Ransomware Threat Assessments: A Companion to the 2021 Unit 42 Ransomware Threat Report

A conceptual image representing ransomware, such as the families covered in this package of ransomware threat assessments.

This post is also available in: 日本語 (Japanese)

Threat Assessment: Defray777 Ransomware

Executive Summary

Defray is a malware family that was first discovered in 2017. It has been seen propagating via small and targeted phishing campaigns that trick users into downloading malicious files such as Microsoft Word documents. Defray777, however, also known as Defray 2018, Target777, Ransom X and RansomEXX, is a much more sophisticated strain of ransomware that has been active since 2018. This newer variant of malware has been seen leveraging novel techniques to undermine detection and is attributed to the threat group referred to as Sprite Spider and GOLD DUPONT.

Defray777 Ransomware Overview

Conceptual image representing Defray777 ransomware as part of the ransomware threat assessments companion to the 2021 Unit 42 Ransomware Threat Report.

Rather than being delivered via common ransomware attack vectors such as phishing campaigns, in 2020, the Defray777 ransomware was delivered in tandem with other tools such as the Vatet loader, PyXie RAT, and Cobalt Strike through low-volume, targeted attacks against multiple organizations.

Figure 1. Screenshot of Defray777 ransom note.
Figure 1. Screenshot of Defray777 ransom note.

Defray777 is unique in that it runs entirely in memory, making it more elusive and harder to track for security researchers. During its execution, Defray777 has the ability to kill certain “undesirable” threads and processes such as powershell.exe, rundll32.exe, vmnat.exe, wefault.exe and explorer.exe. It is capable of encrypting files using AES-256 cryptography while not disrupting a system’s core functionality, and it only runs commands after encryption is completed as a means of evading detection during the encryption process. This effectively makes it so that files are already encrypted by the time security tools, such as EDR platforms, are able to alert on Defray777’s malicious activity. In 2020, Defray777 has evolved to not only target Windows platforms, but Linux as well through a recent port, making it the first ransomware to have a standalone executable across both Windows and Linux. Because of this, threat actors have been able to leverage Defray777 against infrastructure that is capable of running ELF binaries, such as VMWare ESXI servers.

In 2020, Defray777 threat actors targeted the healthcare, education, manufacturing, government, construction and engineering, and high tech sectors in the U.S., Canada, Australia, Japan, France and Brazil. Ransom demands are typically tailored to specific victims.

We previously published a more in-depth analysis of Defray777 ransomware.

More information on Defray777 victimology can be found in the 2021 Unit 42 Ransomware Threat Report.

Courses of Action

This section documents relevant tactics, techniques and procedures (TTPs) used with Defray777 and maps them directly to Palo Alto Networks product(s) and service(s). It also further instructs customers on how to ensure their devices are configured correctly.

Product / Service Course of Action
Initial Access
The below courses of action mitigate the following techniques:
Spearphishing Attachment [T1566.001]
NGFW Set up File Blocking
Threat Prevention Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'
Ensure a secure antivirus profile is applied to all relevant security policies
WildFire Ