Threat Assessment: Defray777 Ransomware
Executive Summary
Defray is a malware family that was first discovered in 2017. It has been seen propagating via small, targeted phishing campaigns that trick users into downloading malicious files such as Microsoft Word documents. Defray777, also known as Defray 2018, Target777, Ransom X and RansomEXX, is a much more sophisticated strain of ransomware that has been active since 2018. This newer variant has been seen leveraging novel techniques to undermine detection and is attributed to the threat group tracked as Sprite Spider and GOLD DUPONT.
Defray777 Ransomware Overview
Rather than being delivered via common ransomware attack vectors such as phishing campaigns, in 2020, the Defray777 ransomware was delivered in tandem with other tools such as the Vatet loader, PyXie RAT, and Cobalt Strike through low-volume, targeted attacks against multiple organizations.
Defray777 is unique in that it runs entirely in memory, making it more elusive and harder for security researchers to track. During its execution, Defray777 can kill certain "undesirable" threads and processes such as powershell.exe, rundll32.exe, vmnat.exe, wefault.exe and explorer.exe. It encrypts files using AES-256 without disrupting a system's core functionality, and it only runs commands after encryption is completed, as a means of evading detection during the encryption process. This effectively means files are already encrypted by the time security tools, such as EDR platforms, are able to alert on Defray777's malicious activity. In 2020, Defray777 evolved to target not only Windows but also Linux through a recent port, making it the first ransomware to have a standalone executable for both Windows and Linux. Because of this, threat actors have been able to leverage Defray777 against infrastructure capable of running ELF binaries, such as VMware ESXi servers.
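The process-termination behaviour described above is one of the few observable signals a defender gets before encryption completes. The following is an added example written for this assessment, not Unit 42's or any vendor's detection logic: a small heuristic that reads endpoint telemetry and flags any single process that terminates several of the listed "undesirable" processes within a short window. The line format, the sample log, the actor name loader.exe, the window and the threshold are all constructed assumptions; real deployments would map the same logic onto their EDR's process-termination events.

```python
"""Heuristic detector for a burst of watch-listed process terminations.

Constructed, hypothetical telemetry format (not any vendor's schema):
    <ISO timestamp> actor=<image> pid=<n> action=<verb> target=<image>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Processes the assessment reports Defray777 killing during execution.
WATCHLIST = {"powershell.exe", "rundll32.exe", "vmnat.exe",
             "wefault.exe", "explorer.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) pid=(?P<pid>\d+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+)$"
)


def parse_line(line):
    """Parse one telemetry line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["pid"] = int(ev["pid"])
    ev["target"] = ev["target"].lower()
    return ev


def detect_kill_bursts(lines, window=timedelta(seconds=60), threshold=3):
    """Return one alert per (actor, pid) that terminates at least `threshold`
    distinct watch-listed processes inside a sliding `window`.

    Each alert is (actor image, pid, sorted list of terminated targets).
    """
    recent = defaultdict(deque)   # (actor, pid) -> deque of (ts, target)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "terminate":
            continue
        if ev["target"] not in WATCHLIST:
            continue
        key = (ev["actor"], ev["pid"])
        q = recent[key]
        q.append((ev["ts"], ev["target"]))
        # Drop events that fell out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ev["actor"], ev["pid"], sorted(distinct)))
    return alerts


# Constructed sample telemetry: one benign single kill from Task Manager,
# then a hypothetical in-memory loader killing four listed processes in
# seconds before spawning a shell. "loader.exe" is a placeholder name.
SAMPLE_LOG = [
    "2021-03-01T10:00:00 actor=taskmgr.exe pid=4100 action=terminate target=explorer.exe",
    "2021-03-01T10:05:00 actor=loader.exe pid=5120 action=terminate target=powershell.exe",
    "2021-03-01T10:05:02 actor=loader.exe pid=5120 action=terminate target=rundll32.exe",
    "2021-03-01T10:05:03 actor=loader.exe pid=5120 action=terminate target=vmnat.exe",
    "2021-03-01T10:05:04 actor=loader.exe pid=5120 action=terminate target=explorer.exe",
    "2021-03-01T10:05:05 actor=loader.exe pid=5120 action=create target=cmd.exe",
    "not a telemetry line",
]

if __name__ == "__main__":
    for actor, pid, targets in detect_kill_bursts(SAMPLE_LOG):
        print(f"ALERT: {actor} (pid {pid}) terminated {', '.join(targets)}")
```

The alert fires at the third distinct watch-listed kill, which is the point of a sliding window: a single administrator-driven termination (the taskmgr.exe line) never reaches the threshold, while a burst from one process does, and the alert is emitted before the remaining kills and any post-encryption commands appear in the stream. Tune `window` and `threshold` against your own environment's baseline.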
In 2020, Defray777 threat actors targeted the healthcare, education, manufacturing, government, construction and engineering, and high tech sectors in the U.S., Canada, Australia, Japan, France and Brazil. Ransom demands are typically tailored to specific victims.
We previously published a more in-depth analysis of Defray777 ransomware.
More information on Defray777 victimology can be found in the 2021 Unit 42 Ransomware Threat Report.
Courses of Action
This section documents relevant tactics, techniques and procedures (TTPs) used with Defray777 and maps them directly to Palo Alto Networks product(s) and service(s). It also further instructs customers on how to ensure their devices are configured correctly.
| Product / Service | Course of Action |
|---|---|
| Initial Access | |
| The below courses of action mitigate the following techniques: Spearphishing Attachment [T1566.001] | |
| NGFW | Set up File Blocking |
| Threat Prevention† | Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3' |
| | Ensure a secure antivirus profile is applied to all relevant security policies |
| WildFire† | Ensure that WildFire file size upload limits are maximized |
| | Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles |
| | Ensure a WildFire Analysis profile is enabled for all security policies |
| | Ensure forwarding of decrypted content to WildFire is enabled |
| | Ensure all WildFire session information settings are enabled |
| | Ensure alerts are enabled for malicious files detected by WildFire |
| | Ensure 'WildFire Update Schedule' is set to download and install updates every minute |
| Cortex XDR | Configure Malware Security Profile |
| Cortex XSOAR | Deploy XSOAR Playbook - Phishing Investigation - Generic V2 |
| | Deploy XSOAR Playbook - Endpoint Malware Investigation |
| Initial Access, Lateral Movement | |
| The below courses of action mitigate the following techniques: Replication Through Removable Media [T1091] | |
| Cortex XDR | Enable Device Control |
| Privilege Escalation, Defense Evasion | |
| The below courses of action mitigate the following techniques: Process Injection [T1055] | |
| Cortex XDR | Enable Anti-Exploit Protection |
| | Enable Anti-Malware Protection |
| Defense Evasion, Discovery | |
| The below courses of action mitigate the following techniques: Masquerade Task or Service [T1036.004], Process Discovery [T1057] | |
| Cortex XDR | Configure Behavioral Threat Protection under the Malware Security Profile |
| Impact | |
| The below courses of action mitigate the following techniques: Data Encrypted for Impact [T1486], Inhibit System Recovery [T1490] | |
| Cortex XSOAR | Deploy XSOAR Playbook - Ransomware Manual for incident response |
| | Deploy XSOAR Playbook - Palo Alto Networks Endpoint Malware Investigation |
Table 1. Courses of Action for Defray777 ransomware.
†These capabilities are part of the NGFW security subscriptions service.
Conclusion
Defray777 is a clear example of how a ransomware family can evolve over time to wreak havoc in entirely new ways. Furthermore, the inception of this newer variant emphasizes that threat actors can remain under the radar by leveraging unique tactics to evade modern methods of detection. The expansion of this ransomware family to additional platforms, such as Linux, could forecast a greater impact in the future.
Palo Alto Networks detects and prevents Defray777 in the following ways:
- WildFire: All known samples are identified as malware.
- Cortex XDR with:
  - Indicators for Defray777.
  - Anti-Ransomware Module to detect Defray777 encryption behaviors.
  - Local Analysis detection to detect Defray777 binaries.
- Next-Generation Firewalls: DNS Signatures detect the known command and control (C2) domains, which are also categorized as malware in URL Filtering.
- AutoFocus: Tracking related activity using the RansomX tag.
Additionally, Indicators of Compromise (IoCs) associated with Defray777 are available on GitHub, and have been published to the Unit 42 TAXII feed.
Additional Resources
- New Defray Ransomware Targets Education and Healthcare Verticals
- This Particular Ransomware Group is Going Unnoticed
- Sprite Spider emerging as one of the most destructive ransomware threat actors
- Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXI Servers With Ransomware to Maximize Impact
- When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777