Cybersecurity solutions firm Sophos has unmasked new stripped-down ransomware called Epsilon Red that offloads most of its functionality to a series of PowerShell scripts. The ransomware was found in an unpatched server of Microsoft Exchange server which served as a main entry point to the network.

Sophos said Epsilon Red is a reference to pop culture, “a relatively obscure adversary of the X-Men in the Marvel extended universe, Epsilon Red was a ‘super-soldier’ of Russian origin, sporting four mechanical tentacles and a lousy attitude.”

According to Sophos researchers, Epsilon Red was delivered as the final executable payload in a hand-controlled attack against a US-based business in the hospitality industry in which every other early-stage component was a PowerShell script.

Keep ransomware at bay with Sophos Managed Threat Response

Sophos to secure 5G Qualcomm PCs with Intercept X

“Based on the cryptocurrency address provided by the attackers, it appears that at least one of their victims paid a ransom of 4.29BTC on May 15th (valued at roughly $210,000 on that date),” the researchers said. “While the name and the tooling were unique to this attacker, the ransom note left behind on infected computers resembles the message by REvil ransomware but adds a few minor grammatical corrections. There were no other apparent similarities between the Epsilon Red ransomware and REvil.”

Learn more about REvil here.

“Epsilon Red is the intriguing new ransomware,” said Peter Mackenzie, manager of the Sophos Rapid Response. “The actual ransomware file itself is very pared down, probably because it has offloaded other tasks, such as deleting backups, to the PowerShell scripts. It is only used for file encryption, and it doesn’t precision-target assets: if it decides to encrypt a folder, it will encrypt everything inside that folder. Unfortunately, this can mean other executables and dynamic link libraries (DLLs) are encrypted, which can disable critical running programs or the entire system. As a result, the attacked machine will need to be rebuilt entirely.”

Windows Management Instrumentation

By using a WMI (Windows Management Instrumentation), attackers were able to install software onto devices inside the network that they could reach from the Exchange server from that machine, according to Sophos.

Attackers executed a script to delete Volume Shadow Copies from the infected computer to make it harder for the target to recover some or all of the files encrypted by the attackers. The script has the ability to uninstall various security and backup programs that might be present on the infected computer. It would look for obvious keywords such as “Backup” or “Cloud” in the title bar and then attempts to kill and uninstall it.

The attackers also try to disable or kill processes that, if they were running, might prevent complete encryption of valuable data on the hard drive. Examples of this include database services, backup programs, office applications, email clients, QuickBooks, and even the Steam gaming platform.

The researchers further explained that a script that appears to be a clone of an open-source tool called Copy-VSS, which an attacker could use to retrieve and crack passwords saved on the computer. A script appears to be a compiled version of the open-source tool, EventCleaner, created to erase or manipulate the contents of Windows event logs. The attackers used it to remove evidence of what they had done.

Sophos endpoint products, such as Intercept X, protect users by detecting the actions and behaviors of ransomware and other attacks. The CryptoGuard feature blocks the act of attempting to encrypt files.