Epsilon Red ransomware

sw0rdf1sh
Sep 8, 2021

Epsilon Red ::
1. Introduction

Explaining each of the PowerShell scripts

> This ransomware is written in the Go language.

> Like REvil ransomware, it leaves a similar ransom note, with a few grammatical corrections.

> The name Epsilon Red, like many coined by ransomware threat actors, is a reference to pop culture. The character Epsilon Red was a relatively obscure adversary of some of the X-Men in the Marvel extended universe, a “super soldier” alleged to be of Russian origin, sporting four mechanical tentacles and a bad attitude.

2. Preparation stage (cook-up)

> A series of PowerShell scripts (numbered 1 to 12) and unique scripts like P.exe and C.exe are created.

> This series of scripts is triggered by a PowerShell script called RED.ps1, which is executed on the machine using Windows Management Instrumentation (WMI).

> The script then retrieves a file with the extension .7z and unpacks it in the system32 folder (in later stages this file is deleted to avoid leftovers).

3. Obfuscation (evasion technique)

> The PowerShell scripts also use a rudimentary form of obfuscation in which the threat actors appear to have added in some square brackets and braces at random into the script, breaking up the lines of PowerShell script code, and then use a command that strips out those brackets.

4. Blocking the firewall and clearev (event records)

> The attacker unpacks RED.ps1 (the parent script) into the %SYSTEM%\RED directory, then creates scheduled tasks that run the unpacked child scripts (1.ps1 to 12.ps1).

> After every scheduled task it waits for one hour and executes a command to modify the Windows Firewall rules so that all communication ports are blocked, leaving an exception for 5650, which is the communication port for a commercial tool called Remote Utilities.

Link : https://www.remoteutilities.com/

(They can use it for free. Anyone can submit an email address through the company’s website and receive a free license key by email that allows them to use the full capability of the product on up to 10 machines, in perpetuity.)

> The tool offers licensed users the ability to generate a digitally signed executable installer, pre-configured with a password and other preferences embedded into the .exe. Users choose their options, which get transmitted back to the company via the application to generate a unique “One-Click package” executable the program then downloads. The threat actor can then deploy this installer, which runs unattended, and automatically synchronizes to their Remote Utilities Viewer console.

> Scripts 1 to 6, 10 and 11, together with C.exe and P.exe, run as scheduled tasks. These scripts disable AV, kill processes, and perform many tasks that hinder backup tools and programs in Windows (as shown in the chart).

> The 6.ps1 script kills not only processes but also services, based on strings that may appear in the service names, and it also disables Windows Defender by setting or changing registry keys.

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d

> An explanation of what each script does is given in the chart.
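
The behaviours in this section (child scripts run from a RED directory, the Defender registry change, a firewall change involving port 5650) can be correlated per host in process-creation logs. This is an added example, not part of the original post; the event format, host names, paths, and the exact command syntax being matched are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviours described on this page. The command syntax matched here
# (reg add, netsh advfirewall, a \RED\ script path) is an assumption.
RULES = {
    "defender_disabled": re.compile(
        r"\breg(\.exe)?\s+add\b.*\\Windows Defender.*\bDisableAntiSpyware\b", re.I),
    "red_script_run": re.compile(r"\\RED\\(RED|1[0-2]|[1-9])\.ps1\b", re.I),
    "firewall_5650": re.compile(r"\bnetsh(\.exe)?\s+advfirewall\b.*\b5650\b", re.I),
}

def match_rules(cmdline):
    """Return the names of every rule the command line matches."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def correlate(events, window=timedelta(hours=24), min_rules=2):
    """Flag hosts showing >= min_rules distinct behaviours inside one window.

    events: (iso_timestamp, host, cmdline) tuples. Returns {host: [rules]}.
    """
    hits = defaultdict(list)  # host -> [(time, rule), ...]
    for ts, host, cmd in events:
        for rule in match_rules(cmd):
            hits[host].append((datetime.fromisoformat(ts), rule))
    flagged = {}
    for host, seen in hits.items():
        for start, _ in seen:
            rules = {r for t, r in seen if start <= t <= start + window}
            if len(rules) >= min_rules and len(rules) > len(flagged.get(host, [])):
                flagged[host] = sorted(rules)
    return flagged

# Constructed process-creation events (not taken from a real incident).
FW = "netsh advfirewall firewall add rule name=ru dir=in action=allow protocol=TCP localport=5650"
SAMPLE = [
    ("2021-01-01T10:00:00", "EXCH01", r"powershell.exe -File C:\Windows\System32\RED\6.ps1"),
    ("2021-01-01T10:00:05", "EXCH01",
     r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d <value>'),
    ("2021-01-01T11:00:10", "EXCH01", FW),
    ("2021-01-01T09:00:00", "WS07", FW),  # one behaviour alone: below threshold
    ("2021-01-01T09:30:00", "WS09", r"powershell.exe -File C:\Scripts\RED\13.ps1"),  # not 1-12
]

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE).items():
        print(host, rules)
```

Requiring two or more distinct behaviours on the same host keeps a lone Remote Utilities firewall rule, which may be legitimate administration, from raising an alert by itself.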

5. How Epsilon Red ransomware is executed:

> The ransomware itself, called RED.exe, is a 64-bit executable file written in the Go language.

> It uses godirwalk, which gives it the ability to scan the hard drive on which it is running for directory paths and export them into lists.

> The ransomware then runs a child process that encrypts each subfolder in the present directory, or works from the list of directory paths.

> After a short amount of time all files are encrypted with the help of the child process, and a ransom note is dropped in each folder.

> Victims are encouraged to visit a special URL on a website operated on the normal web (epsilons[.]red) to engage with the attackers.

Ransomware vulnerability targets in scope:

1. Unpatched servers
2. Exchange servers vulnerable to the ProxyLogon exploit chain

Mitigations:

1. Patch internet-facing Exchange servers as quickly as possible.
