Cylance vs. Defray Ransomware

Background

Defray is a highly targeted ransomware attack that may have gone relatively unnoticed amid other big-name attacks happening around the world.

Defray is sophisticated, not only in its malicious capabilities, but also in its extremely focused phishing and social engineering campaigns that our Threat Guidance Team observed.

Specifically attacking targets in the Healthcare industry, Defray includes very detailed information in the weaponized Word document to trick the victim into launching its payload. The document contains thoroughly researched information intended to create an attack that looks very legitimate.

In addition, this weaponized document was designed to circumvent internal security education efforts by never showing an “Enable Macro” button. Instead, a YouTube play icon is placed in the middle of the document in an attempt to coax the user into clicking on it to see the content (see Figure 1).

Figure 1: The Weaponized Word Document With the “YouTube-Style” Malware Execution Button

Once the victim has been tricked into launching the malware, the results are quite damaging and very expensive; the ransom request is $5000 per user successfully phished.

With the typically very large employee counts in both the Healthcare and Education industries, $5000 per victim adds up very quickly.

Why is Defray Ransomware an Important Issue and Why Should I be Concerned?

The sophistication behind the phishing attack Defray uses is most concerning. The malware strives to learn as much as possible about the target in order to provide them enough reassurance so they won’t be suspicious of the document being emailed to them.

In typical phishing campaigns, we commonly see customized emails trying to get users to open the attachment; in this case, however, not only the email but also the attachment is customized. The name, (Read more...)

This is a Security Bloggers Network syndicated blog post authored by The Cylance Team. Read the original post at: Cylance Blog