Defray ransomware is the dangerous cryptovirus that keeps targeting the health-care industry
Defray virus is a ransomware that locks data using AES and RSA encryption algorithms.
Questions about Defray ransomware virus
Defray ransomware is a dangerous virus that seeks to gain profit from various companies (health care industry in particular) by encrypting their data and demanding ransom. After being discovered in 2017, Defray virus came back in November 2018 with a few new distinct features. This highly-targeted cryptovirus is using both AES-256 and RSA-2048 encryption algorithms. Once it finishes its encryption, it displays a personalized !!!_Read_Me_How_To_DeCrypt_Files_!!!.txt ransom note. The most interesting part of the attack is that the text in the ransom note, extension, and email address are tailored to each victim separately.
|Targets||Health Care industry, companies, and businesses|
|File extension||.*** 777 or random characters containing victim's identification|
|Ransom note||!!!_Read_Me_How_To_DeCrypt_Files_!!!.txt; FILES.txt and HELP.txt|
|Encryption method||AES-256 and RSA-4096|
|Elimination||Use antivirus and remove Defray ransomware|
In the beginning, the ransomware was spreading in the UK and the US countries. Its main features included the following:
- encrypts data with the combination of AES-256 and RSA-2048 algorithms;
- demands $5000 in ransom;
- targets preselected companies, education institutions, and hospitals;
- spreads via .doc files;
- disables startup recovery and monitors Task Manager commands;
- deletes shadow volume copies.
Furthermore, the cybercriminals present three email addresses to contact them for files' recovery:
Though email domains suggest that perpetrator might be a Russian speaker, it might be only a diversion as the ransom note is written in the sophisticated and correct English manner. Despite the warnings noted in the ransom message, we urge you to remove Defray ransomware. Reimage might be of assistance in this process and PC repair.
Since the malware does not target all companies globally, but only a selected number of them, it is likely that the perpetrator or a group of them are seeking to extort money rather than cause global chaos as it has been with the cases of WannaCry and Petya viruses. However, there is no doubt that you should take care of Defray removal right after it reveals about itself on your computer system.
Defray ransomware functionality
After a targeted user clicks on the infected .doc file, they will see a counterfeited message supposedly containing an integrated video message. To activate the ransomware, the victims have to launch the video. Since the malware targets hospitals, the file was called “Patient Report.”
Interestingly, the malware was already detected on August 15. At that time, the infected .doc file contained a supposed video including a video presentation. The malware gained its name due to the request command to defrayable-listings.000webhostapp[.]com. Besides, the malware is known to target some different file formats. The malware is not likely to append any exceptional file extensions.
Defray ransomware also leaves two files – FILES.txt and HELP.txt — with the identical content. The message does not contain any exaggerated warning. Here is a short extract of it:
Don’t panic, read this and contact someone from IT department.
Your computer has been infected with a virus known as ransomware. All files including your personal or business documents, backups and projects are encrypted.
Encryption is very sophisticated and without paying a ransom you won’t get your files back.
You could be advised not to pay, but you should anyway get in touch with us.
Ransom value for your files is 5000$ to be paid in digital currency called bitcoins.
If you have questions, write us.
If you have doubts, write us.
If you want to negotiate, write us.
The new version of Defray is tailoring extensions and email addresses to each victim
The latest version of Defray ransomware was discovered in November of 2018. It differs from the previous ransomware variant because it uses a few distinct features to the mix:
- adds .*** 777 file marker to encoded data;
- targets companies in various industries;
- the most recent version focuses on the health-care industry;
- the ransom added on the system Read_Me_How_To_DeCrypt_Files !!!__!!!.txt;
- the email is named according to the victim with the @yandex.ru;
- the ransom message is also personalized to each victim.
The ransom note displays the following:
Don't panic, read this and contact someone from IT department.
Your computer has been infected with a virus known as ransomware.
All files including your personal, confidential or business documents, backups and projects are encrypted.
We have also downloaded all information about your clients including their personal data.
If you want to restore all your files, avoid harm to your reputation (which may lead you to bankrupt), save your Intellectual property and personal data of your clients, you need to make the payment.
Otherwise, all you files including your customer's information, will be posted on the Internet.
We can decrypt for you one of the files (about 50kb) for free, so you have no doubts in data security and possibility to restore the files any time.
After the full payment, all data will be restored on all computers of your network.
We accept payments in Bitcoin.
Make sure to make payment as soon as possible to avoid any penalty.
Don't hesitate to contact us.
Our e-mail: [redacted]@yandex.ru
In case we don't respond to an email within one day, download application called BitMessage and reach to us for the fastest response.
BitMessage identity: BM-2cXL8BPGoPKnTvoUVGDwFXmUoQmkVdzsGm
BitMessage homelink: https://bitmessage.org
This is custom developed ransomware, decrypter won't be made by an antivirus company.
This one doesn't even have a name.
It uses AES-256 for encrypting files, RSA-4096 for storing encrypted AES-256 password.
It's written in C and have passed many quality assurance tests.
IN ORDER TO PREVENT DATA DAMAGE:
– DO NOT MODIFY ENCRYPTED FILES
– DO NOT CHANGE DATA BELOW
Employ reputable anti-malware tools and make sure that Defray ransomware removal is performed properly. You cannot decrypt encoded files, so delete this malware and then try data backups to replace affected files with safe ones. Also, you can check data recovery methods below the article. We have a few tips on virus termination too.
Defray ransomware is a virus that released new variant after more than a year from the initial discovery.
Ransomware spreads via email attachments
Ransomware is a threat that uses silent infiltration techniques and starts malicious processes immediately after infection. It spreads mainly through spam emails. Thus, beware that the file containing this malware might be named as the file supposedly sent from an official institution.
The file may also be named as an invoice. Such emails also contain a lack of proper credentials or typos, but the primary information can be disguised as official PayPal, Amazon or eBay notice with financial documents attached to the email.
Remember that other malware can also be responsible for cyber infections like this. Trojans may get on the system via same malicious macros in MS document. However, many hackers design trojans as ransomware payload distributors.
Eliminate Defray malware and fix virus damage
All ransomware developers will warn you not to use any third-party data recovery tools. However, there are alternatives. Indeed, due to the sophistication of this malware, there is no decryption tool available yet. You need a complete Defray ransomware removal instead.
To remove Defray ransomware you need reputable anti-malware tools like Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes. In case you cannot launch the malware removal utility, you will benefit from the below instructions.
Though the threat deletes shadow volume copies, you might restore the data from backup copies. At the very bottom of the page, you might find some of the recommended tools to be of use.
To remove Defray virus, follow these steps:
Remove Defray using Safe Mode with Networking
In case the malware prevents you from launching malware elimination program reboot Windows in Safe Mode. Then you will be able to complete Defray removal./GI]
[GI=method-2]Also try System Restore feature in Defray ransomware removal
Step 1: Reboot your computer to Safe Mode with Networking
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.
Step 2: Remove Defray
Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Defray removal.
If your ransomware is blocking Safe Mode with Networking, try further method.
Bonus: Recover your dataGuide which is presented above is supposed to help you remove Defray from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.
If your files are encrypted by Defray, you can use several methods to restore them:
What is Data Recovery Pro?
This tool is designed to assist users in retrieving damaged and lost files. It might be helpful in recovering the files affected by Defray virus as well.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by Defray ransomware;
- Restore them.
Windows Previous Version feature is yet another alternative for file backups that you can freely use
If System Restore was enabled before, you could restore files using Windows Previous Versions feature
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
Decryption is not possible
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Defray and other ransomwares, use a reputable anti-spyware, such as Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes