[MART] - Daily Diary #459 - Meet Entropy, Dridex Gang's New Ransomware.

CTAS-MAT ctas-mat at appgate.com
Wed Feb 23 21:45:39 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

02/23/2022 - Diary entry #459

This week a new ransomware was disclosed. Named Entropy, it seems to have connections with the Dridex gang. Like most active modern ransomware, Entropy uses the double-extortion model: in addition to encrypting the infected systems, the operators threaten to publish stolen data if the ransom is not paid.

Entropy has been found in systems breached with Dridex (covered in our Daily Diaries #114 and #116, and in our blog posts "Reverse Engineering Dridex and Automating IOC Extraction" and "Breaking Dridex and Creating a Vaccine"), suggesting Entropy has a connection with the EvilCorp gang (a.k.a. Indrik Spider and TA505). Entropy also shares code with Dridex for unpacking and for dynamically resolving DLLs at run time.

Entropy's operators also make use of public tools in their attacks, such as PsExec (to execute programs on remote systems), PsKill (to remotely terminate processes on the infected machine) and AdFind (to query Active Directory servers).
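As an added illustration (not part of the original diary entry), the following defender-side triage script flags the three public tools named above in constructed process-creation events and escalates a host on which several of them appear within a short window; the pipe-delimited log format, hostnames and file paths are assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Public tools the diary links to Entropy intrusions, with the role it gives each.
ENTROPY_TOOLS = {
    "psexec.exe": "remote execution",
    "pskill.exe": "remote process termination",
    "adfind.exe": "Active Directory enumeration",
}

# Constructed sample process-creation events (not real telemetry): timestamp|host|image|cmdline
SAMPLE_EVENTS = """\
2022-02-23T10:01:02|WS-01|C:\\Windows\\System32\\notepad.exe|notepad.exe
2022-02-23T10:03:10|WS-01|C:\\Tools\\AdFind.exe|AdFind.exe -f objectcategory=computer
2022-02-23T10:05:41|WS-01|C:\\Tools\\PsExec.exe|PsExec.exe \\\\FS-01 -s cmd.exe
2022-02-23T10:06:02|WS-01|C:\\Tools\\pskill.exe|pskill.exe \\\\FS-01 sqlservr
2022-02-23T11:30:00|WS-07|C:\\Admin\\PsExec.exe|PsExec.exe \\\\WS-08 ipconfig
"""

def parse_events(text):
    """Parse pipe-delimited events into dicts with a datetime timestamp."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, host, image, cmdline = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "image": image, "cmdline": cmdline})
    return events

def flag_tool_usage(events):
    """Return the events whose image file name is one of the tracked tools."""
    hits = []
    for ev in events:
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if name in ENTROPY_TOOLS:
            hits.append({**ev, "tool": name, "role": ENTROPY_TOOLS[name]})
    return hits

def correlate_by_host(hits, window=timedelta(minutes=30)):
    """Escalate hosts that ran two or more distinct tracked tools within the window;
    AD enumeration plus remote execution and process killing matches the diary's pattern."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    escalations = {}
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["ts"])
        tools = {h["tool"] for h in hs}
        if len(tools) >= 2 and hs[-1]["ts"] - hs[0]["ts"] <= window:
            escalations[host] = sorted(tools)
    return escalations
```

A lone PsExec run (WS-07 in the sample) is reported as a hit but not escalated, which keeps routine administration from drowning the alert.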

Although the Entropy attacks found so far did not look sophisticated, this new threat may evolve into another dangerous player in the ransomware landscape, especially considering how Dridex evolved from a simple banking trojan into one of the most dangerous multi-purpose botnets.

Kind Regards,




Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
