{
	"id": "f8aab6c6-6dcd-4e76-bde1-1934a8c30e1e",
	"created_at": "2026-04-06T01:30:45.015287Z",
	"updated_at": "2026-04-10T03:21:38.927419Z",
	"deleted_at": null,
	"sha1_hash": "17c51bad8ee24d18c71ff9016ee092a3e1eff535",
	"title": "Defray Ransomware Targets Education \u0026 Healthcare US | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 842417,
	"plain_text": "Defray Ransomware Targets Education \u0026 Healthcare US |\r\nProofpoint US\r\nBy Proofpoint Staff, August 24, 2017\r\nPublished: 2017-08-24 · Archived: 2026-04-06 01:12:01 UTC\r\nDefray Ransomware Overview\r\nProofpoint threat researchers recently analyzed Defray Ransomware, a previously undocumented ransomware\r\nstrain. So far in August, we have observed only two small and selectively targeted attacks distributing this\r\nransomware. One was primarily aimed at Healthcare and Education verticals; another targeted Manufacturing and\r\nTechnology verticals. We selected the name “Defray” based on the command and control (C\u0026C) server hostname\r\nfrom the first observed attack:\r\ndefrayable-listings[.]000webhostapp[.]com\r\nCoincidentally, the verb defray means to provide money to pay a portion of a cost or expense, although what\r\nvictims are defraying in this case is unclear.\r\nDefray Malware Distribution\r\nThe distribution of Defray malware has several notable characteristics:\r\nDefray is currently being spread via Microsoft Word document attachments in email\r\nThe campaigns are as small as several messages each\r\nThe lures are custom crafted to appeal to the intended set of potential victims\r\nThe recipients are individuals or distribution lists, e.g., group@ and websupport@\r\nGeographic targeting is in the UK and US\r\nVertical targeting varies by campaign and is narrow and selective\r\nOn August 22, Proofpoint researchers detected an email campaign targeted primarily at Healthcare and Education\r\ninvolving messages with a Microsoft Word document containing an embedded executable (specifically, an OLE\r\npackager shell object). In the screenshot shown in Figure 1, the attachment uses a UK hospital logo in the upper\r\nright (not shown) and purports to be from the Director of Information Management \u0026 Technology at the hospital.\r\nhttps://www.proofpoint.com/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals\r\nPage 1 of 6\n\nFigure 1: The Word document, patient_report.doc, delivered in malicious email messages\r\nThis was similar to a campaign observed by Proofpoint researchers on August 15 targeting Manufacturing and\r\nTechnology verticals and involving messages with the subject “Order/Quote” and a Microsoft Word document\r\ncontaining an embedded executable (also an OLE packager shell object).\r\nIn the August 15 campaign, the attachment used a lure referencing a UK-based aquarium with international\r\nlocations (Figure 2), and purported to be from a representative of the aquarium.\r\nFigure 2: Word document attachment, presentation.doc, delivered in malicious email messages\r\nIf the potential victim double clicks on the embedded executable, the ransomware is dropped with a name such as\r\ntaskmgr.exe or explorer.exe in the %TMP% folder and executed.\r\nDefray Analysis\r\nTo alert the victim that their computer has been infected and that their files are encrypted, this ransomware creates\r\nFILES.txt (Figure 3) in many folders throughout the system. HELP.txt, with identical content to FILES.txt, also\r\nappeared on the Desktop folder where we executed the ransomware.\r\nFigure 3: FILES.txt ransom message\r\nThe ransom note shown in Figure 3 follows a recent trend of fairly high ransom demands; in this case, $5000.\r\nHowever, the actors do provide email addresses so that victims can potentially negotiate a smaller ransom or ask\r\nquestions, and even go so far as to recommend BitMessage as an alternative for receiving more timely responses.