Security Alert
Jonathan Crowe
Aug 2017

Alert: Defray Ransomware Launching Extremely Personalized Attacks


Defray ransomware is targeting specific businesses and using convincing, customized email lures designed to net bigger paydays.

Key Details

  • What's happening: A newly identified ransomware variant called Defray is making the rounds via highly targeted, customized email campaigns.
  • Who's being targeted: Verticals currently under attack include Healthcare, Education, Manufacturing, and Technology.
  • Demand amount: Victims are instructed to pay $5,000 in Bitcoin to get their files decrypted.
  • What's new or different: These aren't your average one-size-fits-all spam emails. Attackers have customized them specifically for the target by spoofing corporate email addresses and including company logos in the attachments.
  • What's the same: Barkly blocks Defray automatically, before it has the chance to encrypt any files. Watch for yourself in the video below:


Researchers at Proofpoint have discovered a new ransomware variant being actively distributed in targeted email campaigns. So far, the attackers behind "Defray" have been highly selective with their attacks, going after US and UK-based organizations in the Healthcare, Education, Manufacturing, and Technology verticals.

It's an interesting shift away from the typical "spray and pray" ransomware distribution model. These campaigns appear to be clearly prioritizing personalization — and higher success rates — over volume. 

Attackers creating customized Word document attachments for each target

What sets these Defray attacks apart from the majority of large-scale ransomware email campaigns is the amount of customization going into each "lure".

We've become increasingly used to seeing generic phishing emails carrying fake invoice attachments, but the emails distributing Defray are specifically tailored to the target organization — referencing specific executives at the organization, featuring the organization's logo, and even presenting the emails and attachments in an appropriate context that the recipients at the organization would expect.

Examples:

One email campaign directed at employees at a UK-based hospital was made to look like a "Patient Report" coming from the hospital's Director of IT. 


Customized malicious Word document attachment delivered to UK hospital. Source: Proofpoint

Another email was disguised as an order/quote sent from a representative at a major UK-based aquarium.


Customized malicious attachment sent to manufacturing and technology companies, disguised as a quote from a major aquarium. Source: Proofpoint
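The lure pattern described above, a message that claims an internal corporate sender but carries a customized Word attachment, can be checked at the mail gateway. The following is an added example and is not Barkly's or Proofpoint's code; the organisation's domain, the headers and the attachment are constructed placeholders, not artefacts from the campaign, and the rule flags an internal From: address that our own gateway could not authenticate (SPF/DKIM not "pass") together with any Office attachment.

```python
# Added example (not Barkly's or Proofpoint's code): a gateway-style check for the
# lure pattern described in the alert, a message that claims an internal sender but
# fails sender authentication and carries an Office attachment. The domain name,
# headers and attachment below are constructed placeholders, not campaign data.
from email import policy
from email.parser import BytesParser

OUR_DOMAIN = "example-hospital.invalid"  # placeholder for the organisation's own domain
OFFICE_EXTENSIONS = (".doc", ".docx", ".docm", ".rtf")


def sender_domain(msg):
    """Domain of the first From: address, lower-cased ('' if absent)."""
    header = msg["from"]
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].addr_spec.rsplit("@", 1)[-1].lower()


def auth_results(msg):
    """Parse Authentication-Results into {method: result}, e.g. {'spf': 'fail'}."""
    header = msg.get("authentication-results", "")
    results = {}
    for clause in header.split(";")[1:]:  # clause 0 is the authserv-id
        clause = clause.strip()
        if "=" in clause:
            method, rest = clause.split("=", 1)
            results[method.strip().lower()] = rest.split()[0].lower()
    return results


def office_attachments(msg):
    """Lower-cased filenames of attachments with Office document extensions."""
    names = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(OFFICE_EXTENSIONS):
            names.append(name)
    return names


def assess(raw_bytes):
    """Return the findings for one raw RFC 5322 message (empty list = nothing odd)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    claims_internal = sender_domain(msg) == OUR_DOMAIN
    auth = auth_results(msg)
    # An internal From: address that our own gateway could not authenticate is
    # the spoofed-corporate-sender pattern from the alert.
    if claims_internal and auth.get("spf") != "pass":
        findings.append("internal_sender_spf_not_pass")
    if claims_internal and auth.get("dkim") != "pass":
        findings.append("internal_sender_dkim_not_pass")
    for name in office_attachments(msg):
        findings.append("office_attachment:" + name)
    return findings


# Constructed lure: spoofed "Director of IT", SPF fail, no DKIM, .doc attached.
LURE_RAW = b"""From: "Director of IT" <it.director@example-hospital.invalid>
To: ward.staff@example-hospital.invalid
Subject: Patient Report
Authentication-Results: mx.example-hospital.invalid; spf=fail smtp.mailfrom=example-hospital.invalid; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached patient report.
--b1
Content-Type: application/msword; name="Patient Report.doc"
Content-Disposition: attachment; filename="Patient Report.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed genuine internal mail: authenticated, no attachment.
GENUINE_RAW = b"""From: it.director@example-hospital.invalid
To: ward.staff@example-hospital.invalid
Subject: Maintenance window tonight
Authentication-Results: mx.example-hospital.invalid; spf=pass smtp.mailfrom=example-hospital.invalid; dkim=pass header.d=example-hospital.invalid
MIME-Version: 1.0
Content-Type: text/plain

The mail server will be patched at 22:00.
"""

if __name__ == "__main__":
    print("lure:   ", assess(LURE_RAW))
    print("genuine:", assess(GENUINE_RAW))
```

The check deliberately keys on the gateway's own Authentication-Results header rather than on anything in the message body, because the body and display name are exactly what the attackers customize per target; a real deployment would also need to trust only the Authentication-Results header that its own mail relay added.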


Once the attachment is opened and the embedded object is clicked, it launches an embedded executable (an OLE Packager shell object) that drops the Defray payload in the %TMP% folder, disguised with a common name such as taskmgr.exe or explorer.exe.

Defray encrypts a wide variety of file types it finds on the victim's machine, but does not change the file names or extensions. 

It also deletes volume shadow copies (making it more difficult to recover encrypted files from backups), and on Windows 7 devices it has been observed killing running programs such as web browsers and the Task Manager.

Ransom demand includes note to IT

Once it has completed encrypting the victim's files, Defray creates ransom notes named FILES.TXT. 


The ransom note gives a further indication that the targets of Defray campaigns are businesses, not consumers: it instructs readers to contact someone from their IT department, and specifically states that the victim's business documents, backups, and projects have been encrypted.

The note also includes a note to IT, explaining that the ransomware has been built and tested professionally and that no security companies will be releasing a decryptor. To add insult to potential injury, it also recommends the organization use offline backups to prevent an attack like this from happening again.

Don't panic, read this and contact someone from IT department.
Your computer has been infected with a virus known as ransomware.
All files including your personal or business documents, backups and projects are encrypted.
Encryption is very sophisticated and wihtout paying a ransom you won't get your files back.
You could be advised not to pay, but you should anyway get in touch with us.
Ransom value for your files is 5000$ to be paid in digital currency called Bitcoin.
If you have questions, write us.
If you have doubts, write us.
If you want to negotiate, write us.
If you want to make sure we can get your files back, write us.

glushkov@protonmail.ch
glushkov@tutanota.de
igor.glushkov.83@mail.ru

In case we don't respond to an email within one day, download application called BitMessage and reach to us for the fastest response.
BitMessage BM-2cVPKqFb5ZRaMuYdryqxsMNxFMudibvnY6

########################################################

To someone from IT department

This is custom developed ransomware, decrypter won't be made by an antivirus company. This one doesn't even have a name. It uses AES-256 for encrypting files, RSA-2048 for storing encrypted AES-256 password and SHA-2 for keeping the encrypted file integrity. It's written in C++ and have passed many quality assurance tests. To prevent this next time use offline backups.

########################################################


Considering the targeted and more work-intensive nature of these campaigns, it makes sense that the ransom demand of $5,000 is higher than the average seen in large-volume ransomware campaigns. These attackers are clearly making a trade-off: they expect to score bigger paydays, even if it means netting fewer victims overall.

What to do now

To protect themselves against Defray, companies should ensure their security tools are up to date and blocking files with the following SHA-256 hashes:

  • 947b360b76dd815f5b5d226b8a9aba22fe6b5589a3c16c765625ce2f9d1f5db2
  • 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4

Because it's trivial for attackers to make changes to Defray, however, companies also need to make sure their security solutions don't rely on signature-matching or file scanning alone. Find out how Barkly can automatically protect your company from any future Defray variants by blocking their behavior. 
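The point above, that hash blocking alone is brittle while the behaviour stays the same, can be made concrete against process-creation telemetry. The following is an added example and is not Barkly's or Proofpoint's code: it takes a simplified event record (image path, command line, SHA-256) and applies the two hashes listed in the alert next to behavioural rules for the indicators described earlier, a taskmgr.exe or explorer.exe executing outside the Windows directory (the payload dropped in %TMP%) and shadow-copy deletion. The event format and the sample records are constructed; the Windows directories and the vssadmin/wmic command forms used for the shadow-copy rule are assumptions, since the alert does not say which method Defray uses.

```python
# Added example (not Barkly's or Proofpoint's code): triage of Windows process-
# creation events against the Defray indicators in this alert. The event format and
# the sample records below are constructed for this example.
import ntpath  # Windows path semantics regardless of the host OS

# The two SHA-256 hashes listed in the alert.
KNOWN_BAD_SHA256 = {
    "947b360b76dd815f5b5d226b8a9aba22fe6b5589a3c16c765625ce2f9d1f5db2",
    "08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4",
}

# Names the alert says the dropped payload borrows, and the directories where the
# genuine binaries live (assumption: a default Windows install, lower-cased).
BORROWED_NAMES = {"taskmgr.exe", "explorer.exe"}
LEGIT_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}

# Shadow-copy deletion: the alert does not say which command Defray uses, so this
# matches the commonly abused vssadmin/wmic forms (assumption).
SHADOW_DELETE_PATTERNS = (
    ("vssadmin", "delete", "shadows"),
    ("wmic", "shadowcopy", "delete"),
)


def classify_event(event):
    """Return the list of findings for one process-creation event.

    event: dict with 'image' (full path of the executable), 'command_line'
    and 'sha256' (hex). Findings are ordered: hash first, then behaviour.
    """
    image = event.get("image", "")
    image_dir = ntpath.dirname(image).lower()
    name = ntpath.basename(image).lower()
    cmd = event.get("command_line", "").lower()
    findings = []

    if event.get("sha256", "").lower() in KNOWN_BAD_SHA256:
        findings.append("known_defray_hash")

    # A 'taskmgr.exe' or 'explorer.exe' that does not run from the Windows
    # directory is the masquerade the alert describes (payload in %TMP%).
    if name in BORROWED_NAMES and image_dir not in LEGIT_DIRS:
        findings.append("system_binary_name_outside_windows_dir")
        if "\\temp" in image_dir or "\\tmp" in image_dir:
            findings.append("executing_from_temp")

    if any(all(tok in cmd for tok in pattern) for pattern in SHADOW_DELETE_PATTERNS):
        findings.append("shadow_copy_deletion")

    return findings


# Constructed sample events. Event 2 carries a placeholder hash that is NOT in the
# list, standing in for a recompiled variant, to show that the behavioural rules
# still fire when the hash match does not.
SAMPLE_EVENTS = [
    {"image": "C:\\Users\\alice\\AppData\\Local\\Temp\\taskmgr.exe",
     "command_line": "C:\\Users\\alice\\AppData\\Local\\Temp\\taskmgr.exe",
     "sha256": "947b360b76dd815f5b5d226b8a9aba22fe6b5589a3c16c765625ce2f9d1f5db2"},
    {"image": "C:\\Users\\alice\\AppData\\Local\\Temp\\explorer.exe",
     "command_line": "C:\\Users\\alice\\AppData\\Local\\Temp\\explorer.exe",
     "sha256": "0" * 64},  # placeholder hash for a modified variant
    {"image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet",
     "sha256": "1" * 64},  # placeholder hash
    {"image": "C:\\Windows\\System32\\taskmgr.exe",
     "command_line": "taskmgr.exe",
     "sha256": "2" * 64},  # placeholder hash; the genuine Task Manager
]


def triage(events=SAMPLE_EVENTS):
    """Classify every event; returns a list of (image basename, findings)."""
    return [(ntpath.basename(e["image"]).lower(), classify_event(e)) for e in events]


if __name__ == "__main__":
    for name, findings in triage():
        print(f"{name:14} {findings or 'clean'}")
```

Running the sample shows the genuine Task Manager is left alone, the known sample trips both the hash and the behavioural rules, and the "modified variant" with an unknown hash is still caught on behaviour alone, which is the reason the alert recommends not relying on signature matching by itself.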

Companies should instruct their employees to be on the lookout for any emails that appear to be out of the ordinary, even if it looks like they're being sent from someone internally. 

Considering the amount of personalization involved in making these attacks convincing, however, relying on every single employee not to get fooled is a risky proposition. Find out how Barkly can serve as the perfect employee safety net, blocking attacks even after someone clicks on something they shouldn't have.

Jonathan Crowe


Jonathan covers the latest threats and cybersecurity trends from a practical point of view.
