Defray ransomware strikes hospitals and companies
Defray virus is a new file-encrypting threat that encrypts the victim's files with the AES-256 algorithm; the AES key itself is then encrypted with RSA-2048. The malware is currently spread mainly in the UK and the US. Here are its main features:
- encrypts data with AES-256 and RSA-2048 algorithm combination
- demands $5000 in ransom
- targets mainly selected companies, education institutions, and hospitals
- spreads via .doc files
- disables startup recovery and monitors Task Manager commands
- deletes shadow volume copies
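Two of the behaviours listed above, deleting shadow volume copies and disabling startup recovery, are visible in process-creation telemetry. The following is an added example (not code from the article or from the malware) of a small Python detector run over constructed sample event lines; the commands it matches are the usual ways of achieving those behaviours on Windows and are assumed here, since the article does not name them.

```python
import re

# Constructed sample process-creation events (not real telemetry and not from the
# article). Assumed line format: "<timestamp> pid=<n> image=<path> cmd=<command line>".
SAMPLE_LOG = """\
2017-08-15T10:01:02Z pid=4120 image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin delete shadows /all /quiet
2017-08-15T10:01:03Z pid=4124 image=C:\\Windows\\System32\\bcdedit.exe cmd=bcdedit /set {default} recoveryenabled No
2017-08-15T10:01:04Z pid=4128 image=C:\\Windows\\System32\\bcdedit.exe cmd=bcdedit /set {default} bootstatuspolicy ignoreallfailures
2017-08-15T10:05:00Z pid=5000 image=C:\\Windows\\System32\\notepad.exe cmd=notepad.exe HELP.txt
2017-08-15T10:06:00Z pid=5010 image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin list shadows
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$")

# Detection rules evaluated on the lower-cased command line. These commands are
# an assumption: they are the common ways of deleting shadow copies and turning
# off startup recovery, which the article attributes to Defray without naming them.
RULES = {
    "shadow_copy_deletion": lambda c: (
        ("vssadmin" in c and "delete" in c and "shadows" in c)
        or ("wmic" in c and "shadowcopy" in c and "delete" in c)),
    "startup_recovery_disabled": lambda c: (
        "bcdedit" in c and "recoveryenabled" in c and c.split()[-1] == "no"),
    "boot_failure_policy_ignored": lambda c: (
        "bcdedit" in c and "bootstatuspolicy" in c and "ignoreallfailures" in c),
}

def parse_line(line):
    """Parse one event line into a dict, or return None for lines that don't fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"])
    return d

def detect(log_text):
    """Return (timestamp, pid, rule_name) for every event that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than failing the whole run
        cmd = ev["cmd"].lower()
        for name, rule in RULES.items():
            if rule(cmd):
                hits.append((ev["ts"], ev["pid"], name))
    return hits
```

Running `detect(SAMPLE_LOG)` flags the first three events and ignores the benign `notepad.exe` and `vssadmin list shadows` lines; in practice the same rules apply to Sysmon Event ID 1 or Windows Security Event ID 4688 command lines.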
Furthermore, the cyber criminals provide three email addresses: firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org.
Though the email domains suggest that the perpetrator might be a Russian speaker, this may be only a diversion, as the ransom note is written in sophisticated and correct English. Despite the warnings in the ransom message, we urge you to remove Defray malware. Reimage, Plumbytes Anti-Malware or Norton Internet Security might be of assistance in this process.
Since the malware does not target all companies globally but only a selected number of them, it is likely that the perpetrator, or a group of them, is organized and attempting to extort money rather than cause global chaos, as was the case with WannaCry and Petya.A.
Many unanswered questions
After a targeted user opens the infected .doc file, they see a counterfeit message that supposedly contains an embedded video. To activate the ransomware, the victim has to launch the video. Since the malware targets hospitals, the file was called “Patient Report.”
Interestingly, the malware was already detected on August 15. At that time, the infected .doc file contained a supposed video presentation. The malware got its name from the request it makes to defrayable-listings.000webhostapp[.]com. In addition, the malware is known to target a number of different file formats. It does not appear to append any distinctive file extension to encrypted files.
Questions about Defray ransomware virus
Defray ransomware also leaves two files, FILES.txt and HELP.txt, with identical content. The message does not contain any exaggerated warning. Here is a short extract of it:
Don’t panic, read this and contact someone from IT department.
Your computer has been infected with a virus known as ransomware. All files including your personal or business documents, backups and projects are encrypted.
Encryption is very sophisticated and without paying a ransom you won’t get your files back.
You could be advised not to pay, but you should anyway get in touch with us.
Ransom value for your files is 5000$ to be paid in digital currency called bitcoins.
If you have questions, write us.
If you have doubts, write us.
If you want to negotiate, write us.
Malware distribution range remains low
Though the distribution range is still quite low, since the crypto-malware targets only selected companies and educational and medical institutions in the US and UK, it still employs quite diverse transmission techniques.
It spreads mainly through spam emails. Thus, beware that the file containing this malware might be named as if it were sent from an official institution. The file may also be named as an invoice. Such emails often lack proper credentials or contain typos.
Note that phishing sites may also facilitate a Defray hijack. To ward off its trojan, you should keep your security tools updated. Having a couple of different types of these programs might be a wiser decision. Now let us proceed to Defray removal.
Get rid of Defray malware
All ransomware developers will warn you not to use any third-party data recovery tools. However, there are alternatives. That said, due to the sophistication of this malware, there is no Defray decrypter available yet.
Nonetheless, remove Defray virus as soon as possible. In case you cannot launch the malware removal utility, you will benefit from the instructions below. Though the threat deletes shadow volume copies, you might restore the data from backup copies. At the very bottom of the page, you will find some recommended tools that may be of use.
To remove Defray virus, follow these steps:
Remove Defray using Safe Mode with Networking
In case the malware prevents you from launching the malware elimination program, reboot Windows in Safe Mode. Then you will be able to complete Defray removal.
Step 1: Reboot your computer to Safe Mode with Networking
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.
Step 2: Remove Defray
Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, remove the malicious files that belong to the ransomware and complete Defray removal.
If the ransomware is blocking Safe Mode with Networking, try the next method.
Bonus: Recover your data
The guide presented above is supposed to help you remove Defray from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.
If your files are encrypted by Defray, you can use several methods to restore them:
What is Data Recovery Pro?
This tool is designed to assist users in retrieving damaged and lost files. It might help recover files affected by Defray virus as well.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by Defray ransomware;
- Restore them.