Researchers observed a new, albeit small and selective ransomware campaign earlier this month targeting both education and healthcare verticals. The ransomware, dubbed Defray, comes hidden in rigged Microsoft Word document attachments, sent via email.

Researchers with Proofpoint, who spotted two attacks dropping the ransomware – one on Aug. 15, one on Aug. 22, say that while uncommon, the malware may not be destined for large-scale attacks.

Researchers took the name of the malware from the name of its command and control server hostname: defrayable-listings[.]000webhostapp[.]com

In one campaign the Word document purported to come from a UK-based hospital’s Director of Information Management and Technology. In the other, the Word doc billed itself as coming from a UK-based aquarium with international locations – likely SEA LIFE, an aquarium with locations in Birmingham, Brighton, and Manchester, with additional locations in the U.S., Australia, and China.

In both situations the malware came in an embedded executable, an OLE packager shell object. If a user double clicks through, the ransomware, disguised as taskmgr.exe or explorer.exe, is dropped and installed.

The attacker asks for $5,000 in ransom notes dropped throughout the victim’s machine but as the researchers point out, several email addresses, presumably of the cybercriminal – Igor Glushkov – are included so the victims can either “negotiate a smaller ransom or ask questions.”

Researchers said they didn’t get into the specifics of the encryption routine but noticed it encrypts a hardcoded list of file types but doesn’t change the file extension names. Concerning, researchers say, is the fact the ransomware can be quite meddlesome after its finished encrypted files. On Windows 7 Defray will keep track of running programs, like the task manager or any browsers open, and kill them with a GUI. Researchers said they saw the ransomware disable startup recovery and delete any volume shadow copies, something that could draw the ire of admins as well.

Because only two targeted attacks were identified, researchers posit the ransomware may not be for sale and instead could be being used privately, either as a licensed entity or as a service. For that reason it’s less likely Defray will propagate on a larger scale, although it could continue to be used in limited, targeted attacks, researchers suggest.

Researchers at Black Hat last month debuted an add-on Windows driver and filesystem that could eventually help users thwart ransomware attacks like Defray. The tool, ShieldFS, devised by Italian researchers, detected more than a dozen ransomware strains 97 percent of the time. While not yet available to the general public, ShieldFS blocks malware when it’s detected. A separate feature meanwhile allows original files stored on a hard drive to be preserved and recovered later on.

Categories: Malware