WatchPoint Security Blog

Defray Ransomware Using Personalized Attacks to Net Big Paydays

Written by Jordan Kadlec | September 13, 2018

Photo courtesy of ThreatVector.com

Defray, a new ransomware variant discovered by Proofpoint, is targeting specific businesses and using convincing, customized email lures designed to net major paydays. The ransomware campaign is believed to be targeting healthcare, education, manufacturing and technology industries and demands $5,000 in Bitcoin to get their files decrypted.

How the Defray Ransomware Campaign Works

Based on initial investigations, Defray ransomware comes in two forms that we have recently discussed in past articles: Phishing and Business Email Compromise (BEC). What sets Defray apart from typical ‘spray and pray’ ransomware or phishing campaigns is the amount of customization involved in the emails. Each email sent is specifically tailored to the targeted company – referencing specific executives at the organization, including the organization’s logo in the email, and even presenting the emails and attachments in an appropriate context that the recipients at the organization would expect.

A recent Defray ransomware attack at a UK-based hospital used the BEC approach and sent a ‘Patient Report’ that looked like it came from the hospital’s Director of IT. In another instance, an email was disguised as a quote from a representative at a major UK-based aquarium.

When the attachment is opened and clicked on, an embedded executable drops the Defray payload in the %TMP% folder disguised with a commonly seen name such as taskmgr.exe or explorer.exe. Unlike other very popular forms of ransomware, Defray does not change the name or append extensions to the end of encrypted files. On top of that, Defray deletes volume shadow copies, making it more difficult to recover encrypted files via backups.

Once the encryption process is completed, Defray creates ransom notes in each folder that has encrypted files. The ransom note, titled FILES.TXT, provides further indication that the ransomware campaign is targeting businesses rather than individuals.

“Don’t panic, read this and contact someone from IT department,” reads the first sentence of the ransom note. The creators of Defray are quite confident in their product, stating: “This is custom developed ransomware, decrypter won’t be made by an antivirus company.”

As we mentioned before, the ransom demanded is $5,000 in Bitcoin. It appears the distributors of the ransomware want bigger paydays for the amount of legwork they are putting in. Typically, ransoms are around $1,000. However, those campaigns use the ‘spray and pray’ technique and are trying to infect anyone and everyone.

Protect Against Defray Ransomware

With companies and their employees becoming more and more aware of cybersecurity risks, we can presume that more ransomware, phishing, or BEC attacks such as Defray are being developed. Like these attacks, our education on cybersecurity risks must become more in-depth. Each time a threat like Defray appears, companies need to instruct their employees to be on the lookout for the types of emails included in the campaign. Considering the amount of personalization involved in making these attacks so successful, however, relying on every single employee to not get fooled into clicking on a malicious link is quite risky. Find out how WatchPoint can serve as the perfect employee safety net and protect you from these types of cybersecurity risks.