A new form of ransomware dubbed “Epsilon Red” has been found in the wild targeting unpatched Microsoft Corp. Exchange servers.

First detected by security researchers at Sophos plc and revealed Friday, the ransomware was found targeting a U.S.-based business in the hospitality industry. Delivered as the final executable payload in a hand-controlled attack, the ransomware demanded a payment of 4.29 bitcoin, valued at the time at about $210,000.

According to the security researchers, the name and tooling in the ransomware attack were unique to the attackers. Although the ransom note resembled the standard message left behind by the well-known REvil ransomware gang, there were grammatical changes.

The gateway was an enterprise Microsoft Exchange server. “It isn’t clear whether this was enabled by the ProxyLogon exploit or another vulnerability, but it seems likely that the root cause was an unpatched server,” the researchers explained. “From that machine, the attackers used WMI to install other software onto machines inside the network that they could reach from the Exchange server.”

As coined by those behind the new ransomware, the name Epsilon Red is a pop-culture reference to a character in the X-Men comic books.

Epsilon Red is written in Golang (Go), an open-source programming language described as easy to build simple, reliable and efficient software. Preceded by PowerScripts that prepare the target, the ransomware has multiple stages.

Starting with killing processes and services for security tools, databases, backup programs, Microsoft Office apps and email clients, the ransomware deletes all Volume Shadow Copies. The ransomware then steals the Security Account Manager file containing password hashes, deletes Windows Event Logs, disables Windows Defender. Finally it suspends processes, uninstalls security tools and expands permissions on the system.

Having gotten rid of any impediments, Epsilon Red then uses Windows Management Instrumentation to install software and run PowerShell scripts that then deploy the main ransomware executable.

The rest of the process comes as no surprise. The executable encrypts files and steals data, victims are informed of the attack and a ransom payment is demanded.

“As the ingress point for this attack appears to have been an Exchange server vulnerable to the ProxyLogon exploit chain, customers are urged to patch internet-facing Exchange servers as quickly as possible,” the researchers concluded.

Image: Sophos