UPDATED 00:11 EDT / AUGUST 29 2017


Defray ransomware targets education and healthcare

A newly discovered form of ransomware called Defray targets healthcare and education organizations.

Discovered by the security firm Proofpoint Inc., the ransomware uses a Microsoft Word document containing an embedded executable that infects a victim’s personal computer once the document is opened. Those behind Defray attempt to spread it via a targeted “spear phishing” campaign sent to group email lists at targeted organizations, pretending to be a group distribution mail-out from a senior official. For example, at one hospital, the email pretended to be from the hospital’s information management and technology director.

Once through the door, the ransomware creates files such as taskmgr.exe or explorer.exe in the Windows %TMP% folder and executes, delivering a ransomware message that is presented via a TXT file. The ransomware encrypts a number of files and can also cause other problems on an infected PC, including disabling startup recovery and deleting volume shadow copies.
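The masquerading pattern described above, a file named like a Windows system executable but launched from the user’s temp folder, is something an endpoint or SIEM rule can flag directly. The following is an added example, not code from the article or from Proofpoint: a small Python scanner over constructed process-creation log lines. The log line format (`pid|image path`), the sample events and the expected-location table for the two binary names are assumptions made for the illustration; real telemetry (Sysmon or EDR process events) carries the same fields under different names.

```python
"""Flag process-creation events in which a well-known Windows system binary
name runs from a temporary directory or any other unexpected location.

Added example for illustration; the log format and events are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed expected home directories of the binary names the article mentions.
# Comparison is case-insensitive after normalisation.
EXPECTED_LOCATION = {
    "taskmgr.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Directory components that mark a temp location, both the literal
# environment variable (as some loggers record it) and the expanded form.
TEMP_COMPONENTS = {"temp", "tmp", "%tmp%", "%temp%"}

# Constructed log line format: "<pid>|<image path>", one event per line.
LINE_RE = re.compile(r"^(?P<pid>\d+)\|(?P<image>.+)$")


@dataclass
class Finding:
    pid: int
    image: str
    reason: str


def normalise_path(path: str) -> str:
    """Lower-case, strip surrounding quotes and whitespace, unify slashes."""
    return path.strip().strip('"').replace("/", "\\").lower()


def split_image(image: str) -> Tuple[str, str]:
    """Return (directory, basename) for a normalised image path."""
    directory, _, basename = image.rpartition("\\")
    return directory, basename


def check_event(pid: int, image: str) -> Optional[Finding]:
    """Return a Finding if a watched binary name runs outside its home."""
    directory, basename = split_image(normalise_path(image))
    expected = EXPECTED_LOCATION.get(basename)
    if expected is None:
        return None  # not a name we watch
    if directory == expected:
        return None  # legitimate copy in its normal location
    in_temp = any(part in TEMP_COMPONENTS for part in directory.split("\\"))
    reason = ("system binary name in temp directory" if in_temp
              else "system binary name outside expected directory")
    return Finding(pid, image, reason)


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Parse each log line and collect findings; malformed lines are skipped."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        finding = check_event(int(m["pid"]), m["image"])
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events: two benign, three temp-folder copies (quoted
# path, unexpanded %TMP%, forward slashes), one non-temp oddity, one junk line.
SAMPLE_LOG = """\
4120|C:\\Windows\\explorer.exe
5532|C:\\Windows\\System32\\taskmgr.exe
6008|"C:\\Users\\jdoe\\AppData\\Local\\Temp\\taskmgr.exe"
6100|%TMP%\\explorer.exe
6212|C:/Windows/Temp/explorer.exe
6300|C:\\Program Files\\Vendor\\taskmgr.exe
not a valid event line
""".splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"pid={f.pid} image={f.image} -> {f.reason}")
```

The rule deliberately matches on the directory component rather than a substring, so a folder such as `Templates` does not trip it, and it keys on basename plus expected directory rather than on a hash, because the article notes the dropped files are renamed copies rather than a fixed binary. A hit on its own is a lead, not proof; pair it with the file-creation event that wrote the executable and with the ransom-note TXT drop the article describes.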

Although ransomware demands are usually fairly standard, Defray is notably different. The message claims that the victims should contact their information technology department, demands a $5,000 payment, provides a lecture on how a system should be better-secured — and then just gets weird.

The ransom note includes three different email addresses where the victim can contact the attackers. It notes that the victim can use the email addresses to ask questions or even try to negotiate a better price for the ransom. But the attackers might be too busy to respond, so they offer a way to contact them via a messaging service as well.

Ransomware is a serious problem on a number of fronts. Steve Moore, vice president and chief security strategist at Exabeam Inc., told SiliconANGLE that there is a deep concern about the theft of valid credentials in these sorts of attacks, creating compliance issues in terms of mandatory reporting in the healthcare industry.

“Most of the time, the outcome of an attack is front-page news, but the actual enabler – the installation of desktop malware and the theft of valid credentials – happens silently,” Moore said. “In today’s cybersecurity landscape, it’s always about the credential.”

Moore added that with Defray targeting U.S. hospitals, there are going to be “many questions and concerns among chief privacy officers in the industry. In speaking and working with several, many in the U.S. healthcare systems aren’t aware of the HHS and HIPAA guidance on ransomware incidents — and now the CPO often sits between the requirement to report and the integrity of their investigation, often requiring IT resources they don’t budget for or control.”

Moore concluded that each attack must be reviewed to make sure there was no breach of personal health information because it could represent a reportable breach scenario.
