Sophos security researchers have uncovered a new ransomware variant known as Epsilon Red. The strain appears to rely on vulnerable Microsoft Exchange servers: threat actors use it in large-scale server exploitation campaigns and then try to sell the company secrets they obtain on the dark web. One victim has already paid more than $200,000 in Bitcoin to the Epsilon Red operators, setting a dangerous example of a company caving in to cybercriminal demands to avoid a possible data leak, reputational damage, and the loss of operations that follows once critical files are encrypted and IT services are crippled.
We also have some basic information on REvil, another ransomware outfit that employs affiliates to launch attacks and whose ransom note is similar to Epsilon Red's, having applied to cooperate with the ransomware gang early this year.
During the investigation, the researchers looked into all publicly available sources of Epsilon Red intelligence. According to their findings, most major antivirus companies appear to detect the new ransomware variant correctly. The strain attempts to spread by exploiting several recently identified Microsoft Exchange server vulnerabilities, including CVE-2020-1472 (ZeroLogon) and CVE-2021-26855. They also found about 695 servers in the United States still vulnerable to ZeroLogon, 71 more in Australia, and 36 in Argentina; the campaign targets and exploits such servers directly.
When confronted with a ransom demand, the victim should immediately report the ransom email to law enforcement. The second important step is a solid defence-in-depth strategy, which includes zero-knowledge online backups of critical data: cybercriminals cannot blackmail a company whose crucial information they are unable to obtain. The recently established Ransomware Task Force is a step in the right direction, but a more practical approach to ransomware schemes, built around a central information-sharing database, should be studied. Such a database would allow research on real data, systematic outreach to law enforcement, and the delivery of actionable intelligence on cyber threat actors to the top antivirus companies. When dealing with cryptoviral extortion, users and companies should avoid paying the ransom in full and instead rely on zero-knowledge online backups of critical business and personal data. The less criminals are paid, the fewer threats they will pose in the future.
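The zero-knowledge backup recommended above means the data is encrypted on the client before it is uploaded, under a key the backup provider never receives, so neither the provider nor anyone who breaches it can read the stored copy, and a restore still works after the live systems have been encrypted by ransomware. The following Go program is an added illustration of that pattern, not code from the article or from Sophos. It assumes a 256-bit key generated on the client and kept outside the provider's reach (a password manager or offline escrow), uses AES-256-GCM from the Go standard library, and binds each blob to a constructed path/version label as associated data so one stored blob cannot be swapped for another without detection. Note that this protects the backup copy; data already exfiltrated from a live server is a separate exposure that backups do not address.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewBackupKey generates the client-held AES-256 key. In a real deployment
// this key lives in a password manager or offline escrow, never with the
// backup provider: that separation is what makes the backup "zero-knowledge".
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts and authenticates one backup chunk before upload.
// Output layout: nonce (12 bytes) || AES-GCM ciphertext || 16-byte tag.
// `label` (hypothetical path@version string) is authenticated as associated
// data so a blob restored under the wrong label fails verification.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Appending to the nonce slice yields nonce||ciphertext||tag in one buffer.
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open restores a chunk downloaded from the provider. It fails closed on a
// wrong key, a tampered blob, or a mismatched label, so a corrupted or
// substituted backup is never silently restored.
func Open(key, blob, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, label)
	if err != nil {
		return nil, fmt.Errorf("restore failed (wrong key, tampered blob or wrong label): %w", err)
	}
	return pt, nil
}

func main() {
	// Constructed sample data; not real customer content.
	doc := []byte("constructed sample: quarterly ledger, not real data")
	label := []byte("finance/ledger.xlsx@v3") // hypothetical path@version label

	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, doc, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d opaque bytes\n", len(blob))

	restored, err := Open(key, blob, label)
	fmt.Printf("restore with client key: %q err=%v\n", restored, err)

	_, err = Open(make([]byte, 32), blob, label)
	fmt.Println("restore with provider-side guess of key:", err)
}
```

The restore path deliberately returns an error rather than partial data when authentication fails; a backup job should treat that error as an integrity alert, because it indicates either a corrupted copy or an attempt to feed a substituted blob into the restore.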
– Navya Swarup
Member, Reporter’s Committee, WCSF