New Epsilon Red ransomware hunts unpatched Microsoft Exchange servers (Security News, May 2021)

A new ransomware threat calling itself Epsilon Red has been seen leveraging Microsoft Exchange server vulnerabilities to encrypt machines across the network.
Epsilon Red ransomware attacks rely on more than a dozen scripts before reaching the encryption stage and also use a commercial remote desktop utility.
Incident responders at cybersecurity company Sophos discovered the new Epsilon Red ransomware over the past week while investigating an attack at a fairly large U.S. company in the hospitality sector.
One of these scripts, c.ps1, seems to be a clone of the penetration testing tool Copy-VSS. After breaching the network, the hackers reach machines over RDP and use Windows Management Instrumentation (WMI) to install software and run PowerShell scripts that ultimately deploy the Epsilon Red executable.
In typical ransomware fashion, Epsilon Red drops a ransom note in each folder it processes, with instructions on how to contact the attackers to negotiate a price for decrypting the data.
Despite being new to the ransomware business, the Epsilon Red gang has already attacked several companies, and the incidents are being investigated by multiple cybersecurity firms.
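The intrusion chain described above (WMI used to launch PowerShell scripts on remote hosts) leaves a recognisable trace in process-creation telemetry: the PowerShell process is a child of the WMI provider host, WmiPrvSE.exe, rather than of an interactive shell. The following detection example is added here and is not code from the news item or from Sophos. The log format is constructed for the demo (one JSON object per line carrying host, parent_image, image and command_line, the fields a Sysmon event 1 or Windows 4688 record would supply); the field names and the sample records are assumptions, and c.ps1 is the only script name taken from the page.

```python
"""Flag PowerShell launched through WMI in process-creation telemetry.

Added example, not from the news item or the Sophos write-up. Log format
and field names are constructed for the demo (assumption).
"""
import json
import re
from typing import Dict, Iterable, List

# WmiPrvSE.exe hosts WMI providers; processes created through
# Win32_Process.Create appear as its children.
WMI_HOST_PARENTS = {"wmiprvse.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Pull out .ps1 script names referenced on the command line.
SCRIPT_RE = re.compile(r"\b[\w\-]+\.ps1\b", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_wmi_powershell(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per PowerShell process whose parent is WmiPrvSE.exe.

    Malformed lines are skipped so a single bad record does not stop
    the scan of the rest of the log.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        parent = _basename(ev.get("parent_image", ""))
        image = _basename(ev.get("image", ""))
        if parent in WMI_HOST_PARENTS and image in POWERSHELL_IMAGES:
            cmd = ev.get("command_line", "")
            findings.append({
                "host": ev.get("host"),
                "parent": parent,
                "image": image,
                "scripts": [m.group(0) for m in SCRIPT_RE.finditer(cmd)],
            })
    return findings


# Constructed sample telemetry (assumption): two WMI-spawned PowerShell
# launches, one interactive PowerShell, one WMI-spawned installer, one
# truncated record.
SAMPLE_LOG = r"""
{"host": "ws-17", "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\Windows\\Temp\\c.ps1"}
{"host": "ws-02", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe"}
{"host": "srv-04", "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -NoProfile -EncodedCommand UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="}
{"host": "srv-04", "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "image": "C:\\Windows\\System32\\msiexec.exe", "command_line": "msiexec.exe /i C:\\Windows\\Temp\\agent.msi /qn"}
{"host": "ws-09", "parent_image": "C:\\Windows\\System32\\svchost.exe", "image": "C:\\Windows\\System32\\cmd.exe"
"""


if __name__ == "__main__":
    for f in flag_wmi_powershell(SAMPLE_LOG.splitlines()):
        print(f"{f['host']}: {f['parent']} -> {f['image']} scripts={f['scripts']}")
```

Running the block reports the two WMI-spawned PowerShell launches and leaves the interactive PowerShell and the WMI-spawned installer alone; the script list is attached so an analyst can pivot straight to the file (here c.ps1) that needs collecting. In production the same parent/child check would be expressed as a SIEM or EDR rule over the real event fields rather than over JSON lines.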