A unique variant of ransomware that appears to have been designed for and used against health care companies was recently uncovered by a researcher at cybersecurity firm Proofpoint.
While most ransomware is sent out in waves to as many people as possible, Proofpoint’s findings instead show that a hacker is carefully developing specially tailored ransomware attacks for hospitals and doctor’s offices. The company has labeled the malware Defray.
“At this point, all attacks into which we have visibility have been targeted,” said Kevin Epstein, vice president of threat operations at Proofpoint. “It appears that this ransomware is not for sale, suggesting that it is a personal project.”
Proofpoint found only two samples of the Defray ransomware in August. Those samples, however, likely represent only a fraction of all incidents involving this malware.
Defray has been spread through a small email phishing campaign. The emails contain booby-trapped Microsoft Word documents with embedded executables. When opened, the Defray-laden attachments call back to the attacker’s command and control (C&C) server, which then sends a ransomware payload to the victim’s computer. In the known incidents, these attachments were titled “patient_report.doc” or “presentation.doc.”
“Of the two campaigns we observed, health care was the top target, followed by education, technology, and manufacturing,” Epstein said.
The ransomware was named Defray because the hacker’s C&C server hostname is “defrayable-listings[.]000webhostapp[.]com.”
In most cases, when ransomware infects a computer it encrypts files, making them inaccessible to the victim. The scheme usually focuses on compelling a payment from the victim in exchange for an unlocked system. Defray works in the same fashion.
“To alert the victim that their computer has been infected and that their files are encrypted, this ransomware creates FILES.TXT (Figure 3) in many folders throughout the system,” a blog post by Proofpoint reads.
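The three indicators the article reports (the lure attachment names, the C&C hostname, and the FILES.TXT ransom note dropped across many folders) can be turned into simple triage checks. The following is an added example, not Proofpoint's code; the mail-gateway and proxy log formats and all log lines are constructed for illustration, and the defanged hostname is re-armed only so it can be matched in logs.

```python
import re
from pathlib import PurePosixPath

# Indicators reported in the article. The hostname is defanged ("[.]") in the
# write-up; it is re-armed here solely for matching against proxy logs.
DEFRAY_C2_HOST = "defrayable-listings.000webhostapp.com"
DEFRAY_LURE_NAMES = {"patient_report.doc", "presentation.doc"}
DEFRAY_RANSOM_NOTE = "FILES.TXT"

# Constructed sample records in a hypothetical gateway/proxy format (not real data).
MAIL_LOG = [
    'ts=2017-08-15T09:12:03Z from=billing@example.invalid to=nurse@hospital.example attach="patient_report.doc"',
    'ts=2017-08-15T09:13:40Z from=hr@hospital.example to=staff@hospital.example attach="schedule.xlsx"',
    'ts=2017-08-15T09:15:22Z from=events@example.invalid to=dean@univ.example attach="Presentation.doc"',
]
PROXY_LOG = [
    "2017-08-15T09:14:10Z 10.0.4.21 GET http://defrayable-listings.000webhostapp.com/ 200",
    "2017-08-15T09:14:12Z 10.0.4.22 GET https://www.example.org/news 200",
]
FILE_LISTING = [  # constructed listing of a workstation after infection
    "/home/nurse/Documents/FILES.TXT",
    "/home/nurse/Documents/report.docx",
    "/home/nurse/Pictures/FILES.TXT",
    "/home/nurse/Pictures/scan01.jpg",
]

_ATTACH_RE = re.compile(r'attach="([^"]+)"')
_URL_HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def lure_attachments(mail_lines):
    """Return (log line, attachment name) pairs whose attachment matches a reported Defray lure name.
    Matching is case-insensitive because Windows file names are."""
    hits = []
    for line in mail_lines:
        m = _ATTACH_RE.search(line)
        if m and m.group(1).lower() in DEFRAY_LURE_NAMES:
            hits.append((line, m.group(1)))
    return hits


def c2_contacts(proxy_lines):
    """Return the set of client IPs that requested the reported Defray C&C host."""
    clients = set()
    for line in proxy_lines:
        m = _URL_HOST_RE.search(line)
        if m and m.group(1).lower() == DEFRAY_C2_HOST:
            clients.add(line.split()[1])  # second field is the client IP in this constructed format
    return clients


def ransom_note_folders(paths):
    """Return folders containing the FILES.TXT ransom note; Defray drops it in many folders."""
    return {str(PurePosixPath(p).parent) for p in paths
            if PurePosixPath(p).name.upper() == DEFRAY_RANSOM_NOTE}
```

A single lure attachment name is a weak signal on its own; a workstation that both contacted the C&C host and holds the note in several folders is the case worth escalating first.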
After a computer is successfully infected, Defray will cause a prompt to appear that asks for $5,000 worth of anonymous currency. The figure is high in comparison to other ransomware variants, but it may be only a starting point for negotiations. The message also contains contact information for the hacker to communicate with prospective victims.
“Defray Ransomware is somewhat unusual in its use in small, targeted attacks,” according to Proofpoint. “Although we are beginning to see a trend of more frequent targeting in ransomware attacks, it still remains less common than large-scale ‘spray and pray’ campaigns.”