This new ransomware is targeting unpatched Microsoft Exchange servers

Campaign has already made over $200,000


Cybersecurity researchers have witnessed a never-seen-before strain of Windows ransomware that was able to compromise an unpatched Microsoft Exchange email server and make its way into the network of a US-based hospitality business.

In a detailed post, analysts from Sophos revealed that the ransomware, written in the Go programming language, calls itself Epsilon Red.

Based on the cryptocurrency address provided by the attackers, Sophos believes that at least one Epsilon Red victim paid a ransom of 4.29 BTC on May 15th, or about $210,000.


“It appears that an enterprise Microsoft Exchange server was the initial point of entry by the attackers into the enterprise network. It isn’t clear whether this was enabled by the ProxyLogon exploit or another vulnerability, but it seems likely that the root cause was an unpatched server,” writes Sophos principal researcher Andrew Brandt.

Powershell ransomware


Once Epsilon Red has made its way into a machine, it uses Windows Management Instrumentation (WMI) to install other software on any machine inside the network that it can reach from the Exchange server.

Sophos reports that during the attack, the threat actors launch a series of PowerShell scripts to prepare the compromised machines for the final ransomware payload. This includes, for example, deleting the Volume Shadow Copies so that encrypted machines cannot be restored from them, before ultimately delivering and launching the ransomware itself.

The ransomware binary itself is quite small and does little beyond encrypting files, since every other stage of the attack is handled by the PowerShell scripts.
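As an added defender-side illustration (this is not code from the article or from Sophos's report), the following Python scans process-creation log records for the two behaviours described above: shadow-copy deletion via vssadmin, wmic or WMI from PowerShell, and processes launched through the WMI provider host. All hostnames, paths and log lines are constructed samples in the shape of Sysmon Event ID 1 / Windows 4688 records.

```python
import re

# Constructed sample process-creation records (not from the article).
SAMPLE_EVENTS = [
    {"host": "EXCH01", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "WS-042", "parent": "WmiPrvSE.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Windows\\Temp\\stage.ps1"},
    {"host": "WS-042", "parent": "powershell.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

# Command-line forms of the shadow-copy deletion step the article describes:
# the vssadmin and wmic utilities, and the Win32_ShadowCopy WMI class
# invoked from PowerShell.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),
]


def classify(event):
    """Return the list of alert tags that apply to one process-creation event."""
    tags = []
    if any(p.search(event["cmdline"]) for p in SHADOW_DELETE_PATTERNS):
        tags.append("shadow_copy_deletion")
    # A process whose parent is the WMI provider host was started through
    # WMI, typically from another machine, which is how the article says
    # Epsilon Red pushes its tooling from the Exchange server to other hosts.
    if event["parent"].lower() == "wmiprvse.exe":
        tags.append("wmi_remote_exec")
    return tags


def scan(events):
    """Map each host to the set of alert tags seen there; clean hosts are omitted."""
    findings = {}
    for ev in events:
        for tag in classify(ev):
            findings.setdefault(ev["host"], set()).add(tag)
    return findings


if __name__ == "__main__":
    for host, tags in scan(SAMPLE_EVENTS).items():
        print(host, sorted(tags))
```

A host that shows both tags within a short window, as WS-042 does in the sample, matches the pre-encryption staging pattern described above and is worth isolating before the encryptor runs.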


The researchers note that the ransomware’s executable contains code lifted from an open source project called godirwalk, which it uses to walk the drive and compile a list of the files it finds.

Perhaps the strangest aspect of the entire campaign is that Epsilon Red’s ransom note “closely resembles” the one dropped by the threat actors behind the REvil ransomware, albeit a little more grammatically refined so that it reads naturally to native English speakers.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
