skip to Main Content

At The Identity Organisation, we're here to help!

    Your privacy is important to us, and we want to communicate with you in a way which has your consent and which is in line with UK Law on data protection. As a result of a change in UK law on 25th May 2018, by providing us with your personal details you consent to us processing your data in line with current GDPR requirements.

    Here is where you can review our Privacy & GDPR Statement

    To remove consent at any time, please e-mail with the word "unsubscribe" as the subject.

    +44 (0) 1628 308038

    New Ransomware Strain Epsilon Red is Reported

    New Ransomware Strain Epsilon Red

    Researchers at Sophos report finding a new ransomware strain in the wild. They call it “Epsilon Red.” The malware is written in GO, and it was delivered as the final executable payload in a hand-controlled attack against a target in the US hospitality sector.

    “It appears that an enterprise Microsoft Exchange server was the initial point of entry by the attackers into the enterprise network,” Sophos said. “It isn’t clear whether this was enabled by the ProxyLogon exploit or another vulnerability, but it seems likely that the root cause was an unpatched server. From that machine, the attackers used WMI to install other software onto machines inside the network that they could reach from the Exchange server.”

    Why Epsilon Red? Sophos shares the etymology, which may be news for any not fully au courant with the Marvel universe. In this case the name comes from the threat actors themselves.

    “The name Epsilon Red, like many coined by ransomware threat actors, is a reference to pop culture. The character Epsilon Red was a relatively obscure adversary of some of the X-Men in the Marvel extended universe, a ‘super soldier’ alleged to be of Russian origin, sporting four mechanical tentacles and a bad attitude.”

    While the campaign uses complex layers of deception, the ransomware proper is, Sophos says, “barebones.” It’s a 64-bit Windows executable, and all it does is encrypt the files in the target system. Other functions, like communication, deleting shadow copies, killing processes, and so forth, have been, according to the researchers, “outsourced” to the PowerShell scripts. The whole Red Epsilon package performs these actions against its targets:

    • It kills processes and services for security tools, databases, backup programs, Office apps, and email clients.
    • It deletes Volume Shadow Copies.
    • It steals password hashes contained in the Security Account Manager file.
    • It deletes Windows Event Logs.
    • It disables Windows Defender.
    • It suspends selected processes.
    • It uninstalls security tools (included tools by Sophos, Trend Micro, Cylance, MalwareBytes, Sentinel One, Vipre, and Webroot).
    • Finally, it expands permissions on the system.

    Vulnerable Microsoft Exchange Server instances have been Epsilon Red’s point of entry into victim networks. Patching and other cyber hygiene essentials are matters for human operators, and the more aware, the more alert they are to the consequences of lapses, the better for their organization’s security. New-school security awareness training is never a bad idea.

    Sophos has the story.

    Free Ransomware Simulator Tool

    Bad guys are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

    KnowBe4’s “RanSim” gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 20 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.


    Here’s how it works:

    • 100% harmless simulation of real ransomware and cryptomining infections
    • Does not use any of your own files
    • Tests 21 types of infection scenarios
    • Just download the install and run it 
    • Results in a few minutes!

    PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser:

    Sign Up to the TIO Intel Alerts!

    Back To Top