
Entropy Ransomware

The Entropy Ransomware is a malware threat that has been used in threatening operations since at least November 2021. The cybercriminals responsible for the threat use a double-extortion scheme to force their victims to pay the demanded ransom. First, they collect sensitive information and then deploy Entropy to lock the files on the compromised computers. The attackers then threaten to publish the exfiltrated information via a dedicated leak site. So far, the group's site lists nine victims in total, from both the public and private sectors.

Connection to Dridex and EvilCorp

According to a report released by Sophos, the Entropy Ransomware contains multiple similarities at the code level to the infamous Trojan threat known as Dridex. Dridex was initially developed as a banking Trojan but was soon equipped with expanded intrusive functionality and turned into a general-purpose invasive threat. Dridex was spread via phishing emails and is attributed to the EvilCorp (Indrik Spider) hacker group.

This is not the only connection between EvilCorp and the Entropy Ransomware, though. In the report from Sophos, the researchers point out that systems where Entropy's packer code was detected had also been targeted by the DoppelPaymer Ransomware. DoppelPaymer is another malware threat attributed to EvilCorp.

It should be pointed out that this is not the group's first attempt to rebrand itself since the sanctions enacted by the U.S. Treasury Department in 2019. To avoid the ban, the hackers have moved through several ransomware names, including WastedLocker, Hades and Phoenix.
