Researchers at Sophos Labs have discovered a new strain of ransomware. They say the malware is notable for its streamlined functions and its heavy reliance on PowerShell scripts to perform its various malicious tasks.
In a new report, Sophos describes the recently observed ransomware, called Epsilon Red, which was delivered as the final executable payload in an attack against a US hospitality organization. Available data indicate that at least one Epsilon Red victim paid a Bitcoin ransom of approximately $210,000 in mid-May.
According to Sophos, Epsilon Red is notable in that most of its early-stage components are PowerShell scripts. The ransomware component itself is a bare-bones 64-bit executable written in the Go programming language. Its only function is to encrypt files on the target system. The ransomware component does not establish a network connection and does not perform functions normally built into other ransomware strains; for example, deleting shadow copies and killing processes have been offloaded to PowerShell scripts.
Andrew Brandt, the lead researcher at Sophos, stated that the attacker’s goal was to make Epsilon Red and its activities more difficult to detect. “If you break down ransomware activities into a series of normal benign tasks, it will be more difficult for defenders to identify them as interrelated and malicious activities,” he said. “When they unload content such as ‘delete shadow copies’ into fragments, behavior-based endpoint security tools become less suspicious.” For example, a malware detection tool might see the shadow copy deletion as benign activity on its own, because it is not obviously related to other malicious behaviors.
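The detection gap Brandt describes is one of correlation: each offloaded task looks routine in isolation, so a defender has to stitch the fragments back together. The following is an added example written for this article, not code from Sophos or from the Epsilon Red report. It parses a few constructed log lines (the `ts=... host=... script=...` layout and field names are assumptions, loosely modelled on PowerShell script-block logging), tags each command with a tactic label, and raises an alert only when two or more distinct labels appear on the same host inside a short time window. The command patterns are the ones the article names (shadow copy deletion, process killing, SAM copying) plus payload download.

```python
"""Correlate fragmented PowerShell activity into one suspicious sequence.

Added example for this article, not Sophos' or the article author's code.
The log lines are constructed; the line format and field names (ts, host,
script) are assumptions, not a real product's log schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each pattern maps a command fragment to a tactic label. Any one of these
# can be legitimate admin activity; the alert fires only on the combination.
PATTERNS = {
    "shadow_copy_delete": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|"
        r"Win32_ShadowCopy.*Delete)", re.IGNORECASE),
    "process_kill": re.compile(
        r"(Stop-Process|taskkill(\.exe)?\s+/f)", re.IGNORECASE),
    "sam_dump": re.compile(
        r"reg(\.exe)?\s+save\s+HKLM\\SAM", re.IGNORECASE),
    "payload_download": re.compile(
        r"(Invoke-WebRequest|DownloadFile|DownloadString|Net\.WebClient)",
        re.IGNORECASE),
}

WINDOW = timedelta(minutes=30)   # how close the fragments must be in time
MIN_DISTINCT = 2                 # how many different tactics trigger an alert

# Assumed log layout: "<date> <time> host=<name> script=<command text>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) script=(?P<script>.*)$")

# Constructed sample log. WS-042 shows the fragmented pattern the article
# describes; ADMIN-PC shows two routine commands hours apart (no alert).
SAMPLE_LOG = """\
2021-05-14 02:11:03 host=EXCH01 script=Get-ChildItem C:\\inetpub\\logs
2021-05-14 02:14:20 host=WS-042 script=Stop-Process -Name sqlservr -Force
2021-05-14 02:15:01 host=WS-042 script=vssadmin.exe delete shadows /all /quiet
2021-05-14 02:16:44 host=WS-042 script=reg.exe save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv
2021-05-14 09:30:00 host=ADMIN-PC script=Stop-Process -Name notepad
2021-05-14 16:05:00 host=ADMIN-PC script=vssadmin delete shadows /for=C: /oldest
""".splitlines()


def parse_line(line):
    """Split one log line into timestamp, host and script text (None if malformed)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "host": m["host"],
        "script": m["script"],
    }


def classify(script):
    """Return the set of tactic labels whose pattern matches the script text."""
    return {label for label, rx in PATTERNS.items() if rx.search(script)}


def correlate(lines, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return {host: sorted tactic labels} for every host on which at least
    `min_distinct` different tactics occur within `window` of each other."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        labels = classify(rec["script"])
        if labels:
            events[rec["host"]].append((rec["ts"], labels))

    alerts = {}
    for host, evs in events.items():
        evs.sort(key=lambda e: e[0])
        # Slide a window starting at each event and union the labels seen in it.
        for i, (t0, _) in enumerate(evs):
            seen = set()
            for t, labels in evs[i:]:
                if t - t0 > window:
                    break
                seen |= labels
            if len(seen) >= min_distinct:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, tactics in correlate(SAMPLE_LOG).items():
        print(f"ALERT {host}: correlated tactics {', '.join(tactics)}")
```

The design point is that none of the individual patterns is an alert on its own; `Stop-Process` on a workstation at 09:30 and a single `vssadmin delete shadows` hours later stay quiet, while the three commands on WS-042 inside two minutes surface as one event. Tuning `WINDOW` and `MIN_DISTINCT` trades false positives against the chance that a slower attacker spreads the fragments out further than the window.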
The attacks observed by Sophos against US organizations appear to have started with a vulnerable Microsoft Exchange Server. Sophos said it is unclear whether the attacker used the recently disclosed ProxyLogon vulnerability in Exchange Server to gain unauthenticated access or took advantage of other flaws.
From the initial entry point, the attackers used Windows Management Instrumentation (WMI) to install additional software in order to download the ransomware to every other system they could reach from the Exchange Server. During the attack, the attackers used more than a dozen PowerShell scripts, including scripts for deleting shadow copies and for duplicating the Windows Security Account Management (SAM) database so that they could retrieve passwords stored on those computers.
Sophos’ analysis of Epsilon Red shows that the ransomware binary itself does not contain a list of target file types and extensions. Instead, it appears to be designed to encrypt everything on the target system, including key dynamic link libraries (DLLs) and executables needed to keep the system running properly. This differs sharply from most mature ransomware families, whose binaries explicitly contain logic to exclude DLLs and executable files from encryption.
“Ransomware threat actors know that if no one can see their ransom note, they can’t get paid, because the computer can’t start,” he said. “It is generally believed that encrypting executable files and DLLs is bad for business.” Since Epsilon Red does not seem to make this distinction, the malware may prevent an infected system from booting. Brandt said that in these cases, even if the attacker provides a decryption tool, the victim will probably not be able to run it on the computer.
The Epsilon Red ransomware activity is typical of many other recent attacks, in which attackers rely heavily on scripts and command interpreters (such as Windows Command Shell and PowerShell) to execute scripts, commands, and binaries. Red Canary’s recent analysis of threat data from customer networks shows that 48.7% of customers have experienced attacks using PowerShell, and 38.4% of attacks involved Windows Command Shell. Red Canary found that attackers often use PowerShell for tasks such as malware obfuscation, malicious command execution, and downloading additional payloads.
“Of course we have seen the use of PowerShell with WMIC [WMI command-line] and potentially unwanted applications, such as penetration testing tools,” Brandt said, “or remote access software, which has implemented attacks and adjusted strategies with multiple attackers in the past year.”
Jai Vijayan is an experienced technical journalist with more than 20 years of experience in the IT trade news field. He recently served as the senior editor of Computerworld, responsible for the information security and data privacy issues of the publication.