Threat Spotlight: Defray Ransomware Hits Healthcare and Education

Defray is a sophisticated, high-priced ransomware attack aimed at very specific victims in the Healthcare and Education sectors.


One could be forgiven for not having heard of Defray in recent news. With the world's attention on WannaCry, Petya/Not-Petya/Petya-Like, and the return of Locky and Globe Imposter, the focus has been squarely on widespread chaos campaigns, whose aim is to garner headlines and make money.

Defray differentiates itself by moving on specific targets in the healthcare industry, and doing so in such a way that data destruction may be its most important goal. Especially in healthcare, there is a need to be ever vigilant, as things like patient records, monitoring machines, and ultimately entire hospital operations could be affected.

We’re seeing more targeted attacks aimed at certain industries, and we expect this trend to continue in the years to come.

Tech Analysis

The community was made aware of the ransomware termed Defray when our colleagues over at Proofpoint published an article on it.

In our analysis, we will discuss the Word document sample 71089d862e3bb4c3a351252fcd6d9018866c265707508ed397f3efcdf3702723. This sample drops an executable file with hash 08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.

This infection document is tailor-made to act as a sophisticated phishing lure. In this type of social engineering, the goal is to know one's target well enough to reassure them so that they never become suspicious of the document's source.

Defray's author has even gone so far as to research the organization the fake document claims to originate from. The name, job title, and organization details included in the document are all legitimate, in an effort to make the victim feel that this is a document they should be expecting to receive.

Figure 1: Infection Document

The YouTube-style play button may seem out of place, but the other (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog