Earlier this month, researchers at Proofpoint spotted a targeted ransomware campaign against education and healthcare organizations. The ransomware used in the campaign was dubbed Defray, based on the command and control (C&C) server hostname used for the first observed attack:
The ransomware is being spread via Microsoft Word document attachments in email.
The researchers observed two targeted attack on Aug. 15, and on Aug. 22, and both appeared to be designed for specific organizations.
The attack on August 22, aimed primarily at Healthcare and Education involving messages with a Microsoft Word document containing an embedded executable (specifically, an OLE packager shell object). The attachment features a UK hospital logo in the upper right and purports to be from the Director of Information Management & Technology at the hospital.
The attack on August 15 targeted Manufacturing and Technology verticals, attackers used messages with the subject “Order/Quote” and a Microsoft Word document containing an embedded executable (also an OLE packager shell object).
The attachment used a lure referencing a UK-based aquarium purported to be from a representative of the aquarium.
The attackers behind the Defray ransomware ask for $5,000, but researchers highlighted that the ransom note contains several email addresses, presumably of the cybercriminal Igor Glushkov,to allow victims to “negotiate a smaller ransom or ask questions.”
The Defray ransomware targets a hardcoded list of file types but doesn’t change the file extension names. After encryption is complete, the Defray ransomware may cause other general havoc on the system by disabling startup recovery and deleting volume shadow copies. On Windows 7, it monitors and kills running programs with a GUI, such as the task manager and browsers.
Experts speculate the threat could be being used privately and for this reason, it is less likely Defray ransomware will continue to be used in limited, targeted attacks.
“Defray Ransomware is somewhat unusual in its use in small, targeted attacks. Although we are beginning to see a trend of more frequent targeting in ransomware attacks, it still remains less common than large-scale “spray and pray” campaigns. It is also likely that Defray is not for sale, either as a service or as a licensed application like many ransomware strains. Instead, it appears that Defray may be for the personal use of specific threat actors, making its continued distribution in small, targeted attacks more likely” concluded Proofpoint.
(Security Affairs – Defray Ransomware, hacking)