trevagh Stankard on Tue, Jun 15th, 2021

Another month, another ransomware strain.  This one is called Epsilon Red, a name that references a little known enemy character in the X-Men Marvel comic series.  The “super soldier” comic character is of Russian origin and armed with four mechanical tentacles.  As for the Epsilon ransomware strain, it uses PowerShell scripts rather than tentacles and selectively hunts down unpatched Exchange servers.  While the descriptor names and code snippets change, the methodologies remain the same.  Whether or not the malware is taking advantage of the ProxyLogon exploit made famous earlier this year is unclear.  What is clear, is that it was identified last week after it claimed its first victim a week earlier to a tune of $210,000.

The plan of attack for Epsilon Red is for the attackers to obtain an entry point within an unpatched Microsoft Exchange server.  From there, the perpetrators use scripting tools to install other software on machines that are reachable from the Exchange server.  These include a series of PowerShell scripts with rudimentary names such as 1.pas1 through 12.ps1.  While there is nothing highly advanced about the scripts themselves, analysts say they may be able to escape the attention of basic antimalware tools long enough to complete their assigned tasks.  Some of the assigned tasks include the following:

• Modify local firewall rules to allow the attackers to make remote connections
• Disable or kill the process that may lock files and prevent them from being encrypted
• Delete any volume shadow copies in order to prevent local file recovery
• Uninstall security software such as Trend Micro, MalwareBytes, Webroot, and others.
• Disable Windows Defender
• Delete Windows Even logs
• Expand permission on the system so that the “Everyone” group has access to all drives
• Copy the Windows Security Account Manager (SAM) to retrieve passwords stored on the local computer

Thus far, the attackers also download and install a commercially available Remote Utilities app and the Tor Browser as a backup alternative to obtain control of the network. 

The final step performed by the scripts is to deliver the actual payload itself.  The payload consists of a file called Red.exe.  Once deposited, the payload goes to work, scanning the local hard drives in order to compile a list of all files and directory paths.  It is at that point that the encryption process begins.  Once a file is encrypted it is appended with the .epsilonred extension.  The final step is to drop a ransom note to alert the victim and provide further instructions.  While the ransomware note has commonalities with the notes issued by the REvil ransomware gang, it is believed that the group behind the EpsilonRed variant are made up of armatures.  Some experts are skeptical about file recovery as the encryption process they use doesn’t exclude critical system files and dynamic link libraries, which may prevent the computer from rebooting correctly. 

Read Guide on How to Reduce the Risk of Phishing and Ransomware

Another Growing Ransomware Trend

We have spoken about  Ransomware 2.0 numerous times on the TitanHQ blog, and how hackers are exfiltrating files prior to encrypting them in order to double their extortion leverage.  This way, if the victimized organization is able to recover their files on their own, they can threaten to release the files publicly or sell them on the open market.  Just recently a new attack methodology has been uncovered involving double encryption.  In this case, attackers use multiple types of ransomware in tandem to encrypt the files of a targeted network.  There are two ways to utilize these multiple strains in an attack.  One approach is to encrypt the files using one type of ransomware and then re-encrypt again with another variant.  The other is to use what is referred to as side-by-side encryption in which files are only encrypted once, but different systems are encrypted with different variants. 

There are a number of reasons for this new tactic.  At the least, using multiple ransomware strains complicates and elongates the restoration process.  As a result, the chance of a victim recovering from an attack on their own is significantly reduced.  It also provides attackers the opportunity to determine the effectiveness of different strains at once.  The real draw however is the opportunity to increase the payout.  The attackers might issue two ransom notes at the beginning to ensure the victim is aware of the extra complexity of their situation.  Other times, victims only see one ransom note and only find out about the second layer of encryption after they've paid to eliminate the first. 

Cybersecurity is a moving target.  Ransomware creators continue to release new strains to take advantage of newly discovered exploits as well as new stealth innovations to avoid detection.  At the same time, attackers are experimenting with new tactics and strategies in order to improve their effectiveness.  This is why it is so important to ally yourself with outstanding cybersecurity partners. 

Protect your organization from the ever-growing threat of ransomware. TitanHQ protects your business using multi-layered security to block advanced threats. Contact the TitanHQ team and speak to a security expert today. Contact us today us.