carbonite logo

Commonly searched topics:

backupcloud backupaccount sign in

Article · Sep 6, 2017

Defray ransomware targets healthcare and manufacturing sectors

Defray ransomware targets healthcare and manufacturing sectors

Color illustration of laptop screen showing a security warning.

A newly-discovered ransomware virus known as "Defray" is seeking to maximize attackers' profits by going after specific industry verticals.

The cybercriminals responsible for distributing Defray ransomware have used customized email  messages and infected attachments to target users in the healthcare and manufacturing sectors, according to researchers at Proofpoint, a cybersecurity software company.

"On August 22, Proofpoint researchers detected an email campaign targeted primarily at healthcare and education involving messages with a Microsoft Word document containing an embedded executable," Proofpoint wrote in a blog post. "If the potential victim double clicks on the embedded executable, the ransomware is dropped with a name such as taskmgr.exe or explorer.exe in the TMP folder and executed."

The phony emails instruct recipients to double click what appears to be a video. When the user clicks, the ransomware attack begins.

Defray uses a hardcoded list of file extensions to determine which of the victim's files to encrypt. The ransomware then displays a ransom note demanding $5,000 from victims. Those affected by the ransomware can contact the attackers via a provided email address to ask questions or attempt to negotiate a smaller ransom payment. But there's no guarantee the perpetrators will feel compassion for the victim. And even if attackers do agree to lower their demands, Defray could still cause other problems.

"After encryption is complete, Defray may cause other general havoc on the system by disabling startup recovery and deleting volume shadow copies," Proofpoint explained on their website. "On Windows 7 the ransomware monitors and kills running programs with a GUI, such as the task manager and browsers. We have not observed the same behavior on Windows XP."

Are small-scale ransomware attacks the future?
The tactic of using customized email messages and small-scale attacks to target specific verticals may be a sign of things to come, according to Kevin Epstein, vice president of the Threat Operations Center at Proofpoint.

"Ransomware is about return on investment: making money at minimal cost," Epstein told ZDNet. "Attackers have found that highly customized messages offer better financial return on their campaigns—something marketers have been using for decades to improve response rates."

Businesses and individuals can prevent a ransomware infection by using anti-virus software, applying the latest security patches to IT systems, and avoiding questionable emails, links and attachments. It's also important to back up your computers and servers in case all else fails.

For more news and information on the battle against ransomware, visit the homepage today.


David Bisson

David Bisson is an infosec news junkie and security journalist. He currently works as Contributing Editor for Graham Cluley Security News, Associate Editor for Tripwire's "The State of Security" blog, and Contributing Author to Metacompliance Ltd. and OASIS Open. David hopes his writing will help protect users against online threats, especially ransomware.

Related content