Defray Ransomware Targeting Education and Healthcare Organizations

“A single spear-phishing email carrying a slightly altered malware can bypass multi-million-dollar enterprise security solutions if an adversary deceives a cyber-hygienically apathetic employee into opening the attachment or clicking a malicious link and thereby compromising the entire network.”

James Scott, Senior Fellow, Institute for Critical Infrastructure Technology

Last week, a ransomware called Defray was seen targeting a select group of elite organizations and demanding $5,000 upon infection. It is a file-encoder Trojan written in C++ that uses an advanced cryptographic algorithm.


The name Defray is based on the command-and-control server host in the first traced attack: ‘defrayable-listings’.

It is also known by another name, Glushkov Ransomware. The name may be a reference to the ‘[email protected],’ ‘glushkov®tutanota.de,’ and ‘[email protected]’ email accounts that are used to spread the threat and to contact the hacker.

It was distributed in two small, selective attacks and is recognized as a great crypto threat. The threat is being likened to the Petya and WannaCry strains.

According to reports, the threat mostly targets the networks of hospitals and educational institutions and encrypts their data.

The first attacks were aimed at healthcare and education organizations, while the other targeted manufacturing and technology institutions.

How is it Spreading?


The installer used to spread the malware is a Word document that contains an embedded executable video clip (OLE packager shell object).

When the recipient tries to play the embedded video, which is actually an image, Defray Ransomware is installed and activated. After installation, it starts encrypting data and then displays a ransom note declaring that you must pay a ransom to regain access.
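One way a mail gateway or triage script could flag the delivery mechanism described above. This is an added example, not code from the original article or from any vendor. It assumes the attachment is an OOXML file (.docx/.docm) and uses byte-pattern heuristics rather than a full compound-file parser; the function names, size cap, extension list and the constructed sample are illustrative assumptions.

```python
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")          # OLE compound-file header
NATIVE_STREAM = "\x01Ole10Native".encode("utf-16-le")  # stream name used by Packager objects
MAX_PART = 32 * 1024 * 1024                            # assumed cap on bytes read per part
RISKY_NAME = re.compile(                               # assumed list of risky extensions
    rb"[\w .\-]{1,64}\.(?:exe|scr|com|pif|bat|cmd|js|vbs|hta|lnk)\x00", re.I)


def scan_ooxml(data: bytes) -> list[dict]:
    """Return one finding per embedded OLE part inside an OOXML document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if "/embeddings/" not in info.filename.lower():
                continue
            with zf.open(info) as fh:
                blob = fh.read(MAX_PART)  # bounded read guards against zip bombs
            if not blob.startswith(OLE_MAGIC):
                continue  # e.g. an embedded .xlsx, not an OLE compound file
            names = {m.group(0)[:-1].decode("latin-1") for m in RISKY_NAME.finditer(blob)}
            findings.append({
                "part": info.filename,
                "packager": NATIVE_STREAM in blob,
                "has_pe_header": b"MZ" in blob and b"This program cannot be run" in blob,
                "risky_names": sorted(names),
            })
    return findings


def is_suspicious(finding: dict) -> bool:
    """Quarantine rule: a Packager object that names or contains an executable."""
    return finding["packager"] and (finding["has_pe_header"] or bool(finding["risky_names"]))


def build_sample(with_payload: bool) -> bytes:
    """Constructed test input: a minimal ZIP shaped like a .docx, with inert bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_payload:
            ole = (OLE_MAGIC + b"\x00" * 64 + NATIVE_STREAM + b"\x00" * 16
                   + b"patient_report.exe\x00" + b"inert placeholder bytes")
            zf.writestr("word/embeddings/oleObject1.bin", ole)
    return buf.getvalue()
```

Legacy binary .doc files are themselves compound files, so they would need a real OLE parser rather than this ZIP walk.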

Phishing emails and targeted spear-phishing emails are used to attract office employees, who are then forced to read the infected document. The emails are addressed to individuals or groups and consist of messages specially designed to lure the targets.

The campaign first took place on Aug 15, targeting manufacturing and technology professionals. It continued on Aug 22, when another campaign was launched and fake emails were sent to healthcare and educational organizations. This email contained a patient report from a supposed Director of Information Management and Technology at a hospital.


These bogus emails give an open invitation to the malware, and it gets installed on machines. It’s like welcoming a vampire into your house and then allowing him to have your blood.


After all this, a ransom note appears on your desktop, and the victim is asked to pay $5,000 in the form of Bitcoins.

The ransom note can be found in two files named ‘Files.TXT’ and ‘HELP.TXXR’, and it concludes:

“This is custom developed ransomware, decrypter won’t be made by an antivirus company. This one doesn’t even have a name. It uses AES-256 for encrypting files, RSA-2048 for storing encrypted AES-256 password and SHA-2 for keeping the encrypted file integrity. It’s written in C++ and have passed many quality assurance tests. To prevent this next time use offline backups.”

Source: tripwire

Defray Ransomware encrypts files with the following extensions:

.001, .3ds, .7zip, .MDF, .NRG, .PBF, .SQLITE, .SQLITE2, .SQLITE3, .SQLITEDB, .SVG, .UIF, .WMF, .abr, .accdb, .afi, .arw, .asm, .bkf, .c4d, .cab, .cbm, .cbu, .class, .cls, .cpp, .cr2, .crw, .csh, .csv, .dat, .dbx, .dcr, .dgn, .djvu, .dng, .doc, .docm, .docx, .dwfx, .dwg, .dxf, .exe, .fla, .fpx, .gdb, .gho, .ghs, .hdd, .html, .iso, .iv2i, .java, .key, .lcf, .lnk, .matlab, .max, .mdb, .mdi, .mrbak, .mrimg, .mrw, .nef, .odg, .ofx, .orf, .ova, .ovf, .pbd, .pcd, .pdf, .php, .pps, .ppsx, .ppt, .pptx, .pqi, .prn, .psb, .psd, .pst, .ptx, .pvm, .pzl, .qfx, .qif, .r00, .raf, .rar, .raw, .reg, .rw2, .s3db, .skp, .spf, .spi, .sql, .sqlite-journal, .stl, .sup, .swift, .tib, .txf, .u3d, .v2i, .vcd, .vcf, .vdi, .vhd, .vmdk, .vmem, .vmwarevm, .vmx, .vsdx, .wallet, .win, .xls, .xlsm, .xlsx, .zip.

Source: enigmasoftware


All these ransomware attacks are a warning to stay protected and aware. We should avoid opening emails received from anonymous sources or from senders we are not sure about. We should not open every attachment that we receive in an email. Also, from a security point of view, an updated antivirus should be installed on your machine.
