A new ransomware exploiting healthcare and education is active. Here’s the latest on the new “DEFRAY” targeted ransomware
The newly discovered Defray ransomware employs a more targeted approach than the usual “spray and pray” methods used by hackers. Reports say that the Defray operators are targeting healthcare, education, manufacturing, and technology organizations using a tailored social engineering strategy. These industries, healthcare in particular, have always been favorites of ransomware authors. The attackers send from legitimate-looking, industry-specific e-mail addresses to make users believe the sender is a real person. They have even embedded the logos and letterheads of real organizations in the phishing e-mails they send.
Defray behavior and demands
As with most ransomware, Defray is spread through phishing emails that try to lure victims into opening a malicious file, most commonly a Microsoft Word document with an embedded object that, once launched, infects the user’s computer and every network drive to which that computer is attached. The ransom demanded to undo the damage is $5,000 in Bitcoin.
The proliferation of Ransomware through email is well-documented and about 79% of all Ransomware detected comes from spam mail.
Luckily, the Defray attacks have been relatively small, and so far only minor campaigns have been tracked. The phishing emails the authors use are well-crafted. For example, for an attack targeting a hospital, the phishing email was from a “hospital IT manager” and the malicious files were disguised as patient reports. In other emails, the attackers masqueraded as a UK-based aquarium company asking for a quote or order, and the malicious file had an “official” logo attached. The specificity and detail show a definite effort to convince targets of their legitimacy, and the more tailored lures show the attackers are investing in more specific targets.
The hackers typically drop a new TXT file onto a user’s desktop that contains the ransom message. Here is a sample of what one of those documents might look like:
[Figure: sample Defray ransom note, which includes a specific message for the IT department]
At this point, files have already been encrypted on the infected computer.
Despite cosmetic changes to the file name, the malicious content is the same across campaigns. Attackers use a Word document with an embedded OLE Packager object. If the victim double-clicks the embedded object, the ransomware (camouflaged as a taskmgr.exe or explorer.exe file) is dropped and run. The ransom note that follows asks for $5,000 in bitcoin and lists three email addresses for contacting the developers. The note actually encourages victims to email them, and even to negotiate the payment. The authors also provide an alternative communication channel, BitMessage, in case email takes too long. Reports confirm that after encrypting files, Defray monitors for programs that might interfere with its purpose: programs with a GUI such as Task Manager and web browsers are shut down.
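One defender-side check that the infection chain above suggests, added here as an example and not code from the original article: a mail-gateway triage step that opens an incoming .docx and flags embedded OLE objects carrying a Packager (`\x01Ole10Native`) stream that wraps a Windows executable. The signatures are generic OLE/PE markers, and the two sample objects are constructed in the block purely to exercise the heuristic; they are not real Defray artifacts.

```python
import io
import zipfile

# Generic structural markers (not Defray-specific indicators).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # OLE compound file header
OLE10NATIVE = "\x01Ole10Native".encode("utf-16-le")    # stream name used by Packager objects
PE_MARKERS = (b"MZ", b"This program cannot be run in DOS mode")

def embedded_object_findings(docx_bytes):
    """List (member, reasons) for every object under word/embeddings/ in a .docx."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("word/embeddings/"):
                continue
            data = zf.read(name)
            reasons = []
            if data.startswith(OLE_MAGIC):
                reasons.append("ole-compound-file")
            if OLE10NATIVE in data:            # directory entry names are stored as UTF-16LE
                reasons.append("packager-object")
            if all(m in data for m in PE_MARKERS):
                reasons.append("embedded-pe")
            findings.append((name, reasons))
    return findings

def should_quarantine(docx_bytes):
    """Quarantine when a Packager object wraps something that looks like a PE file."""
    return any("packager-object" in r and "embedded-pe" in r
               for _, r in embedded_object_findings(docx_bytes))

def build_sample_docx(embedded):
    """Construct a minimal .docx-style zip with one embedded object (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", embedded)
    return buf.getvalue()

# Constructed samples: a benign-looking OLE object and one mimicking a Packager-wrapped executable.
BENIGN_OBJECT = OLE_MAGIC + b"\x00" * 64 + "Workbook".encode("utf-16-le") + b"\x00" * 64
SUSPICIOUS_OBJECT = (OLE_MAGIC + b"\x00" * 64 + OLE10NATIVE + b"\x00" * 16
                     + b"taskmgr.exe\x00" + b"MZ\x90\x00" + PE_MARKERS[1])

if __name__ == "__main__":
    for label, obj in (("benign", BENIGN_OBJECT), ("suspicious", SUSPICIOUS_OBJECT)):
        doc = build_sample_docx(obj)
        verdict = "quarantine" if should_quarantine(doc) else "allow"
        print(label, embedded_object_findings(doc), verdict)
```

A byte-scan heuristic like this is cheap enough to run at the gateway, but it should feed a sandbox or analyst review rather than replace one, since a Packager object can also wrap legitimate files.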