August 31, 2017 By Larry Loeb 2 min read

A new Defray ransomware variant is attacking at targeted sectors. One notable strike was aimed at health care and education verticals, while the other was aimed at manufacturing and technology.

New Ransomware Strain Capabilities

This type of malware has historically been a wide-ranging attack. But that all changes with the new Defray variant.

Proofpoint reported that its researchers came across Defray in the beginning of August during an attack on U.K. manufacturing and technology verticals. It started with a phishing email, with the sender posing as an aquarium representative. The email had the subject “Order/Quote,” along with a Microsoft Word document that contained an embedded executable and an OLE packager shell object.

This attack consisted only of a few messages in total and had lures that were specifically targeted to the victims. When the executable is clicked, the ransomware is dropped in the victim’s %TMP% folder with a name such as taskmgr.exe or explorer.exe. It is then executed.

No file names are changed in this attack, so the threat actors forgo the typical step of extension-marking encrypted files.

Another Day, Another Campaign

A second campaign, this time specific to health care and education, was discovered at the end of August. The poisoned attachment in this case purported to be from the director of Information Management and Technology from a U.K. hospital.

Proofpoint observed that the malware communicated with the command-and-control (C&C) server using both HTTP (cleartext) and HTTPS. Infection information was sent to the server, which was named Defray. This server became known as an identifier for the malware, rather than an appended extension to the encrypted files.

The researchers also noted that the malware authors provided email addresses to further interact with victims and negotiate ransom amounts. Of course, this is one way that the threat actors can be traced, so it remains to be seen how long these addresses are active.

Defray’s Characteristics

The recipients of the malware are individuals or distribution lists, such as group@ and websupport@, Proofpoint found. The geographic targeting is limited to the U.K. and the U.S. so far.

Proofpoint explained that “it is also likely that Defray is not for sale, either as a service or as a licensed application like many ransomware strains.” Instead, the ransomware could be used by specific threat actors with clear objectives.

As always, having current backups of data and not clicking on unknown attachments — no matter how good the social engineering — will be a proactive response to this threat.

More from

Skills shortage directly tied to financial loss in data breaches

2 min read - The cybersecurity skills gap continues to widen, with serious consequences for organizations worldwide. According to IBM's 2024 Cost Of A Data Breach Report, more than half of breached organizations now face severe security staffing shortages, a whopping 26.2% increase from the previous year.And that's expensive. This skills deficit adds an average of $1.76 million in additional breach costs.The shortage spans both technical cybersecurity skills and adjacent competencies. Cloud security, threat intelligence analysis and incident response capabilities are in high demand. Equally…

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today