New ransomware written in Golang called Epsilon Red was recently unearthed by security experts. This ransomware is delivered as the final executable payload in a human-controlled attack. According to Sophos analysts, it was observed in attacks aimed at U.S.-based hospitality businesses.
What has happened?
The attackers launched a series of PowerShell scripts, numbered 1.ps1 to 12.ps1 that prepared the targeted machines for the execution of the final ransomware payload.
It is suspected that the attacker exploited an unpatched Microsoft Exchange Server vulnerability.
The attackers used WMI to install other software onto targeted systems that were accessible from that compromised Exchange server.
According to the cryptocurrency address given by the attackers, it appears that at least one of their victims paid a ransom of 4.29 BTC on May 15 (valued at $210,000).
The name and the tooling were unique to this attacker. The ransom note on infected computers had some resemblance with that of REvil’s, however, the former has a few minor grammatical corrections.x
About Epsilon Red
The ransomware itself is called RED.exe, which is a 64-bit Windows executable programmed in Golang and compiled using MinGW. Additionally, it is packed with a modified version of UPX.
The executable has some code taken from an open-source project called godirwalk, which allows it to scan the hard drive on which it is running for directory paths and compile them into a list.
After the scan, it creates a new child process that encrypts every subfolder independently, resulting in a lot of copies of the ransomware process running altogether.
With a high rate of success in ransomware attacks, it has become a lucrative business. This results in the popping up of new ransomware more often than not. So far, Epsilon Red has been used to target the U.S. hospitality sector, however, it can expand to other countries and sectors as well. Therefore, as a precautionary measure, it is suggested to take a backup of important data to limit the scope of the damage.