Ransomware campaigns are usually wide-flung affairs: the attackers send out as many malicious emails as possible and hope to hit a substantial number of targets. But more targeted campaigns are also becoming a trend.
Targeting different verticals
Take for example the latest ones spotted by Proofpoint researchers in August: one was primarily aimed at Healthcare and Education verticals, while the other targeted Manufacturing and Technology companies.
In both cases, the campaigns targeted UK and US organizations, and consisted of a few custom crafted emails, made to appeal to the intended set of potential victims and to carry a Word file booby-trapped with an embedded executable.
Healthcare orgs were hit with a file named “patient_report”, supposedly sent by the Director of Information Management & Technology at a UK hospital, while the emails aimed at Manufacturing and Technology verticals had “Order/Quote” in the subject line, and “presentation” as the booby-trapped Word file name.
Opening the file and double clicking the embedded executable resulted in the dropping of the ransomware on the target system.
The Defray ransomware
In the ransom note, the malware was not given a name. Proofpoint researchers named it Defray, based on the C&C server hostname.
If the attackers are to be believed, Defray “uses AES-256 for encrypting files, RSA-2048 fo storing encrypted AES-256 password and SHA-2 for keeping the encrypted file integrity.”
The researchers are yet to investigate the specifics of the encryption routine, but apparently the malware effectively encrypts a wide variety of file types, but does not add specific file extensions to them.
“After encryption is complete, Defray may cause other general havoc on the system by disabling startup recovery and deleting volume shadow copies,” they pointed out.
“On Windows 7 the ransomware monitors and kills running programs with a GUI, such as the task manager and browsers. We have not observed the same behavior on Windows XP.”
The attackers are asking for quite a bit of money to restore the encrypted files: $5,000. They’ve also provided contact email addresses and a BitMessage account for the victims to contact them and ask questions or even negotiate.
It’s interesting to note that the healthcare-targeting campaign was spotted on August 22, and the NHS Lanarkshire – a Scottish health board that runs several hospitals in Monklands, Wishaw General and Hairmyres – had its operations partially crippled by a “cyber attack” that started on August 25.
All that is publicly known so far is that the disruption is the effect of malware, but not which one.
The researchers noted that it’s likely that Defray is not for sale, but is meant for the personal use of specific threat actors, meaning that small, targeted campaigns like these ones may be in our future.