Defray Ransomware demands $5,000, then suggests victims backup their data

A newly documented ransomware strain called Defray is making minor inroads by targeting firms in the healthcare, education, manufacturing and technology sectors, and its ransom note taunts the victim's IT department.

Defray first appeared on August 15, according to a Proofpoint report. Although it has been used in only a few attacks, the ransomware has several interesting characteristics, chief among them that the campaigns are highly targeted and rely on carefully crafted social engineering to lure victims. The first attacks used a malicious Microsoft Word document containing an embedded OLE packager shell object (an object that wraps an executable and runs it when the recipient double-clicks its icon), with the email purporting to come from the hospital's IT director. A second series of attacks, aimed at the manufacturing and technology sectors, posed as a buyer from a UK-based aquarium requesting an "order/quote". In each case the lure used the proper logos and letterhead.
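The delivery vector above, a Word document carrying an embedded OLE "Package" object, is something a mail gateway or analyst can triage without running the file. The following is an added example, not code from the article or from Proofpoint, that checks a .docx for the two indicators of a Packager object: an `o:OLEObject` element in `word/document.xml` whose `ProgID` is `Package`, and an embedded OLE container under `word/embeddings/` that holds the `\x01Ole10Native` stream in which Packager stores the wrapped file. It assumes the lure was an OOXML (.docx) file; the article does not say whether the attachments were .docx or legacy binary .doc, and the latter is a single OLE container that would need a full CFB parser. The sample documents are constructed inline for the demonstration, not recovered from a real Defray campaign.

```python
# Added example: triage a .docx for an embedded OLE Packager ("Package") object.
# Assumes the OOXML (.docx) container; a legacy .doc needs a CFB parser instead.
import io
import zipfile
import xml.etree.ElementTree as ET

O_NS = "urn:schemas-microsoft-com:office:office"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Magic bytes of an OLE2/CFB container, which every word/embeddings/*.bin is.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# CFB directory entries store stream names as UTF-16LE; a Packager object keeps
# the wrapped file (often an .exe) in a stream named "\x01Ole10Native".
OLE10NATIVE = "\x01Ole10Native".encode("utf-16-le")


def find_embedded_packages(docx_bytes):
    """Return (indicator, detail, extra) tuples for Packager-style objects."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        if "word/document.xml" in names:
            root = ET.fromstring(zf.read("word/document.xml"))
            # The document XML names each object's ProgID; "Package" is the
            # Packager shell object, which can wrap an arbitrary file.
            for obj in root.iter("{%s}OLEObject" % O_NS):
                progid = obj.get("ProgID", "")
                if progid.split(".")[0].lower() == "package":
                    findings.append(("ProgID", progid, obj.get("{%s}id" % R_NS)))
        for name in sorted(names):
            if not name.startswith("word/embeddings/"):
                continue
            data = zf.read(name)
            # Byte-level check that does not depend on the XML being honest.
            if data.startswith(OLE_MAGIC) and OLE10NATIVE in data:
                findings.append(("Ole10Native", name, len(data)))
    return findings


def is_suspicious(docx_bytes):
    return bool(find_embedded_packages(docx_bytes))


def build_sample_docx(with_package):
    """Constructed minimal .docx for the demonstration; not a real lure."""
    doc = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s" xmlns:o="%s" xmlns:r="%s"><w:body><w:p><w:r>'
        % (W_NS, O_NS, R_NS)
    )
    if with_package:
        doc += ('<w:object><o:OLEObject Type="Embed" ProgID="Package" r:id="rId1"/>'
                '</w:object>')
    else:
        doc += "<w:t>Quarterly IT policy update</w:t>"
    doc += "</w:r></w:p></w:body></w:document>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
            'package/2006/content-types"/>',
        )
        zf.writestr("word/document.xml", doc)
        if with_package:
            # Stub OLE container: correct magic plus the Ole10Native stream name
            # where a directory entry would sit. Not a valid CFB file, only
            # enough to exercise the byte-level check above.
            stub = OLE_MAGIC + b"\x00" * 504 + OLE10NATIVE + b"\x00" * 64
            zf.writestr("word/embeddings/oleObject1.bin", stub)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        label = "package lure" if flag else "benign doc"
        print(label, find_embedded_packages(build_sample_docx(flag)))
```

Both checks are deliberately independent: an attacker can strip or mangle the `ProgID` attribute in the XML while the binary embedding still loads, so the raw stream scan catches what the XML does not, and a `Package` ProgID with no matching embedding is itself worth a closer look.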

Once a system is infected, a ransom note appears demanding a $5,000 payment, along with a good deal of extraneous information. The note invites the victim to use the included email address to negotiate a better price, and warns that the attackers may be too busy to check that mailbox regularly.

“In case we don't respond to an email within one day, download an application called BitMessage and reach to us for the fastest response,” the note says.

The ransom note also carries a message for the IT staff likely to be tasked with dealing with the attack. In it the attackers claim that no decrypter can be written for the ransomware and list the different layers of encryption it uses. The developers are also quite proud of their work, claiming it is written in C++ and has passed several quality control tests.

The final line offers some useful, if unwelcome, advice: keep offline backups of your systems so this cannot happen again.