Image: Proofpoint
A newly discovered form of ransomware is targeting organisations with tailored phishing emails, demanding a huge ransom from unfortunate victims.
The ransomware has been dubbed 'Defray' by researchers at Proofpoint, who uncovered it. The name is based on that of the command-and-control server hostname in the first observed attack -- 'defrayable-listings'.
It's an appropriate name for this new ransomware strain, because to 'defray' means to provide money to pay a cost or expense, and the malware demands $5,000 to be paid in Bitcoin in exchange for decrypting the files. This is a much higher fee than is charged by most forms of ransomware.
The campaign is primarily targeting healthcare and education organisations in the US and UK. However, attacks have been seen in the manufacturing and technology sectors; other types of organisations -- including an aquarium -- have also been affected.
Like many ransomware attacks, the campaign uses phishing emails with a Microsoft Word attachment in order to distribute the malicious payload. But rather than using mass spamming, like other forms of ransomware, those behind Defray are customising messages for specific targets, with some campaigns consisting of only a handful of emails.
One particular campaign targeting an unnamed hospital purported to be from the Director of Information Management & Technology, and attempted to distribute ransomware via an infected Word file claiming to contain patient reports -- complete with the hospital's logo in the document.
Image: Proofpoint
Attackers used similar tactics in an effort to infect targets in the manufacturing and technology sectors, sending emails supposedly containing quotes about a deal, with the malicious executable once again in a Word document.
Those behind Defray even specifically customised a campaign to target a UK-based aquarium, with a lure purporting to be from a representative at one of its international locations.
Image: Proofpoint
These examples show that the attackers are putting time and effort into preparing their nefarious schemes, indicating that Defray is the work of a highly organised cyber criminal operation.
It's unclear whether any of the targeted organisations actually became infected with Defray, but the ransomware will deploy and execute if the victim double-clicks on the executable file within the Word document. The victim's files are then encrypted and a ransom note is presented.
The note tells the victim to "read this and contact someone from the IT department" and details what ransomware is and what has happened. The section of the note designed to be read by IT professionals also claims that the ransomware uses AES-256 cryptography and that there's no way of getting files back without paying the $5,000 ransom.
Impudently, the note also recommends that the victim use offline backups to "prevent this next time".
To pay the ransom, the victim is asked to contact one of three email addresses -- one Swiss, one Russian, or one German -- or to contact the attackers via BitMessage "in case we don't respond within one day".
In addition to holding files hostage, researchers warn that Defray can also disable startup recovery and delete shadow copies of files. On Windows 7 the ransomware also monitors and kills running programs with a GUI, such as the task manager and browsers, although this behaviour isn't replicated on Windows XP.
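The article says Defray disables startup recovery and deletes shadow copies but does not name the commands it uses to do so. The following detection example is added here and is not code from the article or from Proofpoint's research; it assumes (my assumption, not a statement of the page) that these actions are carried out with the usual Windows built-ins (vssadmin, wmic shadowcopy, bcdedit, wbadmin), and runs simple rules over constructed process-creation records laid out like flattened Sysmon Event ID 1 entries. The file name Patient_Reports.exe and the user jdoe are hypothetical stand-ins. It goes slightly beyond the page by correlating hits per parent process, so that a single process that both removes shadow copies and disables recovery stands out from an administrator merely listing shadow copies.

```python
import re
from collections import defaultdict

# Constructed sample events (my own data, not telemetry from the article), one per line,
# in a simplified key=value layout: timestamp, image, parent image and command line.
# Quoted values may contain spaces. "Patient_Reports.exe" is a hypothetical dropped payload.
SAMPLE_EVENTS = r'''
ts=2017-08-24T10:02:11Z image="C:\Windows\System32\vssadmin.exe" parent="C:\Users\jdoe\AppData\Local\Temp\Patient_Reports.exe" cmd="vssadmin delete shadows /all /quiet"
ts=2017-08-24T10:02:12Z image="C:\Windows\System32\bcdedit.exe" parent="C:\Users\jdoe\AppData\Local\Temp\Patient_Reports.exe" cmd="bcdedit /set {default} recoveryenabled No"
ts=2017-08-24T10:02:12Z image="C:\Windows\System32\bcdedit.exe" parent="C:\Users\jdoe\AppData\Local\Temp\Patient_Reports.exe" cmd="bcdedit /set {default} bootstatuspolicy ignoreallfailures"
ts=2017-08-24T10:15:40Z image="C:\Windows\System32\vssadmin.exe" parent="C:\Windows\System32\cmd.exe" cmd="vssadmin list shadows"
ts=2017-08-24T10:16:02Z image="C:\Windows\System32\wbem\WMIC.exe" parent="C:\Windows\System32\cmd.exe" cmd="wmic shadowcopy delete"
ts=2017-08-24T10:20:00Z image="C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" parent="C:\Windows\explorer.exe" cmd="WINWORD.EXE /n C:\Users\jdoe\Downloads\Patient_Reports.doc"
'''

# key=value pairs; a value is either a double-quoted string or a run of non-whitespace.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Rule families mapped to command-line patterns. These are the standard Windows tools used
# to destroy recovery options; the article does not confirm which ones Defray invokes.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("startup_recovery_disabled", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("startup_recovery_disabled", re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
]

# A parent binary living under a user-writable profile directory is a stronger signal than
# the same command typed into an administrator's shell.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\", re.I)


def parse_events(text):
    """Turn the key=value lines into a list of dicts."""
    events = []
    for line in text.strip().splitlines():
        fields = {}
        for m in FIELD.finditer(line):
            fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        if fields:
            events.append(fields)
    return events


def detect(events):
    """Return one finding per event whose command line matches a rule family."""
    findings = []
    for ev in events:
        cmd = ev.get("cmd", "")
        parent = ev.get("parent", "")
        for family, pattern in RULES:
            if pattern.search(cmd):
                findings.append({
                    "ts": ev.get("ts", ""),
                    "rule": family,
                    "parent": parent,
                    "cmd": cmd,
                    "parent_in_user_dir": bool(USER_WRITABLE.search(parent)),
                })
                break  # first matching family is enough for one event
    return findings


def correlate(findings):
    """Group findings by parent process and keep only parents that hit at least two
    distinct rule families, i.e. a ransomware-like pre-encryption sequence."""
    by_parent = defaultdict(set)
    for f in findings:
        by_parent[f["parent"]].add(f["rule"])
    return {parent: sorted(rules) for parent, rules in by_parent.items() if len(rules) >= 2}


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for f in found:
        flag = " [parent in user-writable dir]" if f["parent_in_user_dir"] else ""
        print(f"{f['ts']} {f['rule']}: {f['cmd']}{flag}")
    for parent, rules in correlate(found).items():
        print(f"SEQUENCE {parent}: {', '.join(rules)}")
```

On the constructed sample the lone `wmic shadowcopy delete` from cmd.exe produces a single finding, while the payload in the Temp directory is reported as a sequence because it both deleted shadow copies and disabled recovery; on real telemetry the same logic would be fed from Sysmon or Security event 4688 with command-line auditing enabled.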
It's not known who is behind Defray, but researchers note that the group is probably not interested in selling the ransomware on.
"Instead, it appears that Defray may be for the personal use of specific threat actors, making its continued distribution in small, targeted attacks more likely," researchers said.
In the aftermath of the global spread of WannaCry ransomware, and the subsequent Petya outbreak, cyber criminals appear to be putting a lot of effort into developing particularly vicious strains of ransomware.
Researchers recently uncovered a new strain of Spora ransomware which, in addition to extorting a ransom from victims, also steals their credentials.
from Latest Topic for ZDNet in... http://ift.tt/2w48WMf