7z archive file that contains the rest of the PowerShell scripts, the ransomware executable, and another executable. The script retrieves and unpacks into the system32 folder a. The PowerShell orchestration was, itself, created and triggered by a PowerShell script named RED.ps1 that was executed on the target machines using WMI. Laying the groundwork using PowerShellĭuring the attack, the threat actors launched a series of PowerShell scripts, numbered 1.ps1 through 12.ps1 (as well as some that just were named with a single letter from the alphabet), that prepared the attacked machines for the final ransomware payload and, ultimately delivered and initiated it. The character Epsilon Red was a relatively obscure adversary of some of the X-Men in the Marvel extended universe, a “super soldier” alleged to be of Russian origin, sporting four mechanical tentacles and a bad attitude.
The name Epsilon Red, like many coined by ransomware threat actors, is a reference to pop culture.
From that machine, the attackers used WMI to install other software onto machines inside the network that they could reach from the Exchange server. It isn’t clear whether this was enabled by the ProxyLogon exploit or another vulnerability, but it seems likely that the root cause was an unpatched server. It appears that an enterprise Microsoft Exchange server was the initial point of entry by the attackers into the enterprise network. There were no other obvious similarities between the Epsilon Red ransomware and REvil. While the name and the tooling were unique to this attacker, the ransom note left behind on infected computers resembles the note left behind by REvil ransomware, but adds a few minor grammatical corrections.
The malware was delivered as the final executable payload in a hand-controlled attack against a US-based business in the hospitality industry in which every other early-stage component was a PowerShell script.īased on the cryptocurrency address provided by the attackers, it appears that at least one of their victims paid a ransom of 4.29BTC on May 15 th (valued at roughly $210,000 on that date). In the past week, Sophos analysts uncovered a new ransomware written in the Go programming language that calls itself Epsilon Red.