Intriguing in its pared-down code and reliance on PowerShell scripts, this Epsilon Red malware encrypts even executables and dynamic link libraries.

A new ransomware has been uncovered, and it is called Epsilon Red

According to the Sophos researchers who discovered it, this is a stripped-down ransomware written in the Go programming language.

The malware offloads most of its functionality to a series of PowerShell scripts. The name Epsilon Red is a reference to the character in X-Men in the Marvel extended universe. He is a ‘super soldier’ alleged to be of Russian origin who sports four mechanical tentacles and a bad attitude to match. 

The researchers uncovered discovered Epsilon Red as the final executable payload in a manually orchestrated attack. They have concluded that every other component of the attack relied on PowerShell scripts.

Four tentacles, four scripts 

The Epsilon Red PowerShell scripts include:

  • A script that executes a command to delete Volume Shadow Copies from the infected computer, to make it harder for the target to recover some or all of the files encrypted by the attackers
  • A script to uninstall various security and backup programs that may be present on the infected computer. It looks for specific programs but also anything with the words ‘Backup’ or ‘Cloud’ in the title bar, and then attempts to kill and uninstall it. The attackers also try to disable or kill processes that, if they were running, may prevent a complete encryption of valuable data on the hard drive. Examples of this include database services, backup programs, office applications, email clients, QuickBooks, and even the Steam gaming platform
  • A script that appears to be a clone of an open source tool called Copy-VSS, which an attacker could use to retrieve and crack passwords saved on the computer
  • A script that, according to Sophos researchers, appears to be a compiled version of the open-source tool, EventCleaner, created to erase or manipulate the contents of Windows event logs. The attackers used it to remove evidence of what they had done

The ransom note left behind on infected computers resembles one that is left behind by REvil ransomware, although the Epsilon Red operators appear to corrected a few grammatical issues. Victims are encouraged to engage with them the attackers via a special website. 

Based on the cryptocurrency address provided by the attackers, it appears that at least one of Epsilon Red’s victims had paid a ransom of 4.29BTC (around US$210,000.) 

Said Peter Mackenzie, manager of the Sophos Rapid Response team: “Epsilon Red doesn’t precision-target assets: if it decides to encrypt a folder, it will encrypt everything inside that folder. Unfortunately, this can mean other executables and dynamic link libraries (DLLs) are also encrypted, which can disable key running programs or the entire system. As a result the attacked machine will need to be completely rebuilt.”

The attackers’ behavior suggests they may lack confidence in the reliability of their tools or in the potential success of their attack, so they implement alternative options and backup plans in case things fail, Mackenzie said.

For instance, early on in the attack sequence the operators download and install a copy of Remote Utilities and the Tor Browser, possibly to ensure an alternate foothold if the initial access point gets locked down. 

“In other cases we see the operators issue redundant commands that use a slightly different method to accomplish the same goal, such as deleting processes and backups. The best way to such ransomware from taking hold is to ensure servers are fully patched and that your security solution can detect and block any suspicious behavior and attempted file encryption,” Mackenzie advised.