Defray Ransomware Using Custom Logos to Gain Access to Data

By:  |  Category: Blog, Security  |  Tuesday, September 5th, 2017

A new strain of ransomware called Defray has recently been reported. Defray, unlike most wide-ranging ransomware attacks, is specifically targeting healthcare, education, manufacturing, and technology using custom crafted logos and emails.

Defray spreads through phishing emails that include a document carrying the ransomware; the ransom demand is $5,000.

According to Proofpoint, Defray is a social engineering attack that uses custom-crafted emails to appeal to the recipient. Typically, the attachments carry logos specific to the vertical being targeted so that they appear legitimate.

Strangely enough, in addition to the ransom demand, the attackers note that a smaller ransom can be negotiated, and they stress the strength of the encryption to dissuade victims from attempting to recover the files themselves.

New Ransomware Strain Capabilities

Proofpoint reported that its researchers came across Defray in the beginning of August during an attack on U.K. manufacturing and technology verticals. It started with a phishing email, with the sender posing as an aquarium representative. The email had the subject “Order/Quote,” along with a Microsoft Word document that contained an embedded executable and an OLE packager shell object.

This attack consisted only of a few messages in total and had lures that were specifically targeted to the victims. When the executable is clicked, the ransomware is dropped in the victim’s %TMP% folder with a name such as taskmgr.exe or explorer.exe. It is then executed.
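As an added example (not from the original post or from Proofpoint's analysis), a triage check a defender could run on an incoming .docx attachment before it reaches a user: it lists the embedded OLE objects stored inside the document container and reports whether the document declares a Packager Shell Object, the carrier described above. The container layout and the `ProgID="Package"` marker are part of the Office Open XML format; the sample document is constructed inline and is not a real lure.

```python
import io
import re
import zipfile

# Word stores embedded OLE objects under this prefix inside the .docx zip container.
EMBEDDING_PREFIX = "word/embeddings/"
# A Packager Shell Object is declared in word/document.xml with ProgID="Package".
PACKAGE_PROGID = re.compile(r'<o:OLEObject\b[^>]*\bProgID="Package"', re.IGNORECASE)


def inspect_docx(data: bytes) -> dict:
    """Return embedded-object entries and whether a Packager object is declared."""
    result = {"embeddings": [], "packager_object": False, "error": None}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            result["embeddings"] = [n for n in names if n.startswith(EMBEDDING_PREFIX)]
            if "word/document.xml" in names:
                xml = z.read("word/document.xml").decode("utf-8", "replace")
                result["packager_object"] = bool(PACKAGE_PROGID.search(xml))
    except zipfile.BadZipFile:
        # Not a zip container at all: an .rtf/.doc or a renamed binary, handle separately.
        result["error"] = "not a docx/zip container"
    return result


def is_suspicious(data: bytes) -> bool:
    """Flag a document that declares a Packager object or ships any embedded OLE binary."""
    r = inspect_docx(data)
    return r["packager_object"] or any(n.lower().endswith(".bin") for n in r["embeddings"])


def build_sample_docx(with_package: bool) -> bytes:
    """Constructed minimal .docx for testing: only the zip layout, no real payload."""
    body = "<w:p><w:r><w:t>Order/Quote</w:t></w:r></w:p>"
    if with_package:
        body += ('<w:r><w:object><o:OLEObject Type="Embed" ProgID="Package" '
                 'r:id="rId5"/></w:object></w:r>')
    document = f'<?xml version="1.0"?><w:document>{body}</w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document)
        if with_package:
            # Placeholder bytes standing in for an OLE compound file (constructed).
            z.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
    return buf.getvalue()


if __name__ == "__main__":
    print("lure flagged:", is_suspicious(build_sample_docx(True)))
    print("clean flagged:", is_suspicious(build_sample_docx(False)))
```

A mail gateway or sandbox would run `is_suspicious` over each attachment and quarantine hits for analyst review rather than blocking outright, since some legitimate documents also embed objects.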

No file names are changed in this attack, so the threat actors forgo the typical step of extension-marking encrypted files.

Healthcare Targeted

A second campaign, this time specific to health care and education, was discovered at the end of August. The poisoned attachment in this case purported to be from the director of Information Management and Technology from a U.K. hospital.

Proofpoint observed that the malware communicated with its command-and-control (C&C) server over both HTTP (cleartext) and HTTPS. Infection details were sent to a server named Defray, and that name became the identifier for the malware, since it appends no extension to the encrypted files.

The researchers also noted that the malware authors provided email addresses to further interact with victims and negotiate ransom amounts. Of course, this is one way that the threat actors can be traced, so it remains to be seen how long these addresses are active.

Defray’s Targets

The recipients of the malware are individuals or distribution lists, such as [email protected] and [email protected], Proofpoint found. The geographic targeting is limited to the U.K. and the U.S. so far.

Proofpoint explained that “it is also likely that Defray is not for sale, either as a service or as a licensed application like many ransomware strains.” Instead, the ransomware could be used by specific threat actors with clear objectives.

As a general rule, keep your data backups current and think before you click, no matter how well you know the sender.

If you need help with comprehensive cyber security strategy, give EnhancedTECH a call at 714-970-9330 x290 or contact us at [email protected] for a complimentary security consultation.


Source image: https://www.pexels.com/photo/aged-antique-classic-keys-429246/
