Light Dark
August 31, 2017 By Larry Loeb 2 min read

A new Defray ransomware variant is attacking at targeted sectors. One notable strike was aimed at health care and education verticals, while the other was aimed at manufacturing and technology.

New Ransomware Strain Capabilities

This type of malware has historically been a wide-ranging attack. But that all changes with the new Defray variant.

Proofpoint reported that its researchers came across Defray in the beginning of August during an attack on U.K. manufacturing and technology verticals. It started with a phishing email, with the sender posing as an aquarium representative. The email had the subject “Order/Quote,” along with a Microsoft Word document that contained an embedded executable and an OLE packager shell object.

This attack consisted only of a few messages in total and had lures that were specifically targeted to the victims. When the executable is clicked, the ransomware is dropped in the victim’s %TMP% folder with a name such as taskmgr.exe or explorer.exe. It is then executed.

No file names are changed in this attack, so the threat actors forgo the typical step of extension-marking encrypted files.

Another Day, Another Campaign

A second campaign, this time specific to health care and education, was discovered at the end of August. The poisoned attachment in this case purported to be from the director of Information Management and Technology from a U.K. hospital.

Proofpoint observed that the malware communicated with the command-and-control (C&C) server using both HTTP (cleartext) and HTTPS. Infection information was sent to the server, which was named Defray. This server became known as an identifier for the malware, rather than an appended extension to the encrypted files.

The researchers also noted that the malware authors provided email addresses to further interact with victims and negotiate ransom amounts. Of course, this is one way that the threat actors can be traced, so it remains to be seen how long these addresses are active.

Defray’s Characteristics

The recipients of the malware are individuals or distribution lists, such as group@ and websupport@, Proofpoint found. The geographic targeting is limited to the U.K. and the U.S. so far.

Proofpoint explained that “it is also likely that Defray is not for sale, either as a service or as a licensed application like many ransomware strains.” Instead, the ransomware could be used by specific threat actors with clear objectives.

As always, having current backups of data and not clicking on unknown attachments — no matter how good the social engineering — will be a proactive response to this threat.

 |  |  |  |  | 
Larry Loeb
Principal, PBC Enterprises

More from

March 4, 2025

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

February 21, 2025

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

February 14, 2025

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature