![]() ![]() exe encrypted that were not on this list). The ransomware contains a hardcoded list of file extensions, shown below, for files that it will encrypt (although we observed others such as. At the same time, they also recommend that organizations maintain offline backups to prevent future infections. ![]() However, the actors do provide email addresses so that victims can potentially negotiate a smaller ransom or ask questions, and even go so far as to recommend BitMessage as an alternative for receiving more timely responses. The ransom note shown in Figure 3 follows a recent trend of fairly high ransom demands in this case, $5000. HELP.txt, with identical content to FILES.txt, also appeared on the Desktop folder where we executed the ransomware. To alert the victim that their computer has been infected and that their files are encrypted, this ransomware creates FILES.TXT (Figure 3) in many folders throughout the system. If the potential victim double clicks on the embedded executable, the ransomware is dropped with a name such as taskmgr.exe or explorer.exe in the %TMP% folder and executed. In the August 15 campaign, the attachment used a lure referencing a UK-based aquarium with international locations (Figure 2), and purported to be from a representative of the aquarium.įigure 2: Word document attachment, presentation.doc, delivered in malicious email messages This was similar to a campaign observed by Proofpoint researchers on August 15 targeting Manufacturing and Technology verticals and involving messages with the subject “Order/Quote” and a Microsoft Word document containing an embedded executable (also an OLE packager shell object). In the screenshot shown in Figure 1, the attachment uses a UK hospital logo in the upper right (not shown) and purports to be from the Director of Information Management & Technology at the hospital.įigure 1: The Word document, patient_report.doc, delivered in malicious email messages On August 22, Proofpoint researchers detected an email campaign targeted primarily at Healthcare and Education involving messages with a Microsoft Word document containing an embedded executable (specifically, an OLE packager shell object). Vertical targeting varies by campaign and is narrow and selective.The recipients are individuals or distribution lists, e.g., and Geographic targeting is in the UK and US.The lures are custom crafted to appeal to the intended set of potential victims.The campaigns are as small as several messages each. ![]() ![]() Defray is currently being spread via Microsoft Word document attachments in email.The distribution of Defray malware has several notable characteristics: We selected the name “Defray” based on the command and control (C&C) server hostname from the first observed attack:ĭefrayable-listings000webhostappcomĬoincidentally, the verb defray means to provide money to pay a portion of a cost or expense, although what victims are defraying in this case is unclear. One was primarily aimed at Healthcare and Education verticals another targeted Manufacturing and Technology verticals. So far in August, we have observed only two small and selectively targeted attacks distributing this ransomware. Proofpoint threat researchers recently analyzed Defray Ransomware, a previously undocumented ransomware strain. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |