Powershell ransomware found having infiltrated unpatched Microsoft Exchange email servers in the latest ransomware attack. The security experts spotted an unusual type of Windows vulnerability which was spotted to be exploiting several systems of the company.
Cybersecurity analysts from Sophos said that the ransomware relies on the Powershell scripts written in the Go programming language---the Epsilon Red.
Sophos Discovered Malware Hitting the Hospitality Business Industry
According to the official statement of Sophos, the group has assumed that one of the victims involved in the malware attack has paid 4.29BTC for the ransom or nearly $210,000. The Epsilon Red attack has been taking advantage of the cryptocurrency users besides the Microsoft exchange servers.
"It appears that an enterprise Microsoft Exchange server was the initial point of entry by the attackers into the enterprise network. It isn't clear whether this was enabled by the ProxyLogon exploit or another vulnerability, but it seems likely that the root cause was an unpatched server," Andrew Brandt, the principal researcher of Sophos wrote in the post.
How Powershell Ransomware Hits the System
According to an article written by Techradar on Tuesday, Jun.1, when the Epsilon Red successfully accessed the machine's system, it would target the WMI or the Windows Management Instrumentation so that it could commence the planting of the malicious software.
From there, once the software is now installed inside, it would now have a special entrance to the Microsoft exchange server. The hackers behind the Powershell ransomware also make use of Powershell scripts, as Sophos mentioned in its post last week.
The reason why the group depends on the scripts is to prepare for the upcoming launch of the "final ransomware" to the targeted machines. Specifically, this would envelop the removal of the Volume Shadow copies so that the victims wouldn't anymore regain the encrypted machines.
This would be the best opportunity for the Epsilon Red to "ultimately" send the ransomware that would crash the system.
According to cybersecurity analysts, the Powershell ransomware has a limitation. Since it is small in size, it could only encrypt the files since the Powershell scripts take care of the rest of the exploitations.
Moreover, the experts said that there is a series of codes that allows ransomware to be executable from godirwalk, an open-source project. This would initiate the drive scanning for the compilation of the list in the Microsoft email server.
However, there is a strange discovery that the IT people have detected in this ransomware. On the ransom note of Epsilon Red, the written message is similar to the Revil ransomware which was previously used by the cyber attackers.
The threat actors, this time, have constructed the current ransomware in a more correct grammatical pattern. Clearly, the malware exploits those users who speak Native English.
This article is owned by Tech Times
Written by Joseph Henry