New Ransomware has Unpatched Exchange Servers Seeing (Epsilon) Red

Another exploitation opportunity is taking advantage of still unpatched on-premise Microsoft Exchange servers. Last week, Sophos discovered a new ransomware strain, calling itself Epsilon Red that was observed targeting a U.S.-based company in the hospitality sector. According to Sophos, it isn’t clear whether the attack was enabled by the ProxyLogon exploit or another vulnerability, but it seems likely that the root cause was an unpatched server.

The ransomware executable (RED.exe) is a 64-bit Windows executable that appends a “.epsilonred” suffix to the encrypted files and drops a ransom note in each folder. Likewise, it appears devices infected with Epsilon Red could become completely unusable, as Sophos noted that the ransomware doesn’t contain a list of targeted file types and instead encrypts every file in a folder, which can lead to the entire system becoming inoperable. The ransomware note appears to resemble notes from REvil, but according to Sophos, that’s where the similarities end. Read more about Epsilon Red at SecurityWeek.