{
	"id": "6f6474f9-c565-4384-bca8-c5ee916782ec",
	"created_at": "2026-04-06T00:11:12.420235Z",
	"updated_at": "2026-04-10T03:20:56.726355Z",
	"deleted_at": null,
	"sha1_hash": "ea3b2f49619135af3355371e0156647abfed3a86",
	"title": "Defray Ransomware Sets Sights on Healthcare and Other Industries - Wiadomości bezpieczeństwa",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 258036,
	"plain_text": "Defray Ransomware Sets Sights on Healthcare and Other\r\nIndustries - Wiadomości bezpieczeństwa\r\nArchived: 2026-04-05 16:47:46 UTC\r\nWidespread ransomware attacks are becoming more\r\ncommon, but while the usual “spray and pray” methods allow ransomware to reach the largest possible number of\r\nvictims, other strategies are more discriminatory.\r\nThe newly discovered Defray (detected by Trend Micro as RANSOM_DEFRAY.A and RANSOM_DEFRAY.B)\r\nransomware employs a more targeted approach. Reports say that Defray distributors are pursuing healthcare,\r\neducation, manufacturing, and technology organizations using a tailored social engineering strategy. These\r\nindustries, healthcare specifically, have always been particular favorites of ransomware authors.\r\nDefray behavior and demands\r\nAs with most ransomware, Defray is spread through phishing emails which try to coerce victims into\r\ndownloading a malicious file. The proliferation of ransomware through email is well-documented. A 2016 report\r\nby Trend Micro found that email was the most common entry point, with 79% of ransomware detected coming\r\nfrom spam mail.\r\nLuckily, the Defray attacks have been relatively small, and so far only minor campaigns have been tracked. The\r\nphishing emails the authors use are well-crafted—for an attack targeting a hospital, the phishing email was from a\r\n“hospital IT manager” and the malicious files were disguised as patient reports. In other emails, the attackers\r\nmasqueraded as a UK-based aquarium company asking for a quote or order, and the malicious file had an\r\n“official” logo attached. The specificity and detail show a definite effort to convince targets of their legitimacy,\r\nand the more tailored lures show the attackers are investing in more specific targets.\r\nhttps://www.trendmicro.com/vinfo/pl/security/news/cyber-attacks/defray-ransomware-sets-sights-on-healthcare-and-other-industries\r\nPage 1 of 3\n\nFigure 1. 
Defray ransom note includes a specific message for IT department\r\nDespite cosmetic changes to the name, the malicious file is the same. Attackers used a Word document with an\r\nembedded OLE packager object. If the victim clicks on the OLE file, the ransomware (camouflaged as a\r\ntaskmgr.exe or explorer.exe file) is installed. The ransom note that follows asks for US$5,000 in bitcoin and also\r\nincludes three email addresses for contacting the developers. The note actually encourages victims to email them,\r\nand even negotiate payment. The authors also provide an alternative communication channel—BitMessage—in\r\ncase email takes too long. Reports confirm that after encrypting files, Defray will track programs that might\r\ninterfere with its purpose—task manager or web browsers will be shut down with a GUI.\r\nSolutions and recommendations\r\nRansomware authors are becoming smarter with their attacks, and as security professionals become more aware of\r\nnew tricks and techniques they can better defend their organizations and enterprises. There are ransomware best\r\npractices that every IT/system administrator should implement, as well as effective multilayered security solutions\r\nthat can help protect against this threat.\r\nEmail and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™\r\nWeb Security prevent ransomware from ever reaching end users. And as we see more advanced malware evade\r\ntraditional security, Trend Micro Deep Discovery™ Analyzer leverages cross-generational techniques, including\r\nCustom Sandbox Analysis, to detect targeted ransomware. 
At the endpoint level, Trend Micro™ Smart Protection\r\nSuites deliver several capabilities like high-fidelity machine learning, behavior monitoring and application\r\ncontrol, and vulnerability shielding that minimize the impact of this threat.\r\nTrend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects endpoints from\r\nthreats that abuse vulnerabilities.\r\nDeep Security™ provides protection via the following DPI rule:\r\n1008572-Ransomware Defray\r\nFor TippingPoint the applicable rule is:\r\n29521: HTTPS: Defray Ransomware Data Exfiltration\r\nSource: https://www.trendmicro.com/vinfo/pl/security/news/cyber-attacks/defray-ransomware-sets-sights-on-healthcare-and-other-industries",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/pl/security/news/cyber-attacks/defray-ransomware-sets-sights-on-healthcare-and-other-industries"
	],
	"report_names": [
		"defray-ransomware-sets-sights-on-healthcare-and-other-industries"
	],
	"threat_actors": [],
	"ts_created_at": 1775434272,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea3b2f49619135af3355371e0156647abfed3a86.pdf",
		"text": "https://archive.orkl.eu/ea3b2f49619135af3355371e0156647abfed3a86.txt",
		"img": "https://archive.orkl.eu/ea3b2f49619135af3355371e0156647abfed3a86.jpg"
	}
}