Entropy Ransomware Delivered by Dridex

Industry: Government, Media | Level: Tactical | Source: Sophos

Sophos investigation has identified two organizations in media and government reporting of cyberattacks using Entropy ransomware. A review of the incident identified Dridex as the likely source of the attack and from a comparison between the two malware, there are similarities in their code to suggest a shared origin. The attacked media organization was exploited initially with the ProxyShell vulnerability and over a four-month timespan, attackers probed and exfiltrated data from the organization, prior to executing the ransomware. The ransomware attack against the government organization was executed much quicker as approximately 75 hours passed following a suspicious login to data exfiltration of compressed files to multiple cloud storage providers. In both attacks, a wide range of tools were identified having been utilized, including Cobalt Strike (unsuccessfully launched), PsExec, PsKill, AdFind, WinRAR and Metasploit’s Meterpreter. During the final stages of the attack, the attackers copied files to share folders including the ransomware file and scripts to copy and execute the ransomware. PsExec is used to facilitate the script’s execution and Regsvr32 is used for the execution of the Entropy ransomware.

• Anvilogic Scenarios:
• Entropy Ransomware Attack
• Malicious Document Delivering Malware
• Anvilogic Use Cases:
• Potential ProxyShell
• Remote Admin Tools
• PSexec Service Creation
• Meterpreter Reverse Shell
• Adfind Execution
• Adfind Commands
• regsvr32 Execution