Security Affairs
FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

New Epsilon Red Ransomware appears in the threat landscape

Researchers spotted a new piece of ransomware named Epsilon Red that was employed at least in an attack against a US company. Researchers from Sophos spotted a new piece of ransomware, named Epsilon Red, that infected at least one organization in the hospitality sector in the United States. The name Epsilon Red comes from an […]

Epsilon Red ransomware

Researchers spotted a new piece of ransomware named Epsilon Red that was employed at least in an attack against a US company.

Researchers from Sophos spotted a new piece of ransomware, named Epsilon Red, that infected at least one organization in the hospitality sector in the United States. The name Epsilon Red comes from an adversary of some of the X-Men in the Marvel extended universe, it is a “super soldier” alleged to be of Russian origin, sporting four mechanical tentacles and a bad attitude. 

The security firm discovered that the address of the wallet provided by Epsilon Red operators to the US company was containing roughly $210,000 worth of Bitcoin, a circumstance that suggests that at least one victim paid the ransom.

The Epsilon Red ransomware was written in the Go programming language, it is human-operated ransomware, it is a multi-stage threat that involves PowerShell scripts.  

“During the attack, the threat actors launched a series of PowerShell scripts, numbered 1.ps1 through 12.ps1 (as well as some that just were named with a single letter from the alphabet), that prepared the attacked machines for the final ransomware payload and, ultimately delivered and initiated it.” reads the analysis published by Sophos.

Sophos researchers believe that an enterprise unpatched Microsoft Exchange server was the initial entry point, but it is still unclear if the attackers exploited the ProxyLogon exploit or another flaw. Then the attackers used WMI to install other software onto machines hosted in the targeted network. 

“The PowerShell orchestration was, itself, created and triggered by a PowerShell script named RED.ps1 that was executed on the target machines using WMI.” continues the analysis. “The script retrieves and unpacks into the system32 folder a .7z archive file that contains the rest of the PowerShell scripts, the ransomware executable, and another executable.”

Experts noticed that the ransom note dropped by Epsilon Red is similar to the used REvil ransomware operators, but with fewer grammatical errors

Epsilon Red ransomware

Experts noticed that the ransomware doesn’t contain a list of targeted file types, it encrypts every file in a folder and can potentially render the application and even the entire operating system becoming inoperable.

The ransomware itself is quite small as it only really is used to perform the encryption of the files on the targeted system. It makes no network connections, and because functions like killing processes or deleting the Volume Shadow Copies have been outsourced to the PowerShell scripts, it’s really quite a simple program.  

Once encrypted a file, the ransomware appends the “.epsilonred” extension to the filenames, and drops a ransom note in each folder.  

The ransomware leverages PowerShell scripts to modify firewall rules to allow the attackers’ remote connections, disable or kill processes that could lock file preventing encryption, delete the Volume Shadow Copy to prevent recovery of the files, uninstall security software, and delete Windows event logs, grant the “Everyone” group access permissions to every drive letter.

“Upon closer inspection, one of the first things the attackers did after gaining access to the target’s network was to download and install a copy of Remote Utilities and the Tor Browser, so this seems like a way to reassure themselves they will have an alternate foothold if the initial access point gets locked down.” continues the analysis.

The attackers used the Remote Utilities commercial solution to maintain access to compromised systems in case their initial entry point gets closed.

Researchers have not found any link between the Epsilon Red operators and other threat actors.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Epsilon Red ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]