Defray is a very highly targeted ransomware attack that may have gone relatively unnoticed with other big-name attacks happening around the world.
Defray is sophisticated, not only in its malicious capabilities, but also in its extremely focused phishing and social engineering campaigns that our Threat Guidance Team observed.
Watch CylancePROTECT® in action against Defray Ransomware:
VIDEO: CylancePROTECT vs. Defray
Specifically attacking targets in the Healthcare industry, Defray includes very detailed information in the weaponized Word document to trick the victim into launching its payload. The document contains thoroughly researched information intended to create an attack that looks very legitimate.
In addition, this weaponized document was designed to circumvent internal security education efforts by never showing an “Enable Macro” button. Instead, a YouTube play icon is placed in the middle of the document in an attempt to coax the user into clicking on it to see the content (See below).
Figure 1: The Weaponized Word Document With the "YouTube-Style" Malware Execution Button
Once the victim has been tricked into launching the malware, the results are quite damaging and very expensive; the ransom request is $5000 per user successfully phished.
With typically very large employee counts for both Healthcare and Education industries, $5000 per victim, adds up very quickly.
The sophistication behind the phishing attack Defray uses is most concerning. The malware strives to learn as much as possible about the target in order to provide them enough reassurance so they won’t be suspicious of the document being emailed to them.
In normal phishing types of campaigns, we commonly see customized emails trying to get users to open the attachment; however, in this case not only is the email customized, but also the attachment. The name, job title, and organization details included in the document are all legitimate in an effort to make the victim feel like this is a document they should be expecting to receive. (See figure above. In the document, the victim’s full name and title are used as a footer to add a sense of legitimacy).
While it may be odd to see a YouTube play button in a Word document, the other details are in place to reassure the victim that it came from a legitimate source.
In the case of Defray, the executable payload is not a macro script, but rather simply built as an OLE attachment. This circumvents employee training done to educate on document macros – in this case, there is no warning for the victim.
Once the user clicks on the YouTube play icon, the malware is executed. Of course, there is a warning that pops up saying that “explorer.exe” is attempting to run (read our technical blog for a full breakdown on this and to see what the victim sees, as well as what’s happening in the backend).
The warning itself looks like normal behavior, especially if the user is viewing some sort of external information that was linked to in the document and is used to seeing these types of warning dialog boxes.
After the user clicks Run, the malware begins its destruction.
First, it deletes all the Windows restore points and restricts the ability for the user to run Task Manager. After a ransomware attack like this, a user may try to repair their system via the last known good restore point. By deleting the restore points, the user will be unable to accomplish local restoration. In addition, all locally stored backup catalogs are removed if the user was using Windows Backup – making online backups unavailable.
The malware also instructs the system to ignore boot failures on future boots and disables automatic repair efforts. The malware modifies the system configuration to ensure that the computer will not standby or sleep whether on battery or not to ensure that malware has enough time to complete all of its tasks.
These steps are in place to make sure that the user can get back into the system and see that they are still ransomed.
Now that the end user can’t affect any sort of recovery on their own, they will quickly realize that they are in over their head and likely reach out to security and IT. Because of this action, the malware takes many additional steps to make incident response extremely difficult.
All of the local event logs are wiped, even going as far as wiping the journal logging which monitors file creation, deletion, modification, etc.
In the end, the victim’s files are encrypted and text files containing the ransom note are created. The ransom note is written in an almost friendly tone, asking the victim to contact IT and suggesting that questions and negotiation for a lower price may be possible. Provided are two encrypted email sources, a mail.ru address, and a BitMessage identity for "fastest response."
The message to IT spells out the specific algorithms used and claims the development is advanced enough to deter local decryption attempts. It ends with a “helpful” suggestion to use offline backups in the future.
In the case of the Defray ransomware, we saw a different introduction vector; however, whether malware is introduced to the system by another program, service, or even by a user, CylancePROTECT’s patented pre-execution engine prevents the infection of your computer by not allowing the malware to execute.
CylancePROTECT with Optics™ gives unprecedented visibility into attacks, reveals hard-to-find threats, and provides simply focused root cause analysis.