Defray Attacks Highlight Trends in Ransomware Campaigns

Written by

In August, California based cyber researchers reported on a series of ransomware attacks executed with a previously unidentified strain of malicious software. The virus, called ‘Defray’ by its criminal coders, is a customized ransomware program that encrypts all files contained on a victim’s hard drive upon download and execution. 

Two distinct, highly targeted campaigns were detected, affecting groups in both the UK and the United States. The first was aimed primarily at healthcare and education organizations. The second targeted manufacturing and technology companies. 

The characteristics of the attacks were all largely the same. Attackers designed custom phishing emails to target workers within the various organizations. For instance, employees in UK hospitals were sent messages containing titles such as ‘patient reports’, while workers at a British aquarium received emails containing graphics with images of marine wildlife. 

All emails contained Word documents containing the virus that recipients were asked to download in the email text. Victims that did open the malicious files then received a pop-up message on their desktop informing them that their files had been encrypted.

The message explained that the key to the encryption would be delivered in exchange for a bitcoin ransom, in some cases as high as $5000. The messages concluded by offering email addresses through which to contact the criminals in order to pay or ‘negotiate’. 

We’ve Seen this Before
The recent Defray campaigns mirror the WannaCry attacks from last May, which was one of the largest cyber-attacks in history and certainly one of, if not the, largest ransomware campaign ever. During the attacks, which affected over 200,000 servers worldwide, critical infrastructure was the target of choice for hackers. 

It’s an Effective Strategy
There are two reasons why a hacker would target large public service organizations. First, is the leverage factor. Criminals know that they can solicit larger ransoms from institutions that are providing often vital facilities to the public.

Second is vulnerability. Security protocols including program patches and basic system updates are often overlooked in the massive bureaucratic managing of these institutions. Indeed, in the WannaCry epidemic, forensics undertaken by a Russian based firm revealed that nearly all of the victimized computers were running unsupported versions of the Windows operating system. No doubt that the perpetrators of the recent Defray attacks took a que from the success of WannaCry. 

These latest Defray attacks highlight the profile of the organization most at risk for being targeted with ransomware: namely institutions that provide a public service or other vital commodity. 

These attacks also underscore the need for these institutions to prepare for the possibility of attack and set up contingencies by backing up vital data on external databases. Educating employees of these institutions on how to detect phishing attempts and on best practices regarding safe file download will also help defend against the next concerted ransomware campaign.

What’s hot on Infosecurity Magazine?