New sophisticated ransomware carries a high price tag

Payments associated with a new ransomware attack are larger than those linked to past variants of malware that have held computers and data captive.

Data threat researchers at security vendor Proofpoint have analyzed new ransomware they call “Defray” that so far has been used to selectively target a small number of healthcare, education, manufacturing and technology businesses. The name for this virus comes from the server host name in the first attack: defrayable-listings[.]000webhostapp[.]com

The malware is spread by Microsoft Word document attachments in emails; the lures are customized to appeal to the intended set of victims, with targets being either individuals or distribution lists such as websupport@.

The ransomware, delivered through a phishing attack where an employee clicks on an email believed to be legitimate, is targeted toward specific individuals. In the healthcare industry, this could easily happen if an individual receives an email about a patient referral, says Patrick Wheeler, director of threat intelligence at Proofpoint. The targeted individual opens the email and an attachment, which then runs a script that installs malware.

Following encryption, Defray also can disable startup recovery and delete volume shadow copies, as well as kill running programs with a GUI, such as the task manager and browsers, on Windows 7 machines. Attacks are targeted at organizations in the United States and United Kingdom.
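As an added example that is not from the article or from Proofpoint, the following check scans constructed process-creation log lines for the two recovery-tampering behaviours described above (shadow-copy deletion and disabling startup recovery), which are worth alerting on because they precede the point where backups become the only way out. The utilities matched (vssadmin, wmic, bcdedit) are the standard Windows ones and are an assumption; the article does not say which commands Defray runs.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events in a simplified Sysmon-like key=value layout.
# Sample lines for illustration only, not telemetry from a real Defray infection.
SAMPLE_EVENTS = [
    "EventId=1 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe notes.txt",
    "EventId=1 ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin.exe delete shadows /all /quiet",
    "EventId=1 ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe Image=C:\\Windows\\System32\\bcdedit.exe CommandLine=bcdedit.exe /set {default} recoveryenabled no",
    "EventId=1 ParentImage=C:\\Windows\\System32\\services.exe Image=C:\\Windows\\System32\\svchost.exe CommandLine=svchost.exe -k netsvcs",
]

# Command-line patterns for the two behaviours the article attributes to Defray.
# Assumption: the common Windows utilities are used; the article does not name them.
RULES: Dict[str, "re.Pattern[str]"] = {
    "shadow_copy_deletion": re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "startup_recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
}

# key=value pairs whose values may contain spaces; a value ends where the next key begins.
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a dict."""
    return {k: v for k, v in _FIELD.findall(line)}


def find_recovery_tampering(events: List[str]) -> List[Tuple[str, str, str]]:
    """Return (rule, parent_image, command_line) for every event matching a rule.

    The parent image is kept because a recovery-tampering command spawned by an
    executable in a user's Temp directory is a much stronger signal than the same
    command run by an administrator's shell.
    """
    hits: List[Tuple[str, str, str]] = []
    for line in events:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                hits.append((name, ev.get("ParentImage", ""), cmd))
    return hits


if __name__ == "__main__":
    for rule, parent, cmd in find_recovery_tampering(SAMPLE_EVENTS):
        print(f"[{rule}] parent={parent} cmd={cmd}")
```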

The ransom is $5,000 to be paid in bitcoin. All personal and business documents, backups and projects are encrypted by the malware.

So far, these attacks are small in scale and limited to probably less than 20 healthcare organizations, Wheeler says. But the ransom is considerably higher than normal. The more targeted an attack is, the higher the cost can be. A $5,000 ransom is definitely on the high side and affects the ability of some victims to pay it, Wheeler adds, but the sophistication of the ransomware also has a large impact on an organization’s ability to mitigate the attack, which could increase odds of organizations simply paying the ransom.


Defray likely is not for sale, Proofpoint researchers believe, and appears to be for personal use of specific threat actors, “making its continued distribution in small, targeted attacks more likely.”

In messages sent to organizations, the ransomers are gentler than most others. The ransom note begins with, “Don’t panic, read this and contact someone from IT department.” Recipients also are told to “write us” if they have questions, doubts, want to negotiate or want to make sure that they can get their files back, with three email addresses included.

Those distributing the ransomware further add a specific message to the information technology department that also offers advice to avoid being hit again. “This is custom developed ransomware; a decrypter won’t be made by an antivirus company. This one doesn’t even have a name. It uses AES-256 for encrypting files, RSA-2048 for storing encrypted AES-256 password and SHA-2 for keeping the encrypted file integrity. It’s written in C++ and has passed many quality assurance tests. To prevent this next time, use offline backups.”
