- Feb 25, 2017
A pair of incidents at different organizations in which attackers deployed a ransomware called Entropy were preceded by infections with tools that provided the attackers with remote access — Cobalt Strike beacons and Dridex malware — on some of the targets’ computers, before the attackers launched the ransomware.
Sophos analysts hadn’t encountered Entropy prior to these incidents. Notably, there were significant differences in the methodologies employed by the attackers between both cases: How the attackers gained a foothold in the targets; the time the attackers spent inside the target’s network; and the malware that was used to prepare the final phase of the attack were substantially different.
Some aspects of the attacks were consistent: In both cases, the attackers relied heavily on Cobalt Strike as a means to infect more machines, meeting variable levels of success depending on whether the target had protection installed on a given machine. The attackers also performed redundant exfiltration of private data to more than one cloud storage provider. During a forensic analysis, we encountered multiple instances of Dridex, the well-known, general-purpose malware that its operators can use to distribute other malware.
Source: Dridex bots deliver Entropy ransomware in recent attacks