Bitcoin Ransomware Education: Defray

A few industries are more prone to cyber attacks than others. Criminals are purposefully targeting the healthcare and education sectors as a way to improve their chances of scoring a big payday. According to Proofpoint researchers, the Defray ransomware family plays a large role in this new wave of attacks. Although there have only been two small attacks so far, there is plenty of reason to be concerned about what this ransomware family can achieve.

Defray Ransomware is a Big Problem

It was only a matter of time until cybercriminals started targeting the healthcare and education sectors again. We have seen various attacks against hospitals and schools over the past few years. Most of those ransomware distribution campaigns netted the criminals thousands of dollars, all of which was paid in Bitcoin. It now appears the criminals are back with a new tool, identified as Defray ransomware. It is quite a problematic development, even though there have only been two very small campaigns involving this malware so far.

The name “Defray” was not chosen randomly by researchers either. Though developers may have given it a different name, researchers refer to this family as Defray due to the name of the command & control server being used to communicate with the malware. This server appears to reside on the 000WebHostApp domain for the time being, although it may very well be taken down in the coming weeks. A centralized server makes it a bit easier for security researchers to combat ransomware outbreaks, even though it remains a tedious process.

So far, the distribution of this particular payload shows some intriguing and worrisome characteristics. First of all, it is distributed through Microsoft Word documents sent out through email campaigns, which is not surprising. However, we are not talking about massive waves of spam emails, but rather controlled amounts of messages. Recipients reside in the UK and the U.S. for the most part, which is pretty significant. It goes to show the developers are putting a lot of work into distributing the ransomware to their intended targets rather than going after consumers worldwide.

Once a victim downloads and executes a Microsoft Word attachment, the malware payload will be installed on the system. The victims will see a file called FILES.TXT in virtually every folder on their computer systems, which contains information on how they can restore file access. It appears victims are asked to get in touch with the criminals via email using one of three different email addresses. There is also an option to communicate through the BitMessage application if needed.

Right now, victims are asked to make a ransom payment of US$5,000 in Bitcoin. Given the current Bitcoin price, that means they will pay slightly over 1.15 BTC. Although the Bitcoin amount itself is pretty low, a US$5,000 payment is still quite substantial for any affected company. It may be possible to negotiate a smaller amount depending on how the communication with the criminals evolves. Interestingly, the ransom note also mentions how the infected victims should maintain offline backups of their files to prevent future attacks of this magnitude. This does feel like salt in the wound for victims. 

The Defray ransomware is a professionally developed ransomware strain. It is unclear if it uses any source code from other projects which have made a name in the past. The ransom note claims that this payload is custom-tailored to infect one’s particular system, which would make it incredibly difficult to come up with a free decryption tool. It is far less obnoxious compared to most malware attacks, which also makes it a much bigger threat for enterprises and companies in specific industries. It will be interesting to see if this malware is successful in the long run, though.