A New Emerging Ransomware Attack called “Defray” Distributing through Microsoft Word Document and send it through Phishing Email Campaign.
According to this Defray Ransomware functionality and communication, potentially targeting Healthcare and Education industries.
Defray Ransomware mainly Targeting geographic location is UK and US where it can target Manufacturing and Technology industries as well.
Defray Name selected and Named by proofpoint based on the Ransomware variant C&C Server communication “defrayable-listings[.]000webhostapp[.]com” hostname .
The verb “defray” means to provide money to pay a portion of a cost or expense, although what victims are defraying in this case is unclear.
Defray Ransomware Attack spreading Functionality
Initially, Victim Receiving An Email that contains an attached Malicious Word Document with Embedded Executable specifically an OLE package shell object.
Malicious Word Document looks like a Patents Medical report that belongs to UK hospital logo which came from the Director of Information Management & Technology at the hospital.
Malicious Embedded Word Document
Later, It forced to Victim to Double click on the Executable to initiate the Process.
Once Victims Double Click the Embedded Executable, as usual, the ransomware is dropped with a name such as taskmgr.exe or explorer.exe in the %TMP% folder and executed.
It will Alert the to Victims that your files are encrypted After its successful execution of the ransomware.
Defray Ransomware notes
This ransomware creates FILES.TXT (Figure 3) in many folders throughout the system. HELP.txt, with identical content to FILES.txt, also appeared on the Desktop folder where we executed the ransomware.
According to Ransomware notes, Attacker Demand $5000 to recover the files as a Bitcoin Digital Currency.
The attacker also provides an Email ID for Any further questions, Doubts, negotiation for the Recovery Process.
Defray can able to encrypt following file Extensions.
.001 | .3ds | .7zip | .MDF | .NRG | .PBF | .SQLITE | .SQLITE2 | .SQLITE3 | .SQLITEDB | .SVG | .UIF | .WMF | .abr | .accdb | .afi | .arw | .asm | .bkf | .c4d | .cab | .cbm | .cbu | .class | .cls | .cpp | .cr2 | .crw | .csh | .csv | .dat | .dbx | .dcr | .dgn | .djvu | .dng | .doc | .docm | .docx | .dwfx | .dwg | .dxf | .fla | .fpx | .gdb | .gho | .ghs | .hdd | .html | .iso | .iv2i | .java | .key | .lcf | .matlab | .max | .mdb | .mdi | .mrbak | .mrimg | .mrw | .nef | .odg | .ofx | .orf | .ova | .ovf | .pbd | .pcd | .pdf | .php | .pps | .ppsx | .ppt | .pptx | .pqi | .prn | .psb | .psd | .pst | .ptx | .pvm | .pzl | .qfx | .qif | .r00 | .raf | .rar | .raw | .reg | .rw2 | .s3db | .skp | .spf | .spi | .sql | .sqlite-journal | .stl | .sup | .swift | .tib | .txf | .u3d | .v2i | .vcd | .vcf | .vdi | .vhd | .vmdk | .vmem | .vmwarevm | .vmx | .vsdx | .wallet | .win | .xls | .xlsm | .xlsx | .zip
“Defray has been observed communicating with an external C&C server via both HTTP and HTTPS, to which it will report infection information.”
Finally, Defray Encrypt the files and disabling startup recovery and deleting volume shadow copies.