This newly discovered ransomware strain is targeting healthcare, education, manufacturing and tech sectors in the US and UK, using customized spear phishing emails.
Defray is demanding a relatively high ransom amount – $5,000 in Bitcoin, and ironically the word defray means “to provide money to pay a portion of a cost or expense.”
The Defray ransomware infection vector is spear-phishing emails with malicious Microsoft Word document attachments, and the campaigns are as small as just a few messages each. The planning and sophistication of the attacks point to a highly-organized cybercrime gang.
“The ransom note follows a recent trend of fairly high ransom demands; in this case, $5000. However, the actors do provide email addresses so that victims can potentially negotiate a smaller ransom or ask questions, and even go so far as to recommend BitMessage as an alternative for receiving more timely responses. At the same time, they also recommend that organizations maintain offline backups to prevent future infections,” Proofpoint researchers said in a blog.
The Proofpoint researchers, further said that the bad guys using this strain were using official logos of hospitals and businesses to trick users into opening malware-laced email attachments. In one of the campaigns, they designed the phishing emails as if they came from a UK-based aquarium with international locations.
“Defray Ransomware is somewhat unusual in its use in small, targeted attacks. Although we are beginning to see a trend of more frequent targeting in ransomware attacks, it still remains less common than large-scale “spray and pray” campaigns,” Proofpoint researchers said. “It is also likely that Defray is not for sale, either as a service or as a licensed application like many ransomware strains. Instead, it appears that Defray may be for the personal use of specific threat actors, making its continued distribution in small, targeted attacks more likely.”
[contentblock id=72 img=gcb.png]