Dridex Malware Downloader Connected to Entropy Ransomware

The newly discovered Entropy ransomware shares coding similarities with the general-purpose Dridex malware, which began as a banking trojan. Researchers were able to connect the dots and establish a link between the two pieces of malware after two Entropy ransomware attacks on distinct businesses.

In a recent report, Sophos lead researcher Andrew Brandt says that a detection signature built for Dridex prompted a closer look at the Entropy malware. Both targets had unprotected devices, but endpoint protection halted the attacks; the detection that fired was the signature written to recognize the Dridex packer code, which also matched the packer code used by Entropy.

SophosLabs analysts found that many other subroutines Entropy uses to hide its activity are comparable to those Dridex uses for the same purpose. Within the infosec community, Entropy ransomware is thought to be a rebrand of Grief (a.k.a. Pay or Grief) ransomware, itself a continuation of the DoppelPaymer operation. Sophos also found the same packer code on Sophos-protected devices that had been targeted with DoppelPaymer ransomware.

DoppelPaymer is linked to the EvilCorp gang (a.k.a. Indrik Spider), which is responsible for the phishing emails that spread the Dridex banking trojan turned malware downloader. The US Treasury Department sanctioned members of EvilCorp and firms affiliated with the group in 2019. Because of those sanctions, ransomware negotiation firms stopped mediating ransom payments to the group to avoid fines and legal action.

To sidestep the sanctions, EvilCorp repeatedly rebranded its ransomware operations, using names including WastedLocker, Hades, and Phoenix. The Entropy ransomware campaign has been stealing data from compromised networks since at least November 2021. Like other ransomware groups, the Entropy operators set up a leak site to name victims who refuse to pay. As of this writing, the site lists nine public and private sector entities.

In the first attack analyzed by Sophos, the threat actor exploited ProxyShell vulnerabilities in Exchange Server to gain remote access to a North American media business and deploy Cobalt Strike beacons. The attackers spent four months moving laterally and collecting data before encrypting machines with Entropy ransomware.

In the second attack, Dridex was installed on a computer belonging to a regional government entity and then used to deliver additional malware and pivot to other systems. “Significantly, in this second attack, only 75 hours passed between the initial detection of a suspicious login attempt on a single machine and the attackers commencing data exfiltration” – Sophos

Both attacks were possible, according to Sophos, because the targets had vulnerable Windows workstations that were missing current patches and upgrades. The researcher notes that keeping workstations up to date and enforcing multi-factor authentication (MFA) makes initial access harder for attackers.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.