Defray, a new but so far small strain of ransomware, was spotted by researchers targeting companies in the education and healthcare verticals.
Researchers with Proofpoint, who spotted two attacks dropping the ransomware (one on Aug. 15, one on Aug. 22), say that, while uncommon, the malware may not be destined for large-scale attacks.
Researchers took the malware's name from the hostname of its command and control server: defrayable-listings[.]000webhostapp[.]com
In one campaign the Word document purported to come from a UK-based hospital's Director of Information Management and Technology. In the other, the Word document presented itself as coming from a UK-based aquarium with international locations, likely SEA LIFE, an aquarium with locations in Birmingham, Brighton, and Manchester and additional locations in the U.S., Australia, and China.
In both cases the malware was delivered as an embedded executable, an OLE Packager shell object inside the document. If a user double-clicks through, the ransomware, disguised as taskmgr.exe or explorer.exe, is dropped and installed.
The attacker asks for $5,000 in ransom notes dropped throughout the victim's machine, but, as the researchers point out, several email addresses, presumably belonging to the cybercriminal (Igor Glushkov), are included so the victims can either "negotiate a smaller ransom or ask questions."
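Two observables in this report lend themselves to simple endpoint and DNS detection: the dropped binary borrowing the names taskmgr.exe or explorer.exe while running from somewhere other than the real Windows binaries' directories, and lookups of the reported C2 hostname. The script below is an added example, not code from Proofpoint or from the article; the key=value log format and the sample lines are constructed, the expected directories assume a default C:\Windows layout, and treating an .exe spawned by WINWORD.EXE as suspicious is a general heuristic rather than something the report states.

```python
import ntpath
import re
from typing import Dict, List

# C2 hostname from the report; the defanged "[.]" is restored so it compares
# against a real DNS log field.
DEFRAY_C2_HOST = "defrayable-listings.000webhostapp.com"

# Names the dropped Defray binary masquerades as, per the report.
MASQUERADED_NAMES = {"taskmgr.exe", "explorer.exe"}

# Where the genuine Windows binaries of those names live on a default install
# (assumption: standard C:\Windows layout; adjust for your estate).
EXPECTED_DIRS = {
    "taskmgr.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
}

# Office host from which an embedded package executable would be launched
# (assumption: the lure is a Word document, as in the reported campaigns).
OFFICE_HOSTS = {"winword.exe"}

# key=value pairs; a value runs until the next " key=" or end of line, so
# paths containing spaces (e.g. "Program Files") survive parsing.
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value ...' log line into a dict."""
    return dict(_KV.findall(line.strip()))


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _dirname(path: str) -> str:
    return ntpath.dirname(path).lower().rstrip("\\")


def check_event(fields: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one parsed event (empty if nothing matched)."""
    findings: List[str] = []
    event = fields.get("event", "")
    if event == "process_create":
        image = fields.get("image", "")
        name, folder = _basename(image), _dirname(image)
        # Rule 1: a system binary name running outside its expected directory.
        if name in MASQUERADED_NAMES and folder not in EXPECTED_DIRS[name]:
            findings.append(f"{name} running from unexpected directory {folder}")
        # Rule 2 (heuristic): an executable launched directly by the Office host.
        parent = _basename(fields.get("parent", ""))
        if parent in OFFICE_HOSTS and name.endswith(".exe"):
            findings.append(f"executable {name} spawned by Office host {parent}")
    elif event == "dns":
        # Rule 3: lookup of the C2 hostname named in the report.
        if fields.get("query", "").lower().rstrip(".") == DEFRAY_C2_HOST:
            findings.append(f"DNS lookup of reported Defray C2 host {DEFRAY_C2_HOST}")
    return findings


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the rules over a list of log lines and return one record per finding."""
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        fields = parse_line(line)
        for finding in check_event(fields):
            hits.append({"line": n, "host": fields.get("host", "?"), "finding": finding})
    return hits


# Constructed sample telemetry: two benign events, one dropped binary launched from
# Word out of a Temp folder, one matching DNS lookup, one unrelated lookup.
SAMPLE_LOG = [
    r"2017-08-22T10:13:58Z host=WS01 event=process_create image=C:\Windows\explorer.exe parent=C:\Windows\System32\userinit.exe",
    r"2017-08-22T10:14:03Z host=WS01 event=process_create image=C:\Users\alice\AppData\Local\Temp\taskmgr.exe parent=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
    r"2017-08-22T10:14:05Z host=WS01 event=dns query=defrayable-listings.000webhostapp.com",
    r"2017-08-22T10:14:09Z host=WS02 event=process_create image=C:\Windows\System32\taskmgr.exe parent=C:\Windows\explorer.exe",
    r"2017-08-22T10:14:12Z host=WS02 event=dns query=www.example.com",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']} host={hit['host']}: {hit['finding']}")
```

Running the script reports the Temp-folder taskmgr.exe twice (wrong directory, and spawned by WINWORD.EXE) and the C2 lookup once, while the genuine explorer.exe and taskmgr.exe launches produce nothing. The directory check is the more robust of the process rules: a renamed dropper can pick any name, but it cannot write into System32 without elevation, so pairing the name with its expected path catches the masquerade the report describes.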