Friday, May 2, 2025
Beware: New “Defray” Ransomware Attack Spreading Via Microsoft Word Document

A new ransomware family called “Defray” is being distributed through Microsoft Word documents sent in a phishing email campaign.

Based on Defray's functionality and its command-and-control communication, it potentially targets the healthcare and education industries.

Defray's main geographic targets are the UK and US, where it can also hit manufacturing and technology organisations.

The name Defray was chosen by Proofpoint, based on the hostname of the ransomware variant's C&C server, “defrayable-listings[.]000webhostapp[.]com”.

The verb “defray” means to provide money to pay a portion of a cost or expense, although what victims are defraying in this case is unclear.

How the Defray Ransomware Attack Spreads

Initially, the victim receives an email containing a malicious Word document with an embedded executable, specifically an OLE package shell object.

The malicious Word document is dressed up as a patient medical report carrying a UK hospital's logo, purportedly sent by the hospital's Director of Information Management & Technology.

[Image] Malicious embedded Word document

The document then prompts the victim to double-click the embedded executable to start the process.

Once the victim double-clicks the embedded executable, the ransomware is dropped into the %TMP% folder under a name such as taskmgr.exe or explorer.exe and executed.

After the ransomware has run successfully, it alerts the victim that their files have been encrypted.
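An added example (not code from the article or from Proofpoint) of how a defender can check a .docx for the kind of embedded OLE object described above: a .docx is a ZIP archive, embedded objects are stored under word/embeddings/, and word/document.xml references them with an OLEObject element whose ProgID is "Package" for a Packager shell object. The sample document built here is constructed for the demonstration; it is not the Defray lure.

```python
import io
import re
import zipfile

EMBED_DIR = "word/embeddings/"
# Matches <o:OLEObject ... ProgID="..."> in word/document.xml
OLE_RE = re.compile(r'<o:OLEObject\b[^>]*\bProgID="([^"]+)"', re.IGNORECASE)


def inspect_docx(data: bytes) -> dict:
    """Report embedded object parts and the OLE ProgIDs the document references.

    A ProgID of "Package" is the Windows Packager shell object, which can carry an
    arbitrary file (e.g. an .exe) and runs it when the user double-clicks the icon.
    Legacy .doc files are OLE2 containers, not ZIPs, and need a different parser.
    """
    result = {"embeddings": [], "prog_ids": [], "package_object": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["embeddings"] = [n for n in names if n.startswith(EMBED_DIR) and n != EMBED_DIR]
        if "word/document.xml" in names:
            xml = zf.read("word/document.xml").decode("utf-8", "replace")
            result["prog_ids"] = OLE_RE.findall(xml)
    result["package_object"] = any(p.lower() == "package" for p in result["prog_ids"])
    return result


def build_sample_docx(with_package: bool) -> bytes:
    """Constructed minimal .docx-shaped ZIP for the demo (not a real document)."""
    ole = '<o:OLEObject Type="Embed" ProgID="Package" ShapeID="_x0000_i1025" ObjectID="_1"/>'
    body = f'<w:document><w:body><w:p>{ole if with_package else ""}</w:p></w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", body)
        if with_package:
            # Placeholder bytes standing in for an embedded object stream
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(inspect_docx(build_sample_docx(flag)))
```

Any document that reports package_object as True deserves a closer look before a user is allowed to open it; mail gateways can apply the same check to attachments.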

[Image] Defray ransomware notes

This ransomware creates FILES.TXT (Figure 3) in many folders throughout the system. HELP.txt, with identical content to FILES.txt, also appeared on the Desktop folder where we executed the ransomware.

According to the ransom note, the attacker demands $5000, payable in Bitcoin, to recover the files.

The attacker also provides an email address for any further questions, doubts, or negotiation over the recovery process.

Defray is able to encrypt files with the following extensions:

.001 | .3ds | .7zip | .MDF | .NRG | .PBF | .SQLITE | .SQLITE2 | .SQLITE3 | .SQLITEDB | .SVG | .UIF | .WMF | .abr | .accdb | .afi | .arw | .asm | .bkf | .c4d | .cab | .cbm | .cbu | .class | .cls | .cpp | .cr2 | .crw | .csh | .csv | .dat | .dbx | .dcr | .dgn | .djvu | .dng | .doc | .docm | .docx | .dwfx | .dwg | .dxf | .fla | .fpx | .gdb | .gho | .ghs | .hdd | .html | .iso | .iv2i | .java | .key | .lcf | .matlab | .max | .mdb | .mdi | .mrbak | .mrimg | .mrw | .nef | .odg | .ofx | .orf | .ova | .ovf | .pbd | .pcd | .pdf | .php | .pps | .ppsx | .ppt | .pptx | .pqi | .prn | .psb | .psd | .pst | .ptx | .pvm | .pzl | .qfx | .qif | .r00 | .raf | .rar | .raw | .reg | .rw2 | .s3db | .skp | .spf | .spi | .sql | .sqlite-journal | .stl | .sup | .swift | .tib | .txf | .u3d | .v2i | .vcd | .vcf | .vdi | .vhd | .vmdk | .vmem | .vmwarevm | .vmx | .vsdx | .wallet | .win | .xls | .xlsm | .xlsx | .zip

“Defray has been observed communicating with an external C&C server via both HTTP and HTTPS, to which it will report infection information.”

Finally, Defray encrypts the files, disables startup recovery, and deletes volume shadow copies.

“On Windows 7 the ransomware monitors and kills running programs with a GUI, such as the task manager and browsers,” Proofpoint said.
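An added example (not from the article or Proofpoint) of turning the host behaviours described above into a simple process-creation check: a binary named taskmgr.exe or explorer.exe running from outside C:\Windows or from a temp folder, and command lines that delete shadow copies or disable startup recovery. The event field names and the exact vssadmin/wmic/bcdedit command patterns are assumptions for this example, taken from common ransomware tooling rather than from the Defray sample itself; the events are constructed.

```python
import re

# Names the article says the dropped binary uses; they normally live under C:\Windows
MASQUERADE_NAMES = {"taskmgr.exe", "explorer.exe"}
WINDOWS_DIR = "c:\\windows\\"
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Assumed command-line patterns for the behaviours the article names
SHADOW_RE = re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
RECOVERY_RE = re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)


def classify_event(image: str, cmdline: str) -> list:
    """Return the finding tags raised by one process-creation event."""
    img = image.lower().replace("/", "\\")
    name = img.rsplit("\\", 1)[-1]
    findings = []
    if name in MASQUERADE_NAMES and not img.startswith(WINDOWS_DIR):
        findings.append("masquerading-system-binary")
    if any(marker in img for marker in TEMP_MARKERS):
        findings.append("executed-from-temp")
    if SHADOW_RE.search(cmdline):
        findings.append("shadow-copy-deletion")
    if RECOVERY_RE.search(cmdline):
        findings.append("startup-recovery-disabled")
    return findings


def scan_events(events) -> list:
    """Return (image, findings) for every event that raised at least one finding."""
    hits = []
    for e in events:
        findings = classify_event(e["image"], e["cmdline"])
        if findings:
            hits.append((e["image"], findings))
    return hits


# Constructed sample events (assumed "image"/"cmdline" fields, Sysmon-style)
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\taskmgr.exe", "cmdline": "taskmgr.exe"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\taskmgr.exe", "cmdline": "taskmgr.exe"},
    {"image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled No"},
]

if __name__ == "__main__":
    for image, findings in scan_events(SAMPLE_EVENTS):
        print(image, findings)
```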

Image Credits: Proofpoint

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
