Defray Malware: A New Ransomware

Defray, a new but small strain of ransomware, has been spotted by researchers targeting companies in the education and healthcare verticals.

Researchers with Proofpoint, who spotted two attacks dropping the ransomware, one on Aug. 15 and one on Aug. 22, say the malware is uncommon and may not be destined for large-scale attacks.

The researchers took the name of the malware from the hostname of its command-and-control server: defrayable-listings[.]000webhostapp[.]com

In one campaign, the Word document purported to come from a UK-based hospital’s Director of Information Management and Technology. In the other, the Word document billed itself as coming from a UK-based aquarium with international locations – likely SEA LIFE, an aquarium with locations in Birmingham, Brighton, and Manchester, and additional locations in the U.S., Australia, and China.

In both cases the malware came as an embedded executable, an OLE packager shell object, inside the document. If a user double-clicks through, the ransomware, disguised as taskmgr.exe or explorer.exe, is dropped and installed.
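Because the payload borrows the names of two Windows binaries, a defender can look for those names running from folders where Windows never installs them. The following is an added example, not code from the article or from Proofpoint: the event fields, hosts and drop folders are constructed, and treating Word as the parent process is an assumption.

```python
import ntpath

# Legitimate install folders for the two names the article says Defray uses.
EXPECTED_DIRS = {
    "taskmgr.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}
# Assumption: the lure document is opened in Word, so Word is the parent to watch.
OFFICE_PARENTS = {"winword.exe"}

# Constructed process-creation events; hosts, users and drop folders are made up.
SAMPLE_EVENTS = [
    {"host": "HOST-A", "image": r"C:\Windows\System32\taskmgr.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "HOST-B", "image": r"C:\Users\alice\AppData\Local\Temp\taskmgr.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"host": "HOST-C", "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe"},
    {"host": "HOST-D", "image": r"C:\ProgramData\explorer.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

def check_event(event):
    """Return findings for one event: name/path mismatch, then parent context."""
    image = ntpath.normpath(event["image"]).lower()
    name = ntpath.basename(image)
    folder = ntpath.dirname(image)
    findings = []
    if name in EXPECTED_DIRS and folder not in EXPECTED_DIRS[name]:
        findings.append(f"{name} running from unexpected folder {folder}")
        parent = ntpath.basename(event.get("parent_image", "").lower())
        if parent in OFFICE_PARENTS:
            findings.append(f"spawned by {parent}")
    return findings

def scan(events):
    """Return (host, findings) for every event that has at least one finding."""
    return [(e["host"], f) for e in events if (f := check_event(e))]

if __name__ == "__main__":
    for host, findings in scan(SAMPLE_EVENTS):
        print(host, "; ".join(findings))
```
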

Ransom notes dropped throughout the victim’s machine ask for $5,000, but as the researchers point out, several email addresses, presumably belonging to the cybercriminal, Igor Glushkov, are included so the victims can either “negotiate a smaller ransom or ask questions.”

Please see the source below if you need more information.

Source: Defray Ransomware Seen Targeting Education, Healthcare Industry | Threatpost | The first stop for security news

Mohamad El Hout, MBA, M.Eng., CISSP

Mohamad is an entrepreneur and a Senior Security Consultant dealing with the design and delivery of standard and complex security gateway solutions, covering a wide range of cutting edge technologies. His interests include business, technology, leadership, sports, and the continuous pursuit of knowledge.
