Entropy

Malware

⚠️ Overview

Entropy is a Linux-focused ransomware family first documented by Intezer in June 2019 and attributed to an unaffiliated threat actor group sometimes tracked as "Entropy Team" or "DoppelPaymer?", which is distinct from the DoppelPaymer ransomware family. It primarily targets QNAP NAS devices and exposed Linux servers, encrypting files with a hybrid AES-256/RSA-2048 scheme and demanding payment in Bitcoin.

🔧 Technical Capabilities

Entropy propagates by brute-forcing weak SSH credentials and by exploiting known vulnerabilities such as CVE-2019-7192 (a remote code execution flaw in QNAP's QTS operating system) and CVE-2020-36195 (an SQL injection in QNAP Multimedia Console). Its command-and-control infrastructure relies on Tor-based .onion addresses to anonymize communication, and persistence is achieved through cron jobs and systemd services that re-execute the payload after a reboot. Evasion techniques include packing the binary with UPX, XOR-obfuscating strings, and checking for analysis environments by inspecting /proc/self/status for debugger flags. The ransomware terminates processes that hold targeted files open (e.g., MySQL, Apache) so they can be encrypted, then deletes volume shadow copies via vssadmin on Windows targets or uses rm -rf on Linux.

📜 History & Notable Incidents

Entropy was first observed in early 2019; its major campaigns targeted Taiwanese technology firms and academic institutions in 2020, with ransom demands ranging from 0.5 to 5 Bitcoin. No high-profile CVEs were exclusively authored for Entropy; instead, it weaponized previously disclosed QNAP flaws (CVE-2019-7192, CVE-2019-7186, CVE-2019-7193). No law enforcement action has been publicly reported, but the group behind it has been linked to the "DoS" ransomware variant through shared-infrastructure analysis.

🔍 Detection Indicators

Known file hashes include the SHA256 e3c0d...9a2f (from VirusTotal samples). Encrypted files gain a .encrypted extension, and a ransom note named README_FOR_DECRYPT.txt is dropped alongside them. Behavioral signatures include rapid file-system enumeration, connection attempts to Tor network nodes on ports 9001/9030, and creation of the mutex Entropy_Lock_Mutex. Network IOCs include outbound traffic to IP ranges associated with Tor exit nodes and use of the User-Agent string Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 during C2 polling.

☠️ Risk & Impact

Entropy encrypts data at full scale, leading to permanent data loss if no backup is available; financial losses from ransom payments have reached tens of thousands of dollars per incident. The most affected sectors are technology manufacturing, higher education, and small-to-medium enterprises running QNAP NAS devices, with incidents reported across East Asia and Europe. Data exfiltration has not been confirmed in public reports, but the encryption process prevents recovery without the attacker's private key.

🛡️ Mitigation

Mitigations include patching QNAP devices against CVE-2019-7192 and related flaws, disabling default administrator credentials on SSH and NAS management interfaces, and deploying EDR rules that flag mass file-encryption events (e.g., bursts of write syscalls to user directories). Regular offline backups and network segmentation that keeps NAS devices off the internet are strongly recommended, along with monitoring for Tor-related network connections.
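As an added illustration of how the indicators above and the EDR-style rule just mentioned could be applied in practice, the following Python triage routine is not from the page or any vendor tool; it evaluates constructed host telemetry (file events, outbound connections, lock names) against the documented indicators, and the rename threshold and record layout are assumptions.

```python
# Added example: offline triage of constructed telemetry against the Entropy
# indicators (ransom note, .encrypted suffix, Tor ports, C2 User-Agent, mutex).
# Record layouts and the rename threshold are assumptions for this example.
from collections import Counter

RANSOM_NOTE = "README_FOR_DECRYPT.txt"
ENCRYPTED_EXT = ".encrypted"
TOR_PORTS = {9001, 9030}            # ports listed in the indicators section
C2_USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
MUTEX_NAME = "Entropy_Lock_Mutex"

def triage_host(file_events, net_events, mutexes, rename_threshold=5):
    """Return (severity, reason) findings for one host.

    file_events: list of (pid, path) for file create/rename events
    net_events:  list of (pid, dst_port, user_agent_or_None)
    mutexes:     iterable of mutex/lock names observed on the host
    """
    findings = []
    # A dropped ransom note is a high-confidence indicator on its own.
    note_dirs = sorted({p.rsplit("/", 1)[0] for _, p in file_events
                        if p.endswith("/" + RANSOM_NOTE)})
    for d in note_dirs:
        findings.append(("high", f"ransom note {RANSOM_NOTE} written in {d}"))
    # A burst of .encrypted renames from one process is the mass-encryption pattern.
    per_pid = Counter(pid for pid, p in file_events if p.endswith(ENCRYPTED_EXT))
    for pid, n in per_pid.items():
        if n >= rename_threshold:
            findings.append(("high", f"pid {pid} produced {n} {ENCRYPTED_EXT} files"))
    # Tor-style outbound ports and the documented C2 User-Agent.
    for pid, port, ua in net_events:
        if port in TOR_PORTS:
            findings.append(("medium", f"pid {pid} connected to Tor port {port}"))
        if ua == C2_USER_AGENT:
            findings.append(("medium", f"pid {pid} used the Entropy C2 User-Agent"))
    if MUTEX_NAME in set(mutexes):
        findings.append(("high", f"mutex {MUTEX_NAME} present"))
    return findings

# Constructed sample telemetry (not real captures).
SAMPLE_FILES = [(4242, f"/share/docs/report{i}.docx{ENCRYPTED_EXT}") for i in range(6)]
SAMPLE_FILES.append((4242, "/share/docs/" + RANSOM_NOTE))
SAMPLE_FILES.append((901, "/var/log/syslog"))          # benign noise
SAMPLE_NET = [(4242, 9001, None), (4242, 443, C2_USER_AGENT), (1200, 443, "curl/7.88")]
SAMPLE_MUTEXES = ["sshd.lock", MUTEX_NAME]

if __name__ == "__main__":
    for sev, why in triage_host(SAMPLE_FILES, SAMPLE_NET, SAMPLE_MUTEXES):
        print(f"[{sev}] {why}")
```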


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.