The newly discovered Entropy ransomware shares coding similarities with the general-purpose Dridex malware, which began as a banking trojan. Researchers were able to connect the dots and establish a link between the two pieces of malware after two Entropy ransomware attacks on distinct businesses.
In a recent paper, Sophos lead researcher Andrew Brandt claims that a detection signature built for detecting Dridex triggered a closer look at the Entropy malware. Both target businesses had unsecured devices. However, endpoint protection measures halted the attack, which was initiated by detecting the Entropy packer code, despite the signature for recognizing the Dridex packer code.
SophosLabs analysts discovered that many other subroutines used by Entropy to mask its actions were comparable to those used by Dridex for the same purpose. According to the infosec community, Entropy ransomware might be a rebrand of Grief (a.k.a. Pay or Grief) ransomware, which is a continuation of the DoppelPaymer operation. New research from Sophos reveals that the identical packer code exists on Sophos-protected devices targeted with DoppelPaymer ransomware.
DoppelPaymer is linked to the EvilCorp gang (a.k.a. Indrik Spider), responsible for the phishing emails that spread the Dridex banking trojan turned malware downloader. The US Treasury Department sanctioned members of EvilCorp and firms affiliated with the group in 2019. According to the Treasury Department, ransomware negotiating businesses have stopped mediating ransom payments to avoid fines and legal action.
Sanctions could no longer be applied since EvilCorp renamed its ransomware activities. WastedLocker, Hades, and Phoenix are some of the ransomware names. The Entropy ransomware campaign has been taking data from hacked networks since at least November 2021. Like other ransomware groups, the Entropy organization put up a leak site to disclose the names of non-paying victims. As of this writing, the site features nine public and private sector entities.
In the initial attack analyzed by Sophos, the threat actor used ProxyShell vulnerabilities in Exchange Server to gain remote access to a media business in North America and distribute Cobalt Strike beacons. Before encrypting machines with Entropy ransomware, the attackers spent four months moving laterally and collecting data.
In the second attack, the Dridex malware was installed on a computer belonging to a regional government entity. Dridex was then used to inject additional malware, pivoting to different systems. “Significantly, in this second attack, only 75 hours passed between the initial detection of a suspicious login attempt on a single machine and the attackers commencing data exfiltration” – Sophos
Both attacks were feasible, as per Sophos, because the targets possessed vulnerable Windows workstations that required current patches and upgrades. The researcher notes that initial access is more difficult for attackers by keeping workstations up to date and installing multi-factor authentication (MFA).
