fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Entropy Ransomware Linked to Evil Corp’s Dridex Malware

Entropy Ransomware Linked to Evil Corp’s Dridex Malware

Analysis of the recently-emerged Entropy ransomware reveals code-level similarities with the general purpose Dridex malware that started as a banking trojan.

Two Entropy ransomware attacks against different organizations allowed researchers to connect the dots and establish a connection between the two pieces of malware.

Dridex code used in Entropy ransomware

In a report today, Sophos principal researcher Andrew Brandt says that deeper inspection of the Entropy malware was prompted by a detection signature that had been created for catching Dridex.

Also Read: AI Auditing Framework: Draft Guidance for Organizations

Both victim organizations had unprotected machines, but the systems running endpoint protection stopped the attack, triggered by detecting the packer code for protecting Entropy, although the signature was for identifying the packer code for Dridex.

SophosLabs analysts found that some of the other subroutines that Entropy relies on to hide its behavior were similar to those for the same functionality in Dridex.

“The instructions that dictate how Entropy performs the first ”layer“ of unpacking are similar enough to Dridex that the analyst who looked at the packer code, and in particular the portion that refers to an API called LdrLoadDLL – and that subroutine’s behavior, described it as ”very much like a Dridex v4loader,“ and compared it to a similar loader used by a Dridex sample from 2018”

There’s suspicion in the infosec community that Entropy ransomware is a rebrand of Grief (a.k.a. Pay or Grief) ransomware, which is a continuation of the DoppelPaymer operation.

Entropy ransomware suspected rebrand of Grief/DoppePaymer operation

These suspicions grow stronger with today’s report from Sophos, which notes that the same packer code was detected on Sophos-protected systems targeted with DoppelPaymer ransomware.

DoppelPaymer is attributed to the EvilCorp gang (a.k.a. Indrik Spider), which is behind the distribution of the Dridex banking trojan turned malware downloader via phishing emails.

Members of EvilCorp and companies associated with the group have been sanctioned in 2019 by the U.S. Treasury Department, causing ransomware negotiation firms to stop mediating ransom payments to avoid fines and legal actions.

EvilCorp decided to rename their ransomware operations, so sanctions could no longer be applied. Some of the ransomware names used are WastedLockerHades, and Phoenix.

The Entropy ransomware operation started since at least November 2021, stealing data from breached networks. In the style of other ransomware operations, the Entropy group set up a leak site to publish the names of non-paying victims. As of this writing, the site lists nine organizations in the public and private sector.

Also Read: How to Make Data Protection Addendum Template in Simple Way

Entropy ransomware attacks

In the first attack that Sophos analyzed, the threat actor exploited ProxyShell vulnerabilities in Exchange Server for remote access into a media organization in North America and deployed Cobalt Strike beacons.

The attackers spent four months moving laterally and stealing data before encrypting computers using Entropy ransomware.

Ransom note for Entropy ransomware
source: Sophos

The second attack deployed the Dridex malware on a computer belonging to a regional government organization. Dridex was then used to funnel in other malware that allows pivoting to other systems.

“Significantly, in this second attack, only 75 hours passed between the initial detection of a suspicious login attempt on a single machine and the attackers commencing data exfiltration” – Sophos

Sophos notes that both attacks were possible because the targets had vulnerable Windows machines “that lacked current patches and updates.”

Keeping machines up-to-date and implementing multi-factor authentication (MFA) makes initial access a more difficult task for attackers, the researcher note.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us