
Defray Ransomware

By GoldSparrow in Ransomware

The Defray Ransomware is an encryption threat also known as the Glushkov Ransomware: some older versions from 2017 used email addresses containing the string 'Glushkov' in their contacts with the attack's victims. The Defray Ransomware can be quite effective in its attack. Written in C++ and designed to encrypt the victims' files through a combination of the AES and RSA encryption algorithms, this malware makes sure the affected files become inaccessible. It then demands a ransom payment in exchange for the decryption key necessary to restore the affected content.

Over the past three years, Defray has silently evolved into an entire ransomware family, also known as RansomExx and Ransom X. Analysis of the decryptors available from early 2018 shows a consistent encryption and decryption methodology, and shows that the malware authors used Themida to pack the decryptors. Furthermore, the latest research uncovers a relationship between the Defray Ransomware and two other known malware threats: the Vatet Loader and the PyXie Remote Access Tool (RAT). Remnants of all three threats have been detected in several successful ransomware operations against organizations from the healthcare, education, government and financial sectors. A thorough investigation of the Vatet Loader, PyXie and Defray indicated that they are the work of a single group of threat actors, which has been operating since early 2018 and derives its financial means from the same source.

Though little light has been shed on these attacks so far, as the cybercrooks have operated "low and slow," executing the malware entirely in the memory of affected systems, researchers are now bringing the issue to a broader discussion, hoping that any future activities of these threat actors will not again remain under the radar as they have until now.

The Defray Ransomware Infection Chain Involves the Vatet Loader and the PyXie RAT

Analysis of the latest Defray samples from 2020 shows a particular infection chain that includes the Vatet Loader and the PyXie RAT. The threat group has used an evolved version of the Vatet Loader, modifying the original application with various open-source tools. As a result, the first stage of a Defray attack consists of installing a ramped-up Vatet Loader, which then executes a PyXie payload (in some cases, Cobalt Strike is used as well). In the second phase, the threat actors put a tailored version of PyXie, called PyXie Lite, into action to find and exfiltrate potentially sensitive files from the target organization. In some of the incidents, the actors had previously established a foothold on the victim's network through a common banking Trojan, like TrickBot or IcedID. The attack then continues with the deployment of Vatet, PyXie and Cobalt Strike, followed finally by the execution of the Defray Ransomware entirely in the memory of the target system. The ransomware then encrypts files on local drives and file shares before exiting without leaving any traces, except for the catastrophic damage of making crucial files inaccessible and dropping ransom notes in each affected directory.

The First Ransomware Ever with Independent Executables for Both Windows and Linux

Another notable issue concerning the Defray Ransomware is that the threat actors behind it have done something not seen in the ransomware scene before: they have ported the malware from Windows to Linux, making Defray the first ransomware threat ever to have standalone executables for both Windows and Linux. Interestingly, the encryption and decryption processes used in the Windows and Linux Defray variants were absolutely identical. In fact, researchers could even confirm that the encryption and decryption keys for both operating systems were interchangeable. Unlike the Windows versions, however, the Linux samples were not protected and could easily be reverse-engineered. Another major difference is the logic behind the selection of the files to encrypt. Defray for Windows encrypts anything that is not explicitly excluded, while the Linux version only encrypts specified directories.

Defray Ransomware’s Encryption Process

While analyzing a sample, researchers found that Defray has a unique mechanism to prioritize its processes on impacted systems. During execution, it uses SetProcessPriorityBoost, SetThreadAffinityMask and SetThreadPriorityBoost to prioritize its encryption threads, along with multithreading for improved ransomware performance. Killing "undesirable" processes is also part of the Defray workflow, while at the same time the malware creates a list of processes to be excluded from killing. All processes whose path contains the system file path, along with some other processes like werfault.exe, powershell.exe, explorer.exe and rundll32.exe, are on that list. Additionally, to ensure its proper execution, Defray stops a number of Windows services.

Before the encryption begins, Defray enumerates all drives on the system and then goes through each drive to encrypt the target files. Target files are sought on all local drives and on external storage devices connected to the infected PC, as well as on network shares. The Defray Ransomware will encipher files that have the extensions listed below:

.001, .3ds, .7zip, .MDF, .NRG, .PBF, .SQLITE, .SQLITE2, .SQLITE3, .SQLITEDB, .SVG, .UIF, .WMF, .abr, .accdb, .afi, .arw, .asm, .bkf, .c4d, .cab, .cbm, .cbu, .class, .cls, .cpp, .cr2, .crw, .csh, .csv, .dat, .dbx, .dcr, .dgn, .djvu, .dng, .doc, .docm, .docx, .dwfx, .dwg, .dxf, .exe, .fla, .fpx, .gdb, .gho, .ghs, .hdd, .html, .iso, .iv2i, .java, .key, .lcf, .lnk, .matlab, .max, .mdb, .mdi, .mrbak, .mrimg, .mrw, .nef, .odg, .ofx, .orf, .ova, .ovf, .pbd, .pcd, .pdf, .php, .pps, .ppsx, .ppt, .pptx, .pqi, .prn, .psb, .psd, .pst, .ptx, .pvm, .pzl, .qfx, .qif, .r00, .raf, .rar, .raw, .reg, .rw2, .s3db, .skp, .spf, .spi, .sql, .sqlite-journal, .stl, .sup, .swift, .tib, .txf, .u3d, .v2i, .vcd, .vcf, .vdi, .vhd, .vmdk, .vmem, .vmwarevm, .vmx, .vsdx, .wallet, .win, .xls, .xlsm, .xlsx, .zip.

Defray also determines the system's processor type and then decides which complex mathematical operations can be performed and which encryption algorithm can be used for improved performance.

Each attacked file is encrypted with a dynamically generated 32-byte AES key, which, in turn, is encrypted with RSA-4096 and stored in the file footer. The Defray Ransomware then appends a special extension to each encrypted file, consisting of a unique victim identifier and a random eight-digit hexadecimal number, for example ".v1ct1m-1bc461ac". Though Defray tries to encrypt as many files as possible, it also wants to avoid impacting the system's core functionality, so it compares each file against a list of files, folders and file extensions that should not be locked. Some of the excluded folders are:

  • \appdata\locallow\
  • \windows\system32\
  • :\boot\
  • \all users\microsoft\
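As an added triage example (written for this page, not code from the article or from any vendor tool), the Python below applies the naming behaviour described above to a file listing: it flags files that carry a victim-id suffix of the ".v1ct1m-1bc461ac" form, skips the excluded folders, notes still-untouched files with targeted extensions, and spots ransom notes of the "!!!_..._README_!!!.txt" shape the article describes further down, reporting encrypted directories where no note was found. The extension subset, the folder list and the sample paths are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed subset of the extensions the article lists as Defray targets
TARGETED_EXTENSIONS = {".doc", ".docx", ".xlsx", ".pdf", ".sql", ".vmdk", ".vhd", ".raw", ".zip"}
# Folders the article says Defray skips; matched case-insensitively as path substrings
EXCLUDED_FOLDERS = ("\\appdata\\locallow\\", "\\windows\\system32\\", ":\\boot\\", "\\all users\\microsoft\\")
# Appended extension: "." + victim identifier + "-" + eight hex digits, e.g. ".v1ct1m-1bc461ac"
ENCRYPTED_SUFFIX = re.compile(r"\.([A-Za-z0-9]+)-([0-9a-f]{8})$")
# Ransom note: exclamation points, "README" and a reference to the victim's name
RANSOM_NOTE = re.compile(r"^!+_.*README.*_!+\.txt$", re.IGNORECASE)
def split_path(path):
    """Split a Windows or UNC path into (directory, file name)."""
    head, _, name = path.replace("/", "\\").rpartition("\\")
    return head, name

def classify_path(path):
    """Label one path: excluded, ransom_note, encrypted, targeted or other."""
    if any(folder in path.lower() for folder in EXCLUDED_FOLDERS):
        return "excluded"  # Defray leaves these folders alone
    _, name = split_path(path)
    if RANSOM_NOTE.match(name):
        return "ransom_note"
    if ENCRYPTED_SUFFIX.search(name):
        return "encrypted"  # already carries the victim-id suffix
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return "targeted" if ext in TARGETED_EXTENSIONS else "other"
def triage(paths):
    """Summarise a listing: counts per label, victim ids seen, note coverage."""
    counts, victim_ids, encrypted_dirs, note_dirs = Counter(), set(), set(), set()
    for path in paths:
        label = classify_path(path)
        counts[label] += 1
        directory, name = split_path(path)
        if label == "encrypted":
            victim_ids.add(ENCRYPTED_SUFFIX.search(name).group(1))
            encrypted_dirs.add(directory)
        elif label == "ransom_note":
            note_dirs.add(directory)
    # the article says a note is dropped in every affected directory
    return {"counts": dict(counts), "victim_ids": sorted(victim_ids), "note_dirs": sorted(note_dirs),
            "encrypted_dirs_without_note": sorted(encrypted_dirs - note_dirs)}

# Constructed file listing standing in for a real post-incident directory walk
SAMPLE_LISTING = [
    "C:\\Users\\ann\\Documents\\budget.xlsx.v1ct1m-1bc461ac",
    "C:\\Users\\ann\\Documents\\!!!_IMPACTED_Client_README_!!!.txt",
    "\\\\fileserver\\share\\backups\\db.vmdk.v1ct1m-1bc461ac",
    "C:\\Windows\\System32\\drivers\\etc\\hosts", "C:\\Users\\ann\\AppData\\LocalLow\\cache.dat",
    "C:\\Users\\ann\\Pictures\\holiday.raw", "C:\\Users\\ann\\Desktop\\todo.txt",
]
```

Feed `triage()` the output of a directory walk over the affected hosts and shares; the victim id it extracts is the constant part of the suffix and can be used to search other systems for the same infection.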

After encryption is complete, Defray implements some standard anti-forensic measures to remove as much evidence of its presence as possible, while leaving the system and affected files recoverable only through a suitable backup. These measures include the modification of certain registry keys:

  • \Software\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableConfig
  • \SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR
  • \SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig
  • \Software\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
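As an added detection example (not from the article), the Python below checks Sysmon-style registry "value set" records for writes that set any of the four System Restore values listed above to a non-zero DWORD, and groups the hits by the process that wrote them so an analyst can tell a Group Policy refresh from an unknown binary. The event dictionaries, the process paths and the assumed "DWORD (0x...)" rendering of the data are constructed for the demonstration.

```python
import re

# The four System Restore values the article says Defray modifies; hive prefix (HKLM etc.) varies
SYSTEM_RESTORE_VALUES = (
    "\\software\\microsoft\\windows nt\\currentversion\\systemrestore\\disableconfig",
    "\\software\\policies\\microsoft\\windows nt\\systemrestore\\disablesr",
    "\\software\\policies\\microsoft\\windows nt\\systemrestore\\disableconfig",
    "\\software\\microsoft\\windows nt\\currentversion\\systemrestore\\disablesr",
)
# Sysmon renders DWORD data as e.g. "DWORD (0x00000001)" (assumed format, matched loosely)
DWORD_DETAILS = re.compile(r"DWORD \(0x([0-9a-fA-F]+)\)")

def disabled_system_restore(event):
    """Return the matched value path when a Sysmon Event ID 13 record sets one of the
    four values to a non-zero DWORD (i.e. disables System Restore), otherwise None."""
    if event.get("EventID") != 13:          # 13 = RegistryEvent (Value Set)
        return None
    target = event.get("TargetObject", "").lower()
    hit = next((v for v in SYSTEM_RESTORE_VALUES if target.endswith(v)), None)
    if hit is None:
        return None
    m = DWORD_DETAILS.search(event.get("Details", ""))
    if m is None or int(m.group(1), 16) == 0:
        return None                         # reset to 0 re-enables restore: not an alert
    return hit

def scan(events):
    """Group hits by the writing process so an analyst sees which image disabled System Restore."""
    alerts = {}
    for ev in events:
        hit = disabled_system_restore(ev)
        if hit:
            alerts.setdefault(ev.get("Image", "<unknown>"), []).append(hit)
    return alerts

# Constructed Sysmon-style records for the demonstration (not real telemetry)
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\ann\\AppData\\Local\\Temp\\sample.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableSR",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Users\\ann\\AppData\\Local\\Temp\\sample.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableConfig",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 12, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore"},
]
```

Two of these values live under the Policies branch and are legitimately written by Group Policy, so treat the writing image and its parent as the deciding context rather than the key path alone.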

Defray Ransomware’s Unreasonable Ransom Demands

In its initial variants from 2017, the Defray Ransomware demanded a huge ransom of 5000 USD to restore access to the infected files. It was likely that the people responsible for the attack would demand an even bigger amount if they assumed that the targeted computer belonged to a large company. Back then, the Defray Ransomware's ransom note was stored in two text files named 'FILES.TXT' and 'HELP.txt,' dropped in the Windows Documents Library and on the infected computer's desktop. The ransom note used in these older Defray Ransomware attacks read:

'Don't panic, read this and contact someone from IT department.

 Your computer has been infected with a virus known as ransomware.

 All files including your personal or business documents, backups and projects are encrypted.

 Encryption is very sophisticated and without paying a ransom you won't get your files back.

 You could be advised not to pay, but you should anyway get in touch with us.

 Ransom value for your files is 5000$ to be paid in digital currency called Bitcoin.

 If you have questions, write us.

 If you have doubts, write us.

 If you want to negotiate, write us.

 If you want to make sure we can get your files back, write us.

 glushkov@protonmail.ch

 glushkov@tutanota.de

 igor.glushkov.83@mail.ru

 In case we don't respond to an email within one day, download application called BitMessage and reach to us for the fastest response.

 BitMessage BM-2cVPRqFb5ZRaMuYdryqxsMNxFMudibvnY6

 ###

 To someone from IT department

 This is custom developed ransomware, decrypter won't be made by an antivirus company. This one doesn't even have a name. It uses AES-256 for encrypting files, RSA-2048 for storing encrypted AES-256 password and SHA-2 for keeping the encrypted file integrity. It's written in C++ and have passed many quality assurance tests. To prevent this next time use offline backups.

 ###'

In the latest samples of Defray, a ransom note is placed in each directory that contains encrypted files. The name of the ransom note can vary, yet it is typically a combination of exclamation points, followed by the string "README" and some reference to the victim's name, for example "!!!_IMPACTED_Client_README_!!!.txt". Below is an example of a ransom note text:

‘Hello <Redacted> (NASDAQ: <Redacted>)!!! 

Inspect this message CLOSELY and contact someone from technical division. 

Your data is securely ENCRYPTED.

CORRECTION names or content of encrypted items (*.<Redacted>) can make recovering problems. 

Mail us any encrypted document (smaller than 800KB) and we would restore it.

Affected file SHOULD NOT have sensitive intelligence. 

The rest of data will be available behind PAYING. 

We ask you not to contact cops as they will BLOCK your bank accounts to inhibit payment. Reach us BUT if you responsible for all business. 

<Redacted>@protonmail.com'

Computer users should refuse to pay any ransom demanded by the Defray Ransomware and should instead use a reliable backup system to restore the files compromised by the infection.
