Defray Ransomware Uses Custom Logos to Gain Access to Data

Category: Blog, Security  |  Tuesday, September 5th, 2017

A new strain of ransomware called Defray has recently been reported. Unlike most wide-ranging ransomware campaigns, Defray specifically targets healthcare, education, manufacturing, and technology organizations using custom-crafted logos and emails.

Defray spreads through phishing emails that include a document carrying the ransomware; the payment demand is $5,000.

According to Proofpoint, Defray is a social engineering attack that relies on custom-crafted emails designed to appeal to the recipient. The attachments typically carry logos matched to the vertical being targeted so that they appear legitimate.

Strangely enough, in addition to the ransom demand, the hackers note that a smaller ransom can be negotiated, and they highlight the strength of the ransomware to dissuade victims from attempting decryption on their own.

New Ransomware Strain Capabilities

Proofpoint reported that its researchers came across Defray in the beginning of August during an attack on U.K. manufacturing and technology verticals. It started with a phishing email, with the sender posing as an aquarium representative. The email had the subject “Order/Quote,” along with a Microsoft Word document that contained an embedded executable and an OLE packager shell object.

This attack consisted of only a few messages in total, with lures specifically tailored to the victims. When the embedded executable is clicked, the ransomware is dropped into the victim’s %TMP% folder under a name such as taskmgr.exe or explorer.exe and is then executed.

Encrypted files are not renamed in this attack, so the threat actors forgo the typical step of appending a marker extension to them.
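As an added defender-side example (not from the original post or from Proofpoint), the drop-to-%TMP% behaviour described above can be checked in process-creation telemetry: a binary named taskmgr.exe or explorer.exe running from anywhere but its Windows home directory, particularly from a temp folder or under an Office parent, warrants a look. The sample records, the Image/ParentImage field names and the Office-parent heuristic are constructed assumptions, not details from the write-up.

```python
from pathlib import PureWindowsPath

# Names Defray used for its dropped binary (from the write-up above), mapped to the
# directories where the genuine Windows binaries of those names live.
SYSTEM_BINARY_HOMES = {
    "taskmgr.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
}
# Path fragments that identify a temp location such as %TMP%.
TEMP_MARKERS = (r"\appdata\local\temp", r"\windows\temp")
# Assumption: the write-up says the executable was launched from a Word attachment,
# so an Office parent is treated as an extra indicator (not stated by the source).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

def parse_event(line):
    """Parse a constructed 'Key=Value|Key=Value' process-creation record into a dict."""
    return dict(field.partition("=")[::2] for field in line.strip().split("|"))

def classify(image, parent_image):
    """Return the reasons a process creation matches the Defray drop pattern ([] if none)."""
    img = PureWindowsPath(image.lower())
    name, folder = img.name, str(img.parent)
    reasons = []
    homes = SYSTEM_BINARY_HOMES.get(name)
    if homes is None:
        return reasons  # not one of the impersonated names
    if folder not in homes:
        reasons.append(f"{name} running outside its home directory ({folder})")
    if any(marker in folder for marker in TEMP_MARKERS):
        reasons.append("image launched from a temp directory")
    if PureWindowsPath(parent_image.lower()).name in OFFICE_PARENTS:
        reasons.append("spawned by an Office application")
    return reasons

SAMPLE_EVENTS = [  # constructed records in a Sysmon-like shape, not real telemetry
    r"Image=C:\Windows\System32\taskmgr.exe|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Users\alice\AppData\Local\Temp\taskmgr.exe"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"Image=C:\Users\bob\AppData\Local\Temp\explorer.exe|ParentImage=C:\Windows\System32\svchost.exe",
    r"Image=C:\Windows\explorer.exe|ParentImage=C:\Windows\System32\userinit.exe",
]

def scan(lines):
    """Return {image_path: reasons} for every record that matches the pattern."""
    hits = {}
    for line in lines:
        ev = parse_event(line)
        if reasons := classify(ev["Image"], ev["ParentImage"]):
            hits[ev["Image"]] = reasons
    return hits
```

Running `scan(SAMPLE_EVENTS)` flags only the two temp-folder copies; the genuine System32 and C:\Windows binaries pass untouched.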

Healthcare Targeted

A second campaign, this time specific to healthcare and education, was discovered at the end of August. The poisoned attachment in this case purported to come from the director of Information Management and Technology at a U.K. hospital.

Proofpoint observed that the malware communicated with its command-and-control (C&C) server over both HTTP (cleartext) and HTTPS. Infection details were sent to this server, which was named Defray. Because no extension is appended to encrypted files, the server name became the identifier for the malware.

The researchers also noted that the malware authors provided email addresses to further interact with victims and negotiate ransom amounts. Of course, this is one way that the threat actors can be traced, so it remains to be seen how long these addresses are active.

Defray’s Targets

The recipients of the malware are individuals or distribution lists, such as group@ and websupport@, Proofpoint found. The geographic targeting is limited to the U.K. and the U.S. so far.

Proofpoint explained that “it is also likely that Defray is not for sale, either as a service or as a licensed application like many ransomware strains.” Instead, the ransomware could be used by specific threat actors with clear objectives.

As a general rule, keep your data backups current and think before you click, no matter how well you know the sender.

If you need help with comprehensive cyber security strategy, give EnhancedTECH a call at 714-970-9330 x290 or contact us at sales@enhancedtech.com for a complimentary security consultation.

Samantha Keller

Director of Marketing and PR at EnhancedTECH
Samantha Keller (AKA Sam) is a published author, tech-blogger, event-planner and mother of three fabulous humans. Samantha has worked in the IT field for the last fifteen years, intertwining a freelance writing career along with technology sales, events and marketing. She began working for EnhancedTECH ten years ago after earning her Bachelor’s degree from UCLA and attending Fuller Seminary. She is a lover of kickboxing, extra-strong coffee, and Wolfpack football. Her regular blog columns feature upcoming tech trends, cybersecurity tips, and practical solutions geared towards enhancing your business through technology.