Tag Archives: Ransomware

The Newest Ransomware: Epsilon Red

Sophos announced that analysts uncovered a new ransomware – called Epsilon Red – that developed in Go programming language. The code is placed in PowerShell script.

This malicious file is written in Go programming language and a 64-bit executable file. It is said that spreading in systems by exploiting security vulnerabilities in Microsoft Exchange servers. It is using vulnerabilities like CVE-2020-1472, CVE-2021-26855 and CVE-2021-27065 that recently discovered Microsoft Exchange servers vulnerabilities. Epsilon Red ransomware scans files and encrypts for ransom when it reach to the target systems. It seems like still there are more than three thousand exchange servers that including these vulnerabilities and this shows us Epsilon Red attacks would be more painful.

According to Sophos, Epsilon Red has been seen in hospitality industry in USA mostly, and it seems like one of their victims paid 4.29 BTC after being affected.

For not being affected, organizations should keep the applications up to date and detect these IoCs below to prevent this attack. Also you can read our short post about prevention agains ransomwares.























Virtual Machines Roles in Growing Number of Ransomware Attacks

Symantec Threat Hunter Team published a post about evidence that an increasing number of ransomware attackers are using virtual machines (VMs) in order to run their ransomware payloads on compromised computers. The purpose of using VMs on ransomware attacks is thought to hide the malicious activities. It is stated that this method is used in order to bypass the security solutions in virtual machines and to ensure that malicious codes can be hidden in the virtual machine.

In the past, a similar attack was seen on Windows XP machines by RagnarLocker ransomware. The same method now is used in Windows 7 machines.

It is important to prevent the installation of unauthorized virtual machines in corporate networks and implement NDR solutions to capture the anomalies in the network. In addition, Symantec published these IoCs to detect;

  • 2eae8e1c2e59527b8b4bb454a51b65f0ea1b0b7476e1c80b385f579328752836 – Installer
  • 9f801a8d6b4801b8f120be9e5a157b0d1fc3bbf6ba11a7d202a9060e60b707d8 – runner.exe
  • e5291bae18b0fa3239503ab676cacb12f58a69eb2ec1fd3d0c0702b5a29246cb – VirtualBox
  • d89bd47fb457908e8d65f705f091372251bae3603f5ff59afb2436abfcf976d8 – Mountlocker
  • 8f247e4149742532b8a0258afd31466f968af7b5ac01fdb7960ac8c0643d2499 – Mountlocker

A Quick Guide for Ransomware Protection

Unfortunately, ransomware problem is growing every day, although a lot of cases we hear and tens of articles and webinars are published about it. In this post, I try to explain the Protection processes against ransomware. Then, with more posts, I will try to explain every steps deeper.

If you have been exposed to it and your files are encrypted, there is nothing much to do. So, it may be important to read these measures.

  1. Asset Management: You must know all assets in your organization, especially all assets connecting to internet. Meanwhile, you must know immediately when a new device connected to your network. Additionally, devices using Outlook is also important. A device may be able to Access to internet with restiricted policies but it can get email from outside of the organization. Restriction policies on proxys and firewalls cannot work perfectly, and always have some problems on not categorized or newly websites. So, an asset management device and a NAC solution is very important to manage devices.
  2. Do not use RDP: Remote Desktop Protocol is a common method for attackers to remotely connect to systems, or move laterally and deploy malware. Protocols like Telnet, SSH, SMB, and RDP should not be open to the internet. You should continuously scan your public IP addresses to check whether there is a protocol like these open to the internet. If you still need to open, pay attention to these;
    1. Local admin accounts should be kept in safe with a PAM solution
    2. Change the default RDP port
    3. Implement IP restriction if possible
    4. Allow remote connection only with recording systems
    5. Multifactor authentication should be implemented.
    6. Network Level Authentication (NLA) can be activated on devices. NLA provides a pre authentication step and also protects the System against brute force attacks.
    7. Implement security policies via Group Policy, and deny local changes
  1. Disable administrative and hidden shares on clients:
  1. Block some file types for incoming emails: Block emails including executive files. IF there are some file types that you cannot block because of the business, you should you some measures like sandbox for incoming emails.
  1. Backup and regularly backup tests: If you lose your all sensitive data, it is very important to have usable backups. For this, firstly, you should separate and isolate your backup network from all others. So, in a situation of compromise, backup networks will be safe. If you lose your backup data too with all data, there is no any other way other than pay the ransom.

Separating and isolating the backup network is a good start, but it is not enough. You must regularly test backup data and should be ensure that they are working. If you have an unusable backup data when you need it, it only means you spent hundereds of gigabytes for nothing.

There is no a System protecting %100 against ransomware, so backups are becoming more critical in this situation.

  1. Patch your systems regularly: Especially, systems that are open to the internet should be patched quickly. For this, you should have test systems for all your critical systems and patch these tests firstly, then take action quickly for the production systems.
  1. Awareness: %91 of the attacks begins with email. For an attacker, it s very easy to deceive a user rather than trying to find weaknesses and exploit them. Even if you have hundreds of measurements agains cyber attacks, if one of your users accept and click a malicious email, it means you can be exposed.

A Sad Story: Don’t Invest, Just Prodigalize

Last week, a friend called me, gave some bad news about a company. The company was looking for help since they became a victim of Egregor ransomware and trying to learn what to do against attacker since the attacker got their all data, encrypted it and gave three days to be paid 500k dollars. The attacker threatened them to publish their data in public in three days. Meanwhile, the only problem was not that all data would be published publicly, but also they lost all their private data. But, how can it be possible?

Ransomware is the biggest problem of the cyber world for some years. We heard about it, work on it and have seen paid bitcoins too much in these years. There are tens (or maybe hundreds) of webinars, talks and articles about it, trying to help about being safe against ransomware. It is ok while the weakest link is human, it is possible to be exposed a ransomware but it is not too difficult to confine it to a small area. 

The company I told about above was a chemical company and of course has too many private data like formulas. I mean they also lost their backups while I am saying they lost all their data. Since, they did not isolate their backup network, their backups was also being encrypted. Meanwhile, they have some backup tapes but cannot use them because they have never tested whether the backup tapes working, and of course they did not when the company need them. 

There are some basic prevention steps against ransomware. If we mention briefly, we can say user awareness, regular phishing tests, not only an anti-spam product but also a sandbox or another technology against malicious emails, EDR to response faster against a malicious behavior, NDR to determine the anomaly in the network, to backup data and test these backups regularly, to isolate backup network so infiltrated attackers cannot harm backups, to isolate private data and apply need to know, to limit users’ internet access, and more. the list seems too long but most of them do not require much expenditure. But it if you do not invest to professionals and to any technology, then you just prodigalize your money. However, you can never count lost reputation and also secret formulas and data. 

All these measures can take too much. I can understand if a company cannot invest all of them for security. But as I said above, this company’s backup network is not isolated and can be accessed from all other networks. And, as I learnt, they only use an antivirus software but it is not up to date, and I am sure they do not track whether all PCs or servers have this antivirus. So, like these measures, most of them are not expensive. To have these measures at least, every company needs to invest talented security professionals to save money. However, I think, any of these measures cost more than 500k$ + reputation + publicly published private data. To invest security is not wasting money. It is directly saving money. Everyone needs to understand this without living.