A new strain of ransomware—dubbed Defray—has been found targeting a select group of industries, demanding $5,000 from infected victims.
Security researchers at Proofpoint, who discovered the strain, warned they’ve observed two “small and selective targeted attacks” distributing the ransomware this month.
According to Proofpoint’s analysis, one campaign aimed primarily at healthcare and education organizations, while the other targeted the manufacturing and technology verticals.
The malware is currently being spread through a Microsoft Word document containing an embedded executable – specifically, an OLE packager shell object, researchers said.
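As an added defender-side example (not code from Proofpoint or the article), the following Python check inspects a .docx for an embedded OLE object whose ProgID is "Package", the OLE Packager shell object described above; the function names and the constructed sample archive are assumptions for demonstration.

```python
import io
import re
import zipfile
from typing import Dict

# Relationship type Word uses for embedded OLE objects (ECMA-376 Office Open XML).
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def inspect_docx(docx_bytes: bytes) -> Dict[str, object]:
    """List embedded OLE parts and count OLE Packager ("Package") objects in a .docx."""
    findings: Dict[str, object] = {"ole_parts": [], "packager_objects": 0}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        rels_name = "word/_rels/document.xml.rels"
        if rels_name in names:
            rels = zf.read(rels_name).decode("utf-8", "replace")
            for m in re.finditer(r"<Relationship\b([^>]*)/?>", rels):
                attrs = m.group(1)
                if OLE_REL_TYPE in attrs:
                    target = re.search(r'Target="([^"]+)"', attrs)
                    if target:
                        findings["ole_parts"].append("word/" + target.group(1))
        if "word/document.xml" in names:
            doc = zf.read("word/document.xml").decode("utf-8", "replace")
            # ProgID="Package" marks the OLE Packager shell object (an arbitrary embedded file).
            findings["packager_objects"] = len(re.findall(r'ProgID="Package"', doc))
    return findings


def is_suspicious(docx_bytes: bytes) -> bool:
    """Flag only Packager objects; other OLE parts are reported for triage, not flagged."""
    return inspect_docx(docx_bytes)["packager_objects"] > 0


def build_sample(with_packager: bool) -> bytes:
    """Constructed minimal .docx-like archive for demonstration only (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        rels = '<?xml version="1.0"?><Relationships>'
        body = "<w:document><w:body><w:p>hello</w:p>"
        if with_packager:
            rels += f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/>'
            body += '<w:object><o:OLEObject Type="Embed" ProgID="Package" r:id="rId5"/></w:object>'
            # Placeholder OLE compound-file header bytes followed by padding (constructed).
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
        zf.writestr("word/_rels/document.xml.rels", rels + "</Relationships>")
        zf.writestr("word/document.xml", body + "</w:body></w:document>")
    return buf.getvalue()
```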
Each campaign consists of only a handful of messages, with highly customized lures tailored to their intended set of potential victims. The emails are addressed to individuals or to distribution lists such as group@ and websupport@.
An August 15 campaign attempted to trick manufacturing and technology professionals into opening a “presentation” from a representative of a global UK-based aquarium.
Meanwhile, an August 22 campaign delivered a bogus email to healthcare and education organizations, containing a “patient report” from an alleged Director of Information Management & Technology at a hospital.
If the malware is successfully installed, a ransom note appears in several folders throughout the system, as well as the computer’s desktop. It orders victims to contact someone from IT and asks for a $5,000 payment in Bitcoin.
Several email addresses are also included in case victims would like to negotiate a lower payout or have any questions. The ransom note concludes:
“This is custom developed ransomware, decrypter won’t be made by an antivirus company. This one doesn’t even have a name. It uses AES-256 for encrypting files, RSA-2048 for storing encrypted AES-256 password and SHA-2 for keeping the encrypted file integrity. It’s written in C++ and have passed many quality assurance tests. To prevent this next time use offline backups.”
Given the very small, targeted scale of the campaigns, researchers suspect Defray is not being offered for sale and is instead used exclusively by specific threat actors.