Healthcare and Education Sectors hit by Defray Ransomware

Defray ransomware is being used in targeted hacking campaigns against organizations in the healthcare and education sectors. The new ransomware variant is being distributed via email; however, in contrast to many ransomware campaigns, the emails are not being sent in the millions. Rather than using the "spray and pray" method of mass distribution, the attackers are running small-scale campaigns consisting of just a few emails.

To boost the chances of a successful infection, the hackers behind Defray ransomware are carefully crafting messages to target specific victims within an organization. Researchers at Proofpoint have captured emails from two small campaigns, one of which includes hospital logos in the emails and claims to have been sent to the Director of Information Management & Technology at the hospital.

The emails include a Microsoft Word attachment that appears to be a report for patients, relatives and carers. The patient report contains an embedded OLE packager shell object. If the embedded object is clicked, the executable downloads Defray ransomware and saves it under the name of a legitimate Windows file.
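A defender triaging attachments of the kind described above can check a Word document for embedded OLE objects before anyone opens it. The following added example (not code from the article or from Proofpoint) treats a .docx as the zip archive it is, lists any parts under word/embeddings/, and pulls the ProgID of each OLEObject element in word/document.xml; an OLE packager shell object carries the ProgID "Package" (that mapping is assumed here). The sample document is constructed inline so the check runs offline.

```python
import io
import re
import zipfile

# Constructed sample document.xml containing one embedded packager object.
# A real document has many more parts; only the ones this check reads are built.
SAMPLE_DOCUMENT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"
            xmlns:o="urn:schemas-microsoft-com:office:office"
            xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <w:body><w:p><w:r><w:object>
    <o:OLEObject Type="Embed" ProgID="Package" ShapeID="_x0000_i1025" r:id="rId5"/>
  </w:object></w:r></w:p></w:body>
</w:document>"""


def build_sample_docx(with_package: bool) -> bytes:
    """Build a minimal .docx-style zip in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if with_package:
            zf.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
            # Placeholder embedded object: an OLE compound-file magic prefix plus padding.
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
        else:
            zf.writestr("word/document.xml", b"<w:document/>")
    return buf.getvalue()


# Matches <o:OLEObject ... ProgID="..."> and captures the ProgID value.
PROGID_RE = re.compile(rb'<o:OLEObject\b[^>]*\bProgID="([^"]+)"')


def triage_docx(data: bytes) -> dict:
    """Report embedded OLE parts and ProgIDs found in a .docx byte string."""
    result = {"embeddings": [], "progids": [], "has_packager": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["embeddings"] = [n for n in names if n.startswith("word/embeddings/")]
        if "word/document.xml" in names:
            xml = zf.read("word/document.xml")
            result["progids"] = [m.decode() for m in PROGID_RE.findall(xml)]
    # "Package" is the assumed ProgID of the OLE packager shell object.
    result["has_packager"] = "Package" in result["progids"]
    return result


if __name__ == "__main__":
    for flag in (True, False):
        print(f"with_package={flag}:", triage_docx(build_sample_docx(flag)))
```

Any document that reports a "Package" ProgID or a non-empty embeddings list deserves a closer look in a sandbox before it reaches the user; the check is deliberately conservative and flags the object type rather than trying to judge the payload.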

The ransom demand is large. Victims are instructed to pay $5,000 per infected device for the keys to unlock the encryption, although the ransom note does imply the hackers are prepared to negotiate on price. The hackers suggest victims should create backups of their files to avoid having to pay ransoms in the future.

At present there is no known decryptor for Defray ransomware. Files are encrypted using AES-256, with RSA-2048 used to encrypt the AES-256 password and SHA-2 used to verify file integrity. In addition to encrypting files, the ransomware variant causes other disruption and will erase volume shadow copies to prevent the restoration of files without paying the ransom.
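Because deleting volume shadow copies is a step many ransomware families take before or after encryption, it is a useful detection point. The following added example (not code from the article) runs a small detection over constructed process-creation events in a simple "image | command line" export format, flagging the well-known shadow copy deletion commands (vssadmin delete shadows, wmic shadowcopy delete) while leaving read-only commands such as "vssadmin list shadows" alone. The event format and sample lines are assumptions made for the example.

```python
import re

# Constructed sample process-creation events: "image path | command line".
SAMPLE_EVENTS = [
    r"C:\Windows\System32\vssadmin.exe | vssadmin.exe delete shadows /all /quiet",
    r"C:\Windows\System32\wbem\WMIC.exe | wmic shadowcopy delete",
    r"C:\Windows\System32\vssadmin.exe | vssadmin.exe list shadows",
    r"C:\Windows\explorer.exe | explorer.exe",
]

# Command-line patterns that remove shadow copies; case-insensitive so that
# mixed-case invocations are still caught.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
]


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True when the command line deletes volume shadow copies."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def flag_events(events):
    """Return (image, command line) pairs for events that delete shadow copies."""
    flagged = []
    for line in events:
        image, _, cmdline = line.partition(" | ")
        if is_shadow_copy_deletion(cmdline):
            flagged.append((image.strip(), cmdline.strip()))
    return flagged


if __name__ == "__main__":
    for image, cmdline in flag_events(SAMPLE_EVENTS):
        print(f"ALERT shadow copy deletion: {image} -> {cmdline}")
```

In production the same logic sits behind an allowlist for the backup software that legitimately manages shadow copies, and an alert on this behaviour is treated as an incident trigger rather than a curiosity, since by the time it fires encryption may already be under way.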

The developers of the ransomware have not given their malicious code a name, and in contrast to most ransomware variants, the extensions of encrypted files are not changed. Proofpoint named the variant Defray ransomware after the C2 server used by the hackers.

A second campaign has been discovered targeting the manufacturing and technology sector. In this case, the email appears to have been sent by a UK aquarium operator (Sea Life) with facilities around the world. The emails and attachments differ from the first campaign, although the same OLE packager shell object is used to infect end users.

The hackers have been sending these malicious emails to individuals, user groups and distribution lists. Attacks have occurred in both the United States and the United Kingdom and are likely to continue.

Safeguarding against these targeted attacks requires a combination of spam filtering software and end user training. Healthcare, education, technology and manufacturing companies should consider sending an email alert to end users warning of the dangers of ransomware attacks, advising them to use caution, not to open email attachments from unknown senders, and never to click to enable content in email attachments.


Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related areas of IT security breaches. Elizabeth focuses on data privacy and the secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone