New Golang-based Epsilon Red Ransomware Caught Executing Active Attacks

A new ransomware threat has emerged online that is already active in the wild. Identified as Epsilon Red, this ransomware puts up huge ransom demands and has targeted at least one US organization.

About Epsilon Red Ransomware

Researchers from Sophos have recently shared insights about the Epsilon Red ransomware in their post. As elaborated, the malware has adopted its name from the Marvel Comics’ X-Men antagonist Epsilon Red.

Regarding the malware, the researchers found it to be written in the Golang (Go) programming language. The attack chain relies on a set of PowerShell scripts that pave the way for the actual payload. These preparatory steps include disabling security programs, backups, Office apps, and email clients, deleting Volume Shadow copies, extracting password hashes, clearing Event Logs, suspending other service processes, and gaining extended permissions on the device.

These activities begin right after the ransomware reaches the target system. In the final stage, the actual payload is downloaded and executed. It is a fairly small file, since all it does is encrypt data. Regarding this payload, the researchers stated,

The ransomware itself, called RED.exe, is a 64-bit Windows executable programmed in the Go language, compiled using a tool called MinGW, and packed with a modified version of the runtime packer UPX.

The ransomware has no target list, which means it encrypts all the data in any folder it comes across. This even includes executable files and DLLs, which may render various processes non-functional. It renames each encrypted file by appending a “.epsilonred” extension. Once done, it places the ransom note in each targeted folder.
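The rename behaviour described above gives defenders a simple signal to hunt for. The following is an added example (not Sophos' code and not from the article) that scans file-rename events for bursts of files gaining the “.epsilonred” extension in one folder and notes when executables or DLLs were hit; the event tuples and their format are a constructed stand-in for EDR or file-integrity telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Extension appended to encrypted files, as reported in the Sophos write-up.
ENCRYPTED_EXT = ".epsilonred"
BINARY_EXTS = {".exe", ".dll"}

# Constructed sample rename events (timestamp, new path); not real telemetry.
SAMPLE_EVENTS = [
    ("2021-05-28T10:00:01", r"C:\Share\Docs\report.docx.epsilonred"),
    ("2021-05-28T10:00:02", r"C:\Share\Docs\budget.xlsx.epsilonred"),
    ("2021-05-28T10:00:04", r"C:\Share\Docs\notes.txt.epsilonred"),
    ("2021-05-28T10:00:05", r"C:\Share\Docs\slides.pptx.epsilonred"),
    ("2021-05-28T10:00:07", r"C:\Apps\Tool\app.exe.epsilonred"),
    ("2021-05-28T10:00:08", r"C:\Apps\Tool\helper.dll.epsilonred"),
    ("2021-05-28T10:00:09", r"C:\Apps\Tool\config.ini.epsilonred"),
    ("2021-05-28T10:30:00", r"C:\Users\bob\old.bak.epsilonred"),  # lone file, below threshold
    ("2021-05-28T10:31:00", r"C:\Users\bob\photo.jpg"),           # unrelated rename
]


def detect_epsilon_red(events, window=timedelta(seconds=60), threshold=3):
    """Flag folders where at least `threshold` files gained the .epsilonred
    extension within any `window`-long span. Also list executables/DLLs hit,
    since Epsilon Red encrypts those too and breaks processes that need them."""
    per_folder = defaultdict(list)
    for ts, path in events:
        if not path.lower().endswith(ENCRYPTED_EXT):
            continue
        folder, name = ntpath.split(path)
        original = name[: -len(ENCRYPTED_EXT)]  # name before the extension was added
        per_folder[folder].append((datetime.fromisoformat(ts), original))

    findings = {}
    for folder, items in per_folder.items():
        items.sort()
        start, best = 0, 0
        for end in range(len(items)):
            # Slide the left edge until the span fits inside `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            binaries = [n for _, n in items if ntpath.splitext(n)[1].lower() in BINARY_EXTS]
            findings[folder] = {"max_in_window": best, "binaries_hit": binaries}
    return findings


if __name__ == "__main__":
    for folder, info in detect_epsilon_red(SAMPLE_EVENTS).items():
        print(folder, info)
```

The threshold and window are tuning knobs; a single renamed file (as in the C:\Users\bob sample) stays below the bar, while a burst in one folder is reported.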

While this ransomware has only recently caught attention, it has already targeted at least one victim in the US hospitality sector. As for its entry point, the researchers explained that it possibly exploits vulnerable Microsoft Exchange servers. Although it is currently unclear how the malware achieves that, exploitation of ProxyLogon cannot be ruled out.

Technical details about Epsilon Red are available in the researchers’ post.
