The researchers at Proofpoint has discovered a new variant of Defray ransomware targeting healthcare, educational and manufacturing sectors. Researchers discovered Defray earlier on August first week during a phishing attack on U.K manufacturing and technology verticals. By August end, Defray spreaded across healthcare and educational sectors in UK.
How Defray enters a network?The Defray attack started with a phishing email which was disguised as an order/quote from a representative on a UK based aquarium.
The email consists a word document with an embedded execute (also an OLE packager shell object) and if the victim clicks the embedded executable, the ransomware is dropped in the victim’s %TMP% folder. The file name could be such as taskmgr.exe or explorer.exe.Defray ransomware :- Encrypts the files
- Delete the shadow file copies
- Make users more difficult to recover encrypted files via backup
- No file names or extensions are changed.
Experts also observed Defray communicating with external command and control server using both HTTPS and HTTP and infection was reported to the server.
Once the files are encrypted, the Defray ransomware creates a ransom note named FILES.TXT which contains the text below:Don't panic, read this and contact someone from IT department.Your computer has been infected with a virus known as ransomware.All files including your personal or business documents, backups and projects are encrypted.Encryption is very sophisticated and without paying a ransom you won't get your files back.You could be advised not to pay, but you should anyway get in touch with us.Ransom value for your files is 5000$ to be paid in digital currency called Bitcoin.If you have questions, write us.If you have doubts, write us.If you want to negotiate, write us.If you want to make sure we can get your files back, write us.[email protected][email protected][email protected]In case we don't respond to an email within one day, download application called BitMessage and reach to us for the fastest response.BitMessage BM-2cVPKqFb5ZRaMuYdryqxsMNxFMudibvnY6########################################################To someone from IT departmentThis is custom developed ransomware, decrypter won't be made by an antivirus company. This one doesn't even have a name. It uses AES-256 for encrypting files, RSA-2048 for storing encrypted AES-256 password and SHA-2 for keeping the encrypted file integrity. It's written in C++ and have passed many quality assurance tests. To prevent this next time use offline backups. According to Proofpoint researchers “
It is also likely that Defray is not for sale, either as a service or as a licensed application like many ransomware strains. Instead, it appears that Defray may be for the personal use of specific threat actors, making its continued distribution in small, targeted attacks more likely".
