Researchers Find Similarities Between Dridex Trojan and Entropy Ransomware

Background

• A pair of recent cyberattacks targeting a North American media organization and a regional government entity, had deployed the Dridex trojan on targeted systems before launching the Entropy ransomware. 
• In both attacks, the threat actors used specially crafted versions of the Entropy DLL that incorporated the target’s name in the ransomware code. 
• Additionally, they leveraged legitimate tools and unpatched Windows systems to spread laterally. 
• Upon further investigation into these attacks, researchers at Sophos found that there the ransomware bore resemblance with Dridex trojan.
• While Entropy is a relatively new ransomware, Dridex is a well-known trojan that has been around since 2011.

Significant observations

• Sophos researchers observed that both the malware share similarities in the way they are deployed on the victims’ systems.
• The packer code used to evade detection of Entropy ransomware includes a signature employed by the packer code of Dridex.
• Some of the subroutines used by Entropy to hide its behavior and to decrypt encrypted data also match with the Dridex’s functionalities. 
• However, there are some other aspects of the new ransomware that makes it different from Dridex, according to researchers.
• This includes the working methodology of the attackers to gain an initial foothold and the malware that was used in the final phase of the attacks.

Key takeaways