A new Defray ransomware variant is attacking at targeted sectors. One notable strike was aimed at health care and education verticals, while the other was aimed at manufacturing and technology.

New Ransomware Strain Capabilities

This type of malware has historically been a wide-ranging attack. But that all changes with the new Defray variant.

Proofpoint reported that its researchers came across Defray in the beginning of August during an attack on U.K. manufacturing and technology verticals. It started with a phishing email, with the sender posing as an aquarium representative. The email had the subject “Order/Quote,” along with a Microsoft Word document that contained an embedded executable and an OLE packager shell object.

This attack consisted only of a few messages in total and had lures that were specifically targeted to the victims. When the executable is clicked, the ransomware is dropped in the victim’s %TMP% folder with a name such as taskmgr.exe or explorer.exe. It is then executed.

No file names are changed in this attack, so the threat actors forgo the typical step of extension-marking encrypted files.

Another Day, Another Campaign

A second campaign, this time specific to health care and education, was discovered at the end of August. The poisoned attachment in this case purported to be from the director of Information Management and Technology from a U.K. hospital.

Proofpoint observed that the malware communicated with the command-and-control (C&C) server using both HTTP (cleartext) and HTTPS. Infection information was sent to the server, which was named Defray. This server became known as an identifier for the malware, rather than an appended extension to the encrypted files.

The researchers also noted that the malware authors provided email addresses to further interact with victims and negotiate ransom amounts. Of course, this is one way that the threat actors can be traced, so it remains to be seen how long these addresses are active.

Defray’s Characteristics

The recipients of the malware are individuals or distribution lists, such as group@ and websupport@, Proofpoint found. The geographic targeting is limited to the U.K. and the U.S. so far.

Proofpoint explained that “it is also likely that Defray is not for sale, either as a service or as a licensed application like many ransomware strains.” Instead, the ransomware could be used by specific threat actors with clear objectives.

As always, having current backups of data and not clicking on unknown attachments — no matter how good the social engineering — will be a proactive response to this threat.