Cybercrime , Cybercrime as-a-service , Email Security & Protection

New Ransomware Variant Targets US Hospitality Sector

Sophos Says Epsilon Red Extorted $210,000 From One Victim
New Ransomware Variant Targets US Hospitality Sector

A newly uncovered ransomware variant dubbed 'Epsilon Red' is targeting organizations in the U.S. hospitality sector, with the threat actor successfully extorting $210,000 from one of its victims, a new report by security firm Sophos notes.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

In a blog released on Friday, Andrew Brandt, principal researcher at Sophos, says the malware is compiled in the Go programming language and uses Microsoft Exchange server, which was the initial point of entry into the victims' networks, mainly in U.S.-based businesses in the hospitality industry.

"It isn't clear whether this was enabled by the ProxyLogon exploit or another vulnerability," Brandt says, "but it seems likely that the root cause was an unpatched server. From that machine, the attackers used WMI to install other software onto machines inside the network that they could reach from the Exchange server."

The malware, which is delivered as the final payload, encrypts files in the victims' systems and then demands a ransom. In one of the cases detected by Sophos, based on the cryptocurrency address provided by the attackers, it appears that in May at least one of their victims paid a ransom of 4.29 bitcoins ($210,000) to the operators behind the strain.

Although Epsilon Red's ransom note shared similarities to that of REvil group, Sophos says there are no other similar features which could link the malware to REvil.

Attack Tactics

Once a victim device is successfully compromised, the threat actors launch the malware as a series of PowerShell scripts before executing the ransomware payload called RED.exe. On analyzing the malware infrastructure, the researchers determined the strain uses an open-source project called Godirwalk to scan the hard drive.

Because the majority of the tasks, such as killing running processes and deleting files, are performed by the PowerShell, the ransomware strain itself is small and comes with only encryption capabilities, the report notes.

"In the sample we’ve seen, it doesn’t even contain a list of targeted file types or file extensions," Brandt says. "In fact, it will encrypt everything inside the folders it decides to encrypt, including other executables and DLLs, which can render programs or the entire system non-functional if the ransomware decides to encrypt the wrong folder path. After it encrypts each file, it appends a file suffix of ".epsilonred" to the files, and drops a ransom note in each folder."

Surge in Attacks.

Ransomware attacks targeting high-profile healthcare and other industries have gone up significantly this month.

On Monday, the FBI warned healthcare and first responder networks about Conti ransomware attacks, advising them to take measures to help prevent becoming a victim (see: FBI Warns Healthcare Sector of Conti Ransomware Attacks).

The advice from the agency comes after Conti targeted Ireland's Health Service Executive, the nation's state-run health services provider, as well as San Diego-based Scripps Health at the beginning of this month.

Prior to that, DarkSide ransomware targeted Colonial Pipeline Co. on May 8. The incident led to the tempoary shutdown of a 5,500 mile pipeline, and the company paid a $4.4 million ransom for a decryptor, which proved to be faulty (see: 2 Bills Introduced in Wake of Colonial Pipeline Attack).


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing ransomware.databreachtoday.com, you agree to our use of cookies.