A bare-bones Go ransomware, staged by a set of PowerShell scripts after the attackers got in through an unpatched Exchange server, may be the work of REvil operators, its ransom note suggests.
Author: Elizabeth Montalbano
Threat actors have deployed new ransomware with the help of a set of PowerShell scripts that stage the encryption payload, after exploiting flaws in unpatched Exchange servers to get into the corporate network, according to recent research.
Researchers from security firm Sophos detected the new ransomware, called Epsilon Red, in an investigation of an attack on a U.S.-based company in the hospitality sector, Sophos Principal Researcher Andrew Brandt wrote in a report published online.
The name – coined by the attackers themselves, who may be the same crew behind the REvil ransomware – is a reference to an obscure enemy character in the X-Men Marvel comics. The character is a “‘super soldier’ alleged to be of Russian origin” armed with four mechanical tentacles – which seems to represent the way the ransomware spreads its hooks into a corporate network, Brandt wrote.
While the malware itself is a “bare-bones” 64-bit Windows executable programmed in the Go programming language, its delivery system is a bit more sophisticated, relying on a series of PowerShell scripts that “prepared the attacked machines for the final ransomware payload and ultimately delivered and initiated it,” he wrote.
The potential link to the REvil group came in the ransom note left on infected computers, which “resembles the note left behind by REvil ransomware, but adds a few minor grammatical corrections” that make it more readable to native English speakers, Brandt wrote. However, the name of the ransomware and the tooling appeared to be unique to the particular attacker, and there were no further similarities to the typical REvil attack vector.
The victim in the attack observed by Sophos ended up paying a ransom of 4.29 Bitcoin on May 15, the equivalent of about $210,000 at that time, according to the report.
The initial point of entry was an unpatched Microsoft Exchange server. From there the attackers used Windows Management Instrumentation (WMI), the built-in Windows management interface that administrators use to run commands and scripts on local and remote machines, to install other software on machines inside the network that were reachable from the Exchange server.
It’s not entirely clear if attackers leveraged the infamous Exchange ProxyLogon exploit that was a major pain point for Microsoft earlier in the year. However, the unpatched server used in the attack was indeed vulnerable to this exploit, Brandt observed.
During the attack, threat actors launched a series of PowerShell scripts, numbered 1.ps1 through 12.ps1, as well as some that were named with a single letter from the alphabet, to prepare the attacked machines for the final ransomware payload. The scripts also delivered and initiated the Epsilon Red payload, he wrote.
The PowerShell scripts use a “rudimentary form of obfuscation” that didn’t hinder Sophos researchers’ analysis but “might be just good enough to evade the detection of an anti-malware tool that’s scanning the files on the hard drive for a few minutes, which is all the attackers really need,” Brandt noted.
The ransomware itself is a file called RED.exe that’s compiled using a tool called MinGW and packed with a modified version of the runtime packer UPX. The payload includes some code from an open-source project on GitHub called “godirwalk,” enabling it to scan the hard drive on which it’s running for directory paths and to compile them into a list, Brandt explained.
“The ransomware then spawns a new child process that encrypts each subfolder separately, which after a short amount of time results in a lot of copies of the ransomware process running simultaneously,” he wrote.
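The two behaviours described above, WMI-driven execution from the Exchange server and the per-subfolder fan-out of RED.exe, both leave a recognisable shape in process-creation telemetry. The following Python is an added example, not Sophos' code or the attackers' tooling: it runs three checks over constructed events shaped like Sysmon Event ID 1 records (Image, ParentImage, CommandLine). Commands run through WMI appear with WmiPrvSE.exe as their parent; the stager scripts are named like 1.ps1 or a.ps1; and the ransomware shows up as one parent spawning many copies of the same image within seconds. Hosts, PIDs, paths, the 30-second window and the threshold of five children are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed process-creation events, shaped like Sysmon Event ID 1 fields
# (Image, ParentImage, CommandLine). Host names, PIDs and paths are
# hypothetical; 1.ps1 and RED.exe are the file names from the Sophos report.
SAMPLE_EVENTS = [
    # WMI-driven execution on a workstation: WmiPrvSE.exe hosts the command
    # and therefore shows up as the parent of the PowerShell stager.
    {"ts": "2021-05-14T02:10:05", "host": "WS01", "pid": 4120, "ppid": 1488,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"powershell.exe -ep bypass -f C:\Users\Public\1.ps1"},
    # A benign interactive shell and two benign service hosts, for contrast.
    {"ts": "2021-05-14T02:11:30", "host": "WS01", "pid": 4200, "ppid": 3020,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
    {"ts": "2021-05-14T02:11:40", "host": "WS01", "pid": 4300, "ppid": 900,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"ts": "2021-05-14T02:11:41", "host": "WS01", "pid": 4304, "ppid": 900,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k LocalService"},
]
# The encryption fan-out: the first RED.exe (pid 5000) spawning one copy per
# subfolder within a few seconds. The report does not say how the subfolder is
# handed to the child, so the command line is left bare (assumption).
SAMPLE_EVENTS += [
    {"ts": f"2021-05-14T02:12:{10 + i:02d}", "host": "WS01", "pid": 5001 + i,
     "ppid": 5000, "image": r"C:\Users\Public\RED.exe",
     "parent_image": r"C:\Users\Public\RED.exe", "cmdline": "RED.exe"}
    for i in range(6)
]

# 1.ps1 .. 12.ps1 or a single letter, not preceded by another name character.
NUMBERED_PS1 = re.compile(r"(?<![\w.])(\d{1,2}|[a-z])\.ps1\b", re.IGNORECASE)


def basename(path):
    return PureWindowsPath(path).name.lower()


def wmi_spawned(events):
    """Processes whose parent is WmiPrvSE.exe, i.e. commands run through WMI."""
    return [e for e in events if basename(e["parent_image"]) == "wmiprvse.exe"]


def numbered_ps1(cmdline):
    """True if the command line runs a script named like 1.ps1 ... 12.ps1 or a.ps1."""
    return NUMBERED_PS1.search(cmdline) is not None


def process_fanout(events, threshold=5, window=timedelta(seconds=30)):
    """Parents that start at least `threshold` copies of one image inside `window`."""
    groups = defaultdict(list)
    for e in events:
        key = (e["host"], e["ppid"], basename(e["image"]))
        groups[key].append(datetime.fromisoformat(e["ts"]))
    hits = []
    for (host, ppid, image), times in groups.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):  # sliding window over sorted start times
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            hits.append({"host": host, "ppid": ppid, "image": image, "count": best})
    return hits


def hunt(events):
    """Combine the three checks into one report keyed by finding type."""
    return {
        "wmi_exec": wmi_spawned(events),
        "numbered_scripts": [e for e in events if numbered_ps1(e["cmdline"])],
        "fanout": process_fanout(events),
    }


if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_EVENTS).items():
        print(name, [(f.get("pid"), f.get("image")) for f in findings])
```

The thresholds are starting points, not verdicts: legitimate management agents also run commands through WMI, so WmiPrvSE.exe parentage is a triage lead to pair with the command line and the originating host, and build or backup tools can trip the fan-out count, which is why the image name and the parent's own origin belong in the alert. On live telemetry, replace `SAMPLE_EVENTS` with records read from the EDR or Sysmon channel and keep the same field names.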
The executable itself is small and “a simple program,” Brandt observed: it only encrypts the files on the system it runs on. It makes no network connections and carries no other critical functions; reconnaissance, preparation and delivery are all left to the PowerShell scripts.
Because the point of entry was a Microsoft Exchange server left unpatched against ProxyLogon, Sophos recommends that administrators apply the Exchange patches to every server as soon as possible. Patching closes the door but does not evict an intruder who is already inside, so a server that sat exposed should also be checked for the kind of activity described here, such as staged PowerShell scripts and unexpected WMI-driven execution, before it is trusted again.