This new ransomware has been spotted in two very different attacks, say researchers

Researchers uncovered Entropy ransomware while investigating two separate incidents - both of which could have been prevented by applying security patches.
Written by Danny Palmer, Senior Writer

A new form of ransomware has been identified by security company researchers after they found it being used against two different organisations.

Dubbed Entropy, the new ransomware has been detailed by cybersecurity researchers at Sophos, who uncovered it on the networks of two organisations – a media company and a regional government – after being called in to investigate the two separate incidents within the space of a week.

The attackers compromised the media company by exploiting ProxyShell vulnerabilities to install remote shells on unpatched Microsoft Exchange servers, before using Cobalt Strike, a legitimate penetration testing tool often abused by cyber criminals, to explore the network over a four-month period. Analysis of infected machines also revealed that the Dridex trojan had been installed.


Dridex was also detected on the network of the regional government organisation. In this case, Dridex was delivered directly via a phishing email, and the trojan was then used to deliver additional malware and remote-access tooling. In this attack, only 75 hours passed between the initial compromise and the cyber criminals stealing data.

"They were both using Dridex, and that obviously set off a few alarm bells," Peter Mackenzie, director of incident response at Sophos, told ZDNet. 

Dridex has been active since at least 2011 and became a popular tool for cyber criminals to distribute malware, ransomware and other malicious payloads. In 2019, the US Department of Justice announced charges against two Russian nationals suspected of being behind Dridex.

In fact, when Entropy was first analysed, detection tools initially identified the new ransomware as Dridex itself because of similarities in the code. Analysis of the malware also showed that additional work had been done to optimise it.

The updated code also contains text that mentions the targeted organisation's name, followed by "…falls apart. Entropy Increases", a line from John Green's 2005 novel Looking For Alaska.

Dridex is linked to Evil Corp, a cyber-criminal gang behind a string of ransomware attacks that has deployed variants including BitPaymer, DoppelPaymer, WastedLocker, Hades and Macaw. However, it's also possible that the code has been borrowed or stolen, and that its reuse is a deliberate misdirection attempt by other cyber criminals. The nature of the malware ecosystem means it's extremely difficult to be 100% confident of attribution.

As the researchers note, both targets had vulnerable Windows systems that lacked current patches and updates, which allowed them to be compromised. As is the case with many common cyberattacks, including ransomware, applying the appropriate security updates across the network can go a long way to preventing intruders from getting onto the network in the first place – as can requiring multi-factor authentication.

"In both cases, the attackers relied upon a lack of diligence – both targets had vulnerable Windows systems that lacked current patches and updates," Sophos said. It noted that properly patched machines, such as the Exchange server, would have forced the attackers to work harder to gain initial access to the organisations they penetrated.

"A requirement to use multi-factor authentication, had it been in place, would have created further challenges for unauthorized users to log in to those or other machines," it noted.


Organisations can also help prevent attacks by actively monitoring their networks for suspicious activity by potential intruders, such as the ProxyShell exploitation and web shell traffic seen in the media company's Exchange logs, which indicates that something should be investigated and removed before it escalates.
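As an added illustration of the kind of monitoring described above, and of the ProxyShell intrusion route mentioned earlier, here is a small Python script that scans IIS web-server log lines from an Exchange server for two widely reported ProxyShell-related patterns: requests to autodiscover.json whose query string carries an "@" prefix and then targets a backend such as /mapi/nspi or /powershell, and .aspx files served from /aspnet_client/, a location attackers commonly use to drop web shells. This is example code written for this article, not Sophos's tooling or any detail from the incidents it describes; the log lines are constructed, the field layout is a typical W3C IIS layout, and the two heuristics are assumptions you should tune against your own environment, not a complete ProxyShell detection.

```python
from collections import Counter
from urllib.parse import unquote

# Assumed W3C IIS field order for the constructed sample below. Real servers
# declare their own order in a "#Fields:" header line; adjust accordingly.
IIS_FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
              "port", "username", "c_ip", "user_agent", "status"]

# Constructed sample log (not from the article). 203.0.113.7 is the actor;
# the other client is benign Outlook traffic.
SAMPLE_LOG = """\
2021-12-01 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa 443 - 203.0.113.7 Mozilla/5.0 200
2021-12-01 10:00:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3Fa@evil.test 443 - 203.0.113.7 python-requests/2.26 200
2021-12-01 10:00:12 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/powershell/?Email=autodiscover/autodiscover.json%3Fa@evil.test 443 - 203.0.113.7 python-requests/2.26 200
2021-12-01 10:00:30 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 - 198.51.100.9 Outlook/16.0 401
2021-12-01 10:02:44 10.0.0.5 GET /aspnet_client/shell.aspx cmd=whoami 443 - 203.0.113.7 Mozilla/5.0 200
"""

# Exchange backends reached through the autodiscover.json path confusion
# in public ProxyShell write-ups (assumed list; extend as needed).
PROXYSHELL_BACKENDS = ("/mapi/nspi", "/powershell")


def parse_iis_line(line):
    """Split one space-separated IIS log line into a dict, or None if malformed."""
    if line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != len(IIS_FIELDS):
        return None
    return dict(zip(IIS_FIELDS, parts))


def classify(rec):
    """Return a list of reasons this request looks suspicious (empty if none)."""
    stem = rec["uri_stem"].lower()
    query = unquote(rec["uri_query"]).lower()  # decode %3F etc. before matching
    reasons = []
    if ("autodiscover.json" in stem and "@" in query
            and any(backend in query for backend in PROXYSHELL_BACKENDS)):
        reasons.append("ProxyShell-style autodiscover.json path confusion")
    if stem.startswith("/aspnet_client/") and stem.endswith(".aspx"):
        reasons.append(".aspx served from /aspnet_client/ (common web shell drop location)")
    return reasons


def scan(log_text):
    """Scan a whole log and return one finding dict per (line, reason)."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_iis_line(line)
        if rec is None:
            continue
        for reason in classify(rec):
            findings.append({"line": lineno, "c_ip": rec["c_ip"],
                             "uri_stem": rec["uri_stem"], "reason": reason})
    return findings


def suspicious_clients(findings):
    """Count findings per client IP so repeat offenders surface first."""
    return Counter(f["c_ip"] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']}: {h['c_ip']} {h['uri_stem']} -> {h['reason']}")
    print("clients:", dict(suspicious_clients(hits)))
```

Run against the constructed sample, the script flags lines 2, 3 and 5, all from 203.0.113.7, and leaves the ordinary OWA and Outlook requests alone; on a real server you would feed it the IIS log directory, honour the file's own "#Fields:" line, and pair the output with the patch status of the server so that a hit on an unpatched host is treated as an active intrusion rather than a scan.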

"They will keep trying unless someone kicks them off the network. They're just going to keep trying, so you have to have a security team either internally or externally that is monitoring your environment and is looking out for these signs that someone is in," said Mackenzie. 

"If you don't support those warning signs, it is just a matter of time before they will eventually win," he said.  
