Epsilon Red – our research reveals more than 3.5 thousand servers are still vulnerable

Epsilon Red – our research reveals more than 3.5 thousand servers are still vulnerable

Several weeks later, security researchers from Sophos have discovered a new ransomware variant known as Epsilon Red. Now, we know exactly how it was carried out – and what you should do to be safe from it.

Seemingly, a variant of the ransomware, Epsilon Red, relies on vulnerable Microsoft Exchange servers. Threat actors use them to launch mass server exploitation campaigns and try to expose companies’ information for revenue.

It works: one of the victims has already paid over $200,000 in Bitcoin, setting a dangerous precedent of companies giving into the demands of cyber criminals to prevent a possible data leak and damage to their reputation and loss of operations due to crippled IT services after important file encryption.

We have some basic information about REvil, another ransomware group that employs affiliates to launch attacks and has a similar ransom note to Epsilon Red, after having applied to work with the ransomware group earlier this year. We’ve also covered the Epsilon Red variant on CyberNews. Now, we have some additional information, including the vulnerabilities it uses and the servers it affects.

Research findings

During our research, we checked all publicly obtainable sources offering actionable intelligence on Epsilon Red. Our findings suggest that the new ransomware variant appears to be properly detected by the majority of leading antivirus vendors.

This specific ransomware variant is attempting to propagate using a variety of recently discovered Microsoft Exchange server vulnerabilities, such as CVE-2020-1472, CVE-2021-26855, CVE-2021-27065 to drop ransomware on the affected hosts.

We found 695 vulnerable ZeroLogon servers in the US, additional 71 vulnerable servers in Australia, and 36 more in Argentina. These servers are directly susceptible and exploitable by the Epsilon Red ransomware campaign.

Chart showing numbers on vulnerable zerologon servers in different countries

Where are the IoCs (Indicators of Compromise)?

We found some of the host based IoC’s (Indicators of Compromise) during an investigation. From our research, we can conclude that this appears to be yet another copycat ransomware release. The operators behind the Epsilon Red variant are attempting to gain traction and get as many infections as possible..

A ransom note appears to be similar to the original ransom note presented by the REvil ransomware, barring a few grammatical fixes.

Ransom note

[+] What’s Happened? [+]

Your files have been encrypted and currently unavailable. You can check it. All files in your system have “EpsilonRed” extension. By the way, everything is possible to recover (restore) but you should follow our instructions. Otherwise you can NEVER return your data.

[+] What are our guarantees? [+]

It’s just a business and we care only about getting benefits. If we don’t meet our obligations, nobody will deal with us. It doesn’t hold our interest. So you can check the ability to restore your files. For this purpose you should come to talk to us we can decrypt one of your files for free. That is our guarantee. It doesn’t metter for us whether you cooperate with us or not. But if you don’t, you’ll lose your time and data cause only we have the private key to decrypt your files. time is much more valuable than money.

[+] Data Leak [+]

We uploaded your data and if you dont contact with us then we will publish your data.

Example of data:

– Accounting data
– Executive data
– Sales data
– Customer support data
– Marketing data
– And more other …

[+] How to Contact? [+]

You have two options :

1. Chat with me :

-Visit our website: hxxp://[redacted]/support/NegotiationArea/[redacted]/
-When you visit our website, put the following KEY into the input form.
-Then start talk to me.

2. Email me at : [redacted]@protonmail.com


!!! DANGER !!!

DON’T try to change files by yourself, DON’T use any third party software or antivirus solutions to restore your

data – it may entail the private key damage and as a result all your data loss!

!!! !!! !!!

ONE MORE TIME: It’s in your best interests to get your files back. From our side we ready to make everything for

restoring but please do not interfere.

!!! !!! !!

How to stay safe from Epsilon Red?

If faced with a ransom demand, the affected party should immediately report the ransomware email to the law enforcement.

The next key factor is to have a proper defense in-depth protection strategy. This includes the use of zero-knowledge online backup of crucial information. If cybercriminals cannot access sensitive information, they will have nothing to blackmail the company with. Keep in mind that prevention is a much more practical solution than cure.

The recently implemented Ransomware Task Force is a step in the right direction. However, a more pragmatic way to ransomware scams that would employ a central information sharing database should also be considered in the future.

This would allow for using actual information for research purposes, reaching out to law enforcement in a systematic way, and presenting actionable intelligence on cyber threat actors to leading antivirus vendors.

What users and organizations should keep in mind when dealing with cryptoviral extortion – today’s modern ransomware threat – is not to pay the actual amount and rely on zero-knowledge online backup for crucial business and personal information. The fewer payments the criminals will get, the fewer threats they will pose in the future.