\r\nAt the same time, they also recommend that organizations maintain offline backups to prevent future infections.\r\nThe ransomware contains a hardcoded list of file extensions, shown below, for files that it will encrypt (although\r\nwe observed others such as .lnk and .exe encrypted that were not on this list). The file extensions of modified files\r\nwere not changed. We observed that the modified files all end in bytes “30 82 04 A4 02 01 00 02 82 01 01 00 9F\r\nCF 52 84” for our sample. We did not investigate the specifics of the encryption routine.\r\n.001 | .3ds | .7zip | .MDF | .NRG | .PBF | .SQLITE | .SQLITE2 | .SQLITE3 | .SQLITEDB | .SVG | .UIF | .WMF |\r\n.abr | .accdb | .afi | .arw | .asm | .bkf | .c4d | .cab | .cbm | .cbu | .class | .cls | .cpp | .cr2 | .crw | .csh | .csv | .dat | .dbx |\r\n.dcr | .dgn | .djvu | .dng | .doc | .docm | .docx | .dwfx | .dwg | .dxf | .fla | .fpx | .gdb | .gho | .ghs | .hdd | .html | .iso |\r\n.iv2i | .java | .key | .lcf | .matlab | .max | .mdb | .mdi | .mrbak | .mrimg | .mrw | .nef | .odg | .ofx | .orf | .ova | .ovf |\r\n.pbd | .pcd | .pdf | .php | .pps | .ppsx | .ppt | .pptx | .pqi | .prn | .psb | .psd | .pst | .ptx | .pvm | .pzl | .qfx | .qif | .r00 |\r\n.raf | .rar | .raw | .reg | .rw2 | .s3db | .skp | .spf | .spi | .sql | .sqlite-journal | .stl | .sup | .swift | .tib | .txf | .u3d | .v2i |\r\n.vcd | .vcf | .vdi | .vhd | .vmdk | .vmem | .vmwarevm | .vmx | .vsdx | .wallet | .win | .xls | .xlsm | .xlsx | .zip\r\nDefray has been observed communicating with an external C\u0026C server via both HTTP (clear-text, shown in\r\nFigure 4) and HTTPS, to which it will report infection information.\r\nFigure 4: Screenshot of the clear-text C\u0026C beacon\r\nAfter encryption is complete, Defray may cause other general havoc on the system by disabling startup recovery\r\nand deleting volume shadow copies. On Windows 7 the ransomware monitors and kills running programs with a\r\nGUI, such as the task manager and browsers. We have not observed the same behavior on Windows XP.\r\nConclusion\r\nDefray Ransomware is somewhat unusual in its use in small, targeted attacks. Although we are beginning to see a\r\ntrend of more frequent targeting in ransomware attacks, it still remains less common than large-scale “spray and\r\npray” campaigns. It is also likely that Defray is not for sale, either as a service or as a licensed application like\r\nmany ransomware strains. Instead, it appears that Defray may be for the personal use of specific threat actors,\r\nmaking its continued distribution in small, targeted attacks more likely. We will continue to monitor this threat and\r\nprovide updates as new information emerges.\r\nDefray Ransomware Indicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\n947b360b76dd815f5b5d226b8a9aba22fe6b5589a3c16c765625ce2f9d1f5db2 | sha256 | Defray binary\r\ndefrayable-listings.000webhostapp[.]com | dns | C\u0026C Domain\r\n145.14.145[.]115 | ip | C\u0026C IP\r\nkinaesthetic-electr.000webhostapp[.]com | dns | C\u0026C Domain\r\n08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4 | sha256 | Defray binary\r\nET and ETPRO Suricata/Snort Signatures\r\n2827545 | ETPRO TROJAN W32.Defray Ransomware Checkin\r\n2827635 | ETPRO TROJAN Observed Malicious Domain SSL Cert in SNI (Defray Ransomware)\r\nSource: https://www.proofpoint.com/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals"
	],
	"report_names": [
		"defray-new-ransomware-targeting-education-and-healthcare-verticals"
	],
	"threat_actors": [],
	"ts_created_at": 1775439045,
	"ts_updated_at": 1775791298,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/17c51bad8ee24d18c71ff9016ee092a3e1eff535.pdf",
		"text": "https://archive.orkl.eu/17c51bad8ee24d18c71ff9016ee092a3e1eff535.txt",
		"img": "https://archive.orkl.eu/17c51bad8ee24d18c71ff9016ee092a3e1eff535.jpg"
	}
}