New ransomware Epsilon Red has been found by Sophos researchers who detail the tools, techniques, procedures, and behaviour of the attackers behind it.
Sophos’ researchers have discovered that the Epsilon Red ransomware is delivered as the final executable payload in a manually orchestrated attack; according to their analysis, every other component of the attack relies on PowerShell scripts.
The PowerShell scripts include:
- A script that executes a command to delete Volume Shadow Copies from the infected computer, making it harder for the target to recover some or all the files encrypted by the attackers.
- A script used to uninstall various security and backup programs that may be present on the infected computer. It looks for specific programs, but also anything with the words “Backup” or “Cloud” in the title bar, and then attempts to kill and uninstall it. The attackers also try to disable or kill processes that, if they were running, might prevent encryption of valuable data on the hard drive. Examples of this include database services, backup programs, office applications, email clients, QuickBooks, and even the Steam gaming platform.
- A script that appears to be a clone of an open-source tool called Copy-VSS, which an attacker can potentially use to retrieve and crack passwords saved on the computer.
- A script the Sophos researchers say appears to be a compiled version of the open-source tool EventCleaner, created to erase or manipulate the contents of Windows event logs. The attackers used it to remove evidence of what they had done.
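A detection-side illustration of the scripted behaviours listed above, added here as an example (it is not Sophos’ tooling nor any of the attackers’ scripts): it scans constructed process-creation records for shadow-copy deletion, killing of software with “Backup” or “Cloud” in its name, and event-log clearing, and only raises an alert when one host shows more than one of those behaviours inside a short window. The record format, host and process names, and the regex patterns are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns are this example's assumption of how the behaviours Sophos describes
# would appear on a command line; they are not Sophos-published indicators.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("backup_or_cloud_software_killed",
     re.compile(r"\b(taskkill|stop-process|stop-service)\b.*(backup|cloud)", re.I)),
    ("event_log_cleared", re.compile(r"\b(wevtutil(\.exe)?\s+cl\b|clear-eventlog)", re.I)),
]
# Hypothetical "<ts> host=<h> user=<u> cmd=<command line>" record format.
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")
# Constructed sample telemetry: FS01 shows the chained behaviours, WS07 only a
# single process kill, and the last line is malformed and must be skipped.
SAMPLE_LOGS = [
    "2021-05-20T02:14:09Z host=FS01 user=SYSTEM cmd=vssadmin.exe delete shadows /all /quiet",
    "2021-05-20T02:14:12Z host=FS01 user=SYSTEM cmd=taskkill /F /IM AcmeBackupAgent.exe",
    "2021-05-20T02:15:40Z host=FS01 user=SYSTEM cmd=wevtutil.exe cl Security",
    "2021-05-20T09:00:01Z host=WS07 user=jdoe cmd=taskkill /F /IM CloudSyncClient.exe",
    "malformed line that should be skipped",
]

def parse_line(line):
    """Parse one record into a dict (ts as datetime), or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def match_rules(cmd):
    """Return the labels of every rule whose pattern matches the command line."""
    return [label for label, pat in RULES if pat.search(cmd)]

def correlate(lines, window=timedelta(minutes=30), min_behaviours=2):
    """Flag hosts showing >= min_behaviours distinct behaviours within `window`
    of that host's first rule hit; a single hit on its own is not alerted."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        for label in match_rules(rec["cmd"]):
            hits[rec["host"]].append((rec["ts"], label))
    alerts = {}
    for host, events in hits.items():
        first = min(ts for ts, _ in events)
        labels = {lbl for ts, lbl in events if ts - first <= window}
        if len(labels) >= min_behaviours:
            alerts[host] = sorted(labels)
    return alerts
```

Running `correlate(SAMPLE_LOGS)` flags only FS01, which is the point: any one of these commands can be legitimate administration, but several of them on one host within minutes is the precursor pattern worth paging on.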
Sophos says the ransom note left behind on the infected computers resembles the one left by REvil ransomware, although the Epsilon Red operators appear to have corrected some of its grammar.
The attackers encourage victims to engage with them via a website. Based on the cryptocurrency address provided by the attackers, it would seem at least one of Epsilon Red’s victims paid a ransom of 4.29 BTC (around US$210,000).
“Epsilon Red is an intriguing new ransomware,” says Sophos Rapid Response manager, Peter Mackenzie.
“The actual ransomware file itself is very pared down, probably because it has offloaded other tasks, such as deleting backups, to the PowerShell scripts. It is really only used for file encryption, and it doesn’t precision-target assets. If it decides to encrypt a folder, it will encrypt everything inside that folder.
“Unfortunately, this can mean other executables and dynamic link libraries (DLLs) are also encrypted, which can disable key running programs or the entire system. As a result, the attacked machine will need to be completely rebuilt,” he says.
Sophos’ analysis of the attackers’ behaviour suggests they may lack confidence in the reliability of their tools or the likely success of their attack, so they include alternative options and backup plans in case something fails.
“Early on in the attack sequence the operators download and install a copy of Remote Utilities and the Tor Browser, possibly to ensure an alternate foothold if the initial access point gets locked down,” says Sophos.
“In other cases we see the operators issue redundant commands that use a slightly different method to accomplish the same goal, such as deleting processes and backups. The best way to prevent ransomware such as Epsilon Red is to ensure servers are fully patched and that security solutions can detect and block any suspicious behaviour and attempted file encryption.”