
Defray ransomware virus. How to remove? (Uninstall guide)

Removal guide by Lucia Danes | Type: Ransomware

Defray ransomware strikes hospitals and companies


Defray virus is a new file-encrypting threat which encrypts the victim’s files with the AES-256 algorithm. The AES key itself is encrypted with RSA-2048. The malware is currently spread mainly in the UK[1] and the US. Here are the main features of the malware:

  • encrypts data with AES-256 and RSA-2048 algorithm combination
  • demands $5000 in ransom
  • targets mainly selected companies, education institutions, and hospitals
  • spreads via .doc files
  • disables startup recovery and monitors Task Manager commands
  • deletes shadow volume copies[2]

Furthermore, the cyber criminals present three email addresses:,, and

Though the email domains suggest that the perpetrator might be a Russian speaker, this might be only a diversion, as the ransom note is written in sophisticated and correct English. Despite the warnings in the ransom message, we urge you to remove Defray malware. Reimage, Plumbytes Anti-Malware or Malwarebytes might be of assistance in this process.

Since the malware does not target all companies globally, but only a selected number of them, it is likely that the perpetrator or group behind it is organized and attempts to extort money rather than cause global chaos, as was the case with WannaCry and Petya.A.

Many unanswered questions

After a targeted user clicks on the infected .doc file, they will see a counterfeited message supposedly containing an integrated video message. In order to activate the ransomware, the victims have to launch the video. Since the malware targets hospitals, the file was called “Patient Report.”[3]

Interestingly, the malware was already detected on August 15. At that time, the infected .doc file contained a supposed video including a video presentation. The malware takes its name from the request it sends to defrayable-listings.000webhostapp[.]com. In addition, the malware is known to target a number of different file formats. The malware is not likely to append any exceptional file extensions.


Defray ransomware also leaves two files, FILES.txt and HELP.txt, with identical content. The message does not contain any exaggerated warnings. Here is a short extract of it:

Don’t panic, read this and contact someone from IT department.
Your computer has been infected with a virus known as ransomware. All files including your personal or business documents, backups and projects are encrypted.
Encryption is very sophisticated and without paying a ransom you won’t get your files back.
You could be advised not to pay, but you should anyway get in touch with us.
Ransom value for your files is 5000$ to be paid in digital currency called bitcoins.
If you have questions, write us.
If you have doubts, write us.
If you want to negotiate, write us.
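
The two note files described above make a simple triage indicator for responders sweeping a file share. The following Python sketch is an added example, not part of the original guide or of any vendor tool: it flags directories that hold both FILES.txt and HELP.txt with byte-identical content, and raises confidence when a phrase from the quoted extract is present. The function names, confidence labels and the sample tree are assumptions made for illustration.

```python
import filecmp
import os
import tempfile

NOTE_NAMES = ("FILES.txt", "HELP.txt")  # note file names given in the article
# Phrases copied from the ransom-note extract quoted in the article
MARKERS = ("infected with a virus known as ransomware",
           "ransom value for your files")

def _has_marker(path):
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read(1 << 20).lower()  # notes are small; cap the read
    return any(m in text for m in MARKERS)

def find_note_pairs(root):
    """Return sorted [(directory, confidence)] for dirs holding both notes.

    'high'   = byte-identical pair containing a quoted phrase
    'medium' = byte-identical pair only (wording may differ per campaign)
    Pairs whose contents differ are skipped as likely unrelated files.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if not all(n in files for n in NOTE_NAMES):
            continue
        a, b = (os.path.join(dirpath, n) for n in NOTE_NAMES)
        try:
            if not filecmp.cmp(a, b, shallow=False):
                continue
            level = "high" if _has_marker(a) else "medium"
        except OSError:
            continue  # unreadable file: skip it, keep sweeping
        hits.append((dirpath, level))
    return sorted(hits)

def demo():
    """Scan a constructed directory tree (sample data, not real notes)."""
    note = "Your computer has been infected with a virus known as ransomware.\n"
    layout = {"hr": (note, note), "it": ("a", "b"), "ops": ("same", "same")}
    with tempfile.TemporaryDirectory() as root:
        for rel, contents in layout.items():
            os.makedirs(os.path.join(root, rel))
            for name, content in zip(NOTE_NAMES, contents):
                with open(os.path.join(root, rel, name), "w") as fh:
                    fh.write(content)
        return [(os.path.basename(d), lvl) for d, lvl in find_note_pairs(root)]

if __name__ == "__main__":
    print(demo())
```

File name matching here is case-sensitive; on a case-insensitive Windows volume, compare lowercased names instead.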

Malware distribution range remains low

Though the distribution range is still quite low since the crypto-malware targets only selected companies, educational and medical institutions in the US and UK, it still employs quite diverse transmission techniques.

It spreads mainly through spam emails. Thus, beware that the file containing this malware might be named as if it were sent from an official institution. The file may also be named as an invoice. Such emails also tend to lack proper credentials or contain typos.

Note that phishing sites may also facilitate a Defray infection. In order to ward off its trojan, you should update your security tools. Having a couple of different types of these programs might be a wiser decision. Now let us proceed to Defray removal.

Get rid of Defray malware

All ransomware developers will warn you not to use any third-party data recovery tools. However, there are alternatives. Indeed, due to the sophistication of this malware, there is no Defray Decrypter available yet.

Nonetheless, hurry to remove Defray virus. In case you cannot launch the malware removal utility, you will benefit from the instructions below. Though the threat deletes shadow volume copies, you might restore the data from backup copies[4]. At the very bottom of the page, you might find some of the recommended tools to be of use.


To remove Defray virus, follow these steps:

Remove Defray using Safe Mode with Networking

In case the malware prevents you from launching a malware elimination program, reboot Windows in Safe Mode. Then you will be able to complete Defray removal.


  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Defray

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to the ransomware to complete Defray removal.

If the ransomware is blocking Safe Mode with Networking, try a further method.

Bonus: Recover your data

The guide presented above is supposed to help you remove Defray from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Defray, you can use several methods to restore them:

What is Data Recovery Pro?

This tool is designed to assist users in retrieving damaged and lost files. It might be helpful in recovering the files affected by Defray virus as well.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Defray ransomware;
  • Restore them.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Defray and other ransomware, use a reputable anti-spyware program, such as Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware.

About the author

Lucia Danes - Virus researcher
