Defray ransomware is being used in targeted attacks on organizations in the healthcare and education sectors. The new ransomware variant is being distributed via email; however, in contrast to many ransomware campaigns, the emails are not being sent out in the millions. Rather than use the spray and pay method of distribution, small campaigns are being conducted consisting of just a few emails.
To increase the likelihood of infection, the criminals behind Defray ransomware are carefully crafting messages to appeal to specific victims in an organization. Researchers at Proofpoint have captured emails from two small campaigns, one of which incorporates hospital logos in the emails and claims to have been sent by the Director of Information Management & Technology at the targeted hospital.
The emails contain an Microsoft Word attachment that appears to be a report for patients, relatives and carers. The patient report includes an embedded OLE packager shell object. If clicked, this executable downloads and installs Defray ransomware, naming it after a legitimate Windows file.
The ransom demand is considerable. Victims are asked to pay $5,000 per infected machine for the keys to unlock the encryption, although the ransom note does suggest the attackers are prepared to negotiate on price. The attackers suggest victims should backup their files to avoid having to pay ransoms in the future.
There is no known decryptor for defray ransomware. Files are encrypted using AES-256 with RAS-2048 used to encrypt the AES-256 encrypted password while SHA-2 is used to maintain file integrity. In addition to encrypting files, the ransomware variant can cause other disruption and will delete volume shadow copies to prevent the restoration of files without paying the ransom.
The developers of the ransomware have not given their malicious code a name and in contrast to most ransomware variants, the extensions of encrypted files are not changed. Proofpoint named the variant Defray ransomware from the C2 server used by the attackers.
A second campaign has been identified targeting the manufacturing and technology sector. In this case, the email appears to have been sent by a UK aquarium (Sea Life) with facilities around the world. The emails and attachments differ, although the same OLE packager shell object is used to infect end users.
The attackers have been sending these malicious emails to individuals, user groups and distribution lists. Attacks have occurred in both the United States and United Kingdom and are likely to continue.
Protecting against these targeted attacks requires a combination of spam filtering technology and end user training. Organizations in the healthcare, education, technology and manufacturing sectors should consider sending an email alert to end users warning of the risk of ransomware attacks, instructing end users to exercise caution and not to open email attachments from unknown senders and never to click to enable content on email attachments.