Connect with us

Hi, what are you looking for?



Cybercriminals Target Companies With New ‘Epsilon Red’ Ransomware

A new piece of ransomware named Epsilon Red has been used to target at least one organization in the United States, and its operators have apparently already made a significant profit.

A new piece of ransomware named Epsilon Red has been used to target at least one organization in the United States, and its operators have apparently already made a significant profit.

Cybersecurity firm Sophos reported last week that Epsilon Red operators have been spotted targeting a US-based company in the hospitality sector. The cryptocurrency address provided by the cybercriminals shows a bitcoin transaction for an amount worth roughly $210,000, which seems to indicate that at least one victim has agreed to pay the ransom demanded by the cybercriminals.

Sophos researchers noticed that the ransom note dropped by Epsilon Red is similar to the one displayed by the REvil ransomware, but Epsilon Red’s ransom note is better written — it does not contain some of the grammar errors in the REvil note.

Epsilon Red ransomware

Victims are informed that their files have been encrypted and that their data has been stolen and will be leaked unless they pay the ransom. However, Sophos noted that the ransomware doesn’t contain a list of targeted file types and instead encrypts every file in a folder, which can lead to the entire system becoming inoperable.

Epsilon Red, developed in the Go language, has been described as “bare-bones ransomware.” The ransomware executable is small due to the fact that it’s only designed to scan the system for folders it can encrypt and perform the actual encryption. The remaining tasks are carried out by a dozen PowerShell scripts, which prepare the machine for the final encryption payload.

These PowerShell scripts are designed to modify firewall rules to allow the attackers’ remote connections, disable or kill processes that could prevent encryption, delete the Volume Shadow Copy to prevent recovery of encrypted files, delete Windows event logs, grant elevated permissions, uninstall security software, and obtain valuable data.

The attackers have also been spotted using Remote Utilities, a commercial solution that is available for free. Sophos researchers believe the attackers have used this tool to be able to maintain access to compromised systems in case their initial access point gets removed.

Advertisement. Scroll to continue reading.

The initial access point in the attack spotted by Sophos was likely an unpatched Microsoft Exchange server. The attackers may have leveraged the vulnerabilities known as ProxyLogon, which have been exploited by many threat groups in the past months.

Sophos said it had not found any links to other cybercrime groups — except for the REvil ransom note similarities — and noted that the name Epsilon Red stems from an X-Men villain who has Russian origins.

Related: Security Researchers Dive Into DarkSide Ransomware

Related: SonicWall Zero-Day Exploited by Ransomware Group Before It Was Patched

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...