Code reuse in the malware landscape is escalating and the latest to join this list is little-known ransomware dubbed Entropy. 


  • A pair of recent cyberattacks targeting a North American media organization and a regional government entity, had deployed the Dridex trojan on targeted systems before launching the Entropy ransomware. 
  • In both attacks, the threat actors used specially crafted versions of the Entropy DLL that incorporated the target’s name in the ransomware code. 
  • Additionally, they leveraged legitimate tools and unpatched Windows systems to spread laterally. 
  • Upon further investigation into these attacks, researchers at Sophos found that there the ransomware bore resemblance with Dridex trojan.
  • While Entropy is a relatively new ransomware, Dridex is a well-known trojan that has been around since 2011.

Significant observations

  • Sophos researchers observed that both the malware share similarities in the way they are deployed on the victims’ systems.
  • The packer code used to evade detection of Entropy ransomware includes a signature employed by the packer code of Dridex.
  • Some of the subroutines used by Entropy to hide its behavior and to decrypt encrypted data also match with the Dridex’s functionalities. 
  • However, there are some other aspects of the new ransomware that makes it different from Dridex, according to researchers.
  • This includes the working methodology of the attackers to gain an initial foothold and the malware that was used in the final phase of the attacks.

Key takeaways

Regardless of the nature of these attacks, the researchers pointed out that the attackers could intrude into the networks due to the lack of due diligence of organizations. They had failed to patch vulnerable Windows systems with recent updates. Researchers highlighted that properly patched machines like the Exchange servers would have thwarted such attacks. Additionally, having MFA in place can prevent unauthorized users to log in to the machines. 

Cyware Publisher