August 31, 2017 By Larry Loeb 2 min read

A new Defray ransomware variant is attacking at targeted sectors. One notable strike was aimed at health care and education verticals, while the other was aimed at manufacturing and technology.

New Ransomware Strain Capabilities

This type of malware has historically been a wide-ranging attack. But that all changes with the new Defray variant.

Proofpoint reported that its researchers came across Defray in the beginning of August during an attack on U.K. manufacturing and technology verticals. It started with a phishing email, with the sender posing as an aquarium representative. The email had the subject “Order/Quote,” along with a Microsoft Word document that contained an embedded executable and an OLE packager shell object.

This attack consisted only of a few messages in total and had lures that were specifically targeted to the victims. When the executable is clicked, the ransomware is dropped in the victim’s %TMP% folder with a name such as taskmgr.exe or explorer.exe. It is then executed.

No file names are changed in this attack, so the threat actors forgo the typical step of extension-marking encrypted files.

Another Day, Another Campaign

A second campaign, this time specific to health care and education, was discovered at the end of August. The poisoned attachment in this case purported to be from the director of Information Management and Technology from a U.K. hospital.

Proofpoint observed that the malware communicated with the command-and-control (C&C) server using both HTTP (cleartext) and HTTPS. Infection information was sent to the server, which was named Defray. This server became known as an identifier for the malware, rather than an appended extension to the encrypted files.

The researchers also noted that the malware authors provided email addresses to further interact with victims and negotiate ransom amounts. Of course, this is one way that the threat actors can be traced, so it remains to be seen how long these addresses are active.

Defray’s Characteristics

The recipients of the malware are individuals or distribution lists, such as group@ and websupport@, Proofpoint found. The geographic targeting is limited to the U.K. and the U.S. so far.

Proofpoint explained that “it is also likely that Defray is not for sale, either as a service or as a licensed application like many ransomware strains.” Instead, the ransomware could be used by specific threat actors with clear objectives.

As always, having current backups of data and not clicking on unknown attachments — no matter how good the social engineering — will be a proactive response to this threat.

More from

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - Quick recapThis blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this additional content. As a reminder, PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device,…

83% of organizations reported insider attacks in 2024

4 min read - According to Cybersecurity Insiders' recent 2024 Insider Threat Report, 83% of organizations reported at least one insider attack in the last year. Even more surprising than this statistic is that organizations that experienced 11-20 insider attacks saw an increase of five times the amount of attacks they did in 2023 — moving from just 4% to 21% in the last 12 months.With insider threats on the rise, it’s critical for businesses to recognize the real dangers that originate from inside…

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today