Privacy Ninja

New Epsilon Red Ransomware Hunts Unpatched Microsoft Exchange Servers

A new ransomware threat calling itself Red Epsilon has been seen leveraging Microsoft Exchange server vulnerabilities to encrypt machines across the network.

Epsilon Red ransomware attacks rely on more than a dozen scripts before reaching the encryption stage and also use a commercial remote desktop utility.

Hitting vulnerable Microsoft Exchange servers

Incident responders at cybersecurity company Sophos discovered the new Epsilon Red ransomware over the past week while investigating an attack at a fairly large U.S. company in the hospitality sector.

The researchers found that the threat actor breached the enterprise network by exploiting unpatched vulnerabilities in an on-premises Microsoft Exchange server.

Andrew Brandt, principal researcher at Sophos, says in a report today that the attackers may have leveraged the ProxyLogon set of vulnerabilities to reach machines on the network.

The ProxyLogon bugs were widely publicized as attackers rushed to mass-scan the internet for vulnerable servers and compromise them.

Because of the critical severity, organizations across the world hurried to install the patches, and in less than a month about 92% of vulnerable on-premises Microsoft Exchange servers had received the update. Patching closes the entry point but does not evict an intruder who got in first: web shells, added accounts and remote access tools planted before the update survive it, so a server that was exposed while unpatched also needs to be checked for compromise.

Unique set of tools

Epsilon Red is written in Golang (Go) and is preceded by a set of unique PowerShell scripts that prepare the ground for the file-encryption routine, each having a specific purpose:

  • kill processes and services for security tools, databases, backup programs, Office apps, email clients
  • delete Volume Shadow Copies
  • steal the Security Account Manager (SAM) file containing password hashes
  • delete Windows Event Logs
  • disable Windows Defender
  • suspend processes
  • uninstall security tools (Sophos, Trend Micro, Cylance, MalwareBytes, Sentinel One, Vipre, Webroot)
  • expand permissions on the system

Most of the scripts are numbered 1 through 12, but a few are named with a single letter. One of these, c.ps1, appears to be a clone of Copy-VSS, a PowerShell script from the Nishang penetration testing framework that uses a Volume Shadow Copy to copy out the SAM hive, which is normally locked while Windows is running; this is how the password hashes mentioned above are obtained.

After breaching the network, the attackers reach machines over RDP and use Windows Management Instrumentation (WMI) to install software and run the PowerShell scripts that ultimately deploy the Epsilon Red executable.

Sophos researchers also saw the threat actor install a copy of Remote Utilities, a commercial remote desktop tool, and the Tor Browser. This gives them a second way in should they lose access through the initial entry point, which means that patching the Exchange server alone does not remove them: responders also need to find and remove these tools and any accounts created for them.
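The script behaviours listed above and the WMI-driven deployment are a recognisable sequence on an endpoint, and a practitioner would want to catch it before the encryption stage. The following is an added example, not Sophos's analysis code and not the attackers' scripts: it classifies process-creation events (constructed here to resemble Sysmon Event ID 1 / Windows 4688 fields) against rules for each behaviour and flags a host that shows several of them within a short window. The command syntax in the rules is the common way each behaviour is carried out on Windows, because the article does not reproduce the scripts themselves, and the rutserv.exe process name for the Remote Utilities host is an assumption.

```python
"""Flag Epsilon Red-style pre-encryption activity from process-creation events.

Added example, not code from Sophos or from the ransomware. The events below
are constructed, and the command syntax in RULES is an assumption about how
each behaviour is typically carried out, not the exact Epsilon Red scripts.
"""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (tag, regex over the full command line)
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("event_log_clearing",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog", re.I)),
    ("defender_tampering",
     re.compile(r"Set-MpPreference\b.*-Disable\w+|Add-MpPreference\b.*-ExclusionPath", re.I)),
    ("sam_hive_theft",
     re.compile(r"reg(\.exe)?\s+save\s+hklm\\sam|Copy-VSS", re.I)),
    ("security_tool_removal",
     re.compile(r"(msiexec(\.exe)?\s+/x|Uninstall-Package|wmic\s+product\s+where).*"
                r"(sophos|trend\s*micro|cylance|malwarebytes|sentinel\s*one|vipre|webroot)", re.I)),
    ("backup_db_service_stop",
     re.compile(r"(\bnet(\.exe)?\s+stop|Stop-Service|\bsc(\.exe)?\s+stop)\s+.*(sql|veeam|backup|exchange)", re.I)),
    # Assumption: rutserv.exe is the Remote Utilities host binary.
    ("remote_admin_tool_install",
     re.compile(r"rutserv\.exe|Remote Utilities|tor\s*browser", re.I)),
]
WMI_HOST = "wmiprvse.exe"  # parent of processes started remotely through WMI


def classify(event):
    """Return the set of behaviour tags one process-creation event matches."""
    tags = {tag for tag, rx in RULES if rx.search(event["cmd"])}
    parent = os.path.basename(event["parent"]).lower()
    if parent == WMI_HOST and event["image"].lower().endswith("powershell.exe"):
        tags.add("wmi_remote_powershell")
    return tags


def score_hosts(events, window=timedelta(minutes=30), threshold=3):
    """Flag hosts whose events hit >= threshold distinct tags inside one window.

    A lone shadow-copy deletion is routine maintenance; several of these
    behaviours in quick succession on one host is the pre-encryption pattern.
    """
    by_host = defaultdict(list)
    for ev in events:
        tags = classify(ev)
        if tags:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tags))
    flagged = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        best = set()
        for i, (t0, _) in enumerate(hits):
            seen = set()
            for t, tags in hits[i:]:
                if t - t0 > window:
                    break
                seen |= tags
            if len(seen) > len(best):
                best = seen
        if len(best) >= threshold:
            flagged[host] = sorted(best)
    return flagged


def _ev(ts, host, parent, image, cmd):
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmd": cmd}


# Constructed sample telemetry (not real incident data).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    _ev("2021-05-10T02:01:00", "WS01", "WmiPrvSE.exe", PS, r"powershell.exe -ep bypass -w hidden -f C:\Users\Public\1.ps1"),
    _ev("2021-05-10T02:02:00", "WS01", "powershell.exe", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    _ev("2021-05-10T02:03:00", "WS01", "powershell.exe", r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl Security"),
    _ev("2021-05-10T02:04:00", "WS01", "powershell.exe", PS, "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    _ev("2021-05-10T02:05:00", "WS01", "powershell.exe", r"C:\Windows\System32\reg.exe", r"reg.exe save hklm\sam C:\Users\Public\sam.hiv"),
    _ev("2021-05-10T02:06:00", "WS01", "powershell.exe", r"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe", r'"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /start'),
    _ev("2021-05-10T09:00:00", "SRV02", "services.exe", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    _ev("2021-05-11T10:00:00", "SRV02", "cmd.exe", r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe qe Security /c:20 /rd:true"),
    _ev("2021-05-12T14:00:00", "SRV03", "cmd.exe", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /for=D: /oldest"),
]

if __name__ == "__main__":
    for host, tags in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tags)}")
```

Run stand-alone, the script flags WS01 on six distinct behaviours within minutes and stays quiet on SRV03, whose single shadow-copy deletion a day later is indistinguishable from housekeeping. The window and threshold are the tuning knobs; the rules themselves should be extended with the command lines actually observed in your own environment.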

REvil ransom note model

Peter Mackenzie, manager of the Sophos Rapid Response team, told BleepingComputer that, although this version of Epsilon Red does not appear to be the work of professionals, it can cause quite a mess, as it comes with no restrictions on the file types and folders it encrypts.

The malware has little functionality apart from encrypting files and folders, but it includes code from godirwalk, an open-source Go library for traversing a directory tree on a file system.

Epsilon Red uses it to scan the hard drive and build a list of directory paths, which it hands to child processes that each encrypt one subfolder. An infected machine therefore ends up running a large number of copies of the ransomware process, a burst of identical process launches that is itself a useful signal for endpoint monitoring.

It encrypts everything in the targeted folders, appending the suffix “.epsilonred”, and does not spare executables or DLLs, which can break essential programs or even the operating system.

In typical ransomware fashion, Epsilon Red drops in each processed folder the ransom note with instructions on how to contact the attackers for negotiating a data decryption price.
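Once the encryption run is over, the first job for a responder is to scope it: which directories were hit, how many files, where the notes landed, and which encrypted files were executables or DLLs that will need reinstalling rather than just decrypting. The following is an added example, not code from the article or from Sophos: it walks a tree the same way the ransomware did and summarises the damage. The “.epsilonred” suffix is the one the article reports; the victim tree is constructed, and NOTE_NAME is a placeholder because the article does not give the ransom note's file name.

```python
"""Scope an Epsilon Red-style encryption run over a directory tree.

Added example for incident responders, not code from the article or from
Sophos. The tree built below is constructed; ".epsilonred" comes from the
write-up, NOTE_NAME is a placeholder (the note's real file name is not given).
"""
import os
import shutil
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".epsilonred"
NOTE_NAME = "ransom_note.txt"              # placeholder, see module docstring
BREAKAGE_EXTS = {".exe", ".dll", ".sys"}   # encrypted binaries that break programs or the OS


def _rel(path, root):
    """Root-relative path with forward slashes so results compare the same on any OS."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def triage(root, suffix=ENCRYPTED_SUFFIX, note_name=NOTE_NAME):
    """Walk the tree and summarise what the encryption run touched."""
    per_dir = Counter()
    notes, broken = [], []
    total = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            if name == note_name:
                notes.append(_rel(dirpath, root))
            elif name.endswith(suffix):
                per_dir[_rel(dirpath, root)] += 1
                original = name[:-len(suffix)]
                # Encrypted binaries cannot simply be decrypted back into a trusted
                # state; record them so they are reinstalled from known-good media.
                if os.path.splitext(original)[1].lower() in BREAKAGE_EXTS:
                    broken.append(_rel(os.path.join(dirpath, original), root))
    return {
        "total_files": total,
        "encrypted": sum(per_dir.values()),
        "dirs_hit": dict(per_dir),
        "notes": sorted(notes),
        "broken_binaries": sorted(broken),
    }


def build_sample_tree():
    """Constructed victim tree (not real data) so the triage runs offline."""
    root = tempfile.mkdtemp(prefix="epsilon_triage_")
    layout = {
        "Users/alice/Documents": ["report.docx" + ENCRYPTED_SUFFIX, "budget.xlsx" + ENCRYPTED_SUFFIX, NOTE_NAME],
        "Program Files/App": ["app.exe" + ENCRYPTED_SUFFIX, "helper.dll" + ENCRYPTED_SUFFIX, NOTE_NAME],
        "Windows/System32": ["kernel32.dll", "notepad.exe"],  # untouched directory
    }
    for rel, names in layout.items():
        d = os.path.join(root, *rel.split("/"))
        os.makedirs(d)
        for n in names:
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"x")
    return root


def run_sample():
    """Build the constructed tree, triage it, clean up, and return the summary."""
    root = build_sample_tree()
    try:
        return triage(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Pointed at a real mounted image instead of the sample tree, `triage()` gives the per-directory hit list, the folders where a note was dropped (the article says every processed folder gets one, so the two lists should agree), and the binaries that will need reinstalling whatever happens with decryption.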

If the instructions seem familiar it’s because the attackers use a spruced-up version of the ransom note used by REvil ransomware. However, Epsilon Red made an effort to correct the original grammar and spelling mistakes of the Russian gang.

While the origin of the hackers remains unknown for now, it is clear where they got their name: Epsilon Red is a little-known character from the Marvel universe, a Russian super-soldier with four tentacles who can breathe in space.

Despite being new in the ransomware business, the Epsilon Red ransomware gang has attacked several companies and the incidents are being investigated by multiple cybersecurity firms.

The hackers have also made some money. Sophos found that one victim of this ransomware threat paid the attackers 4.28 BTC on May 15 (about $210,000).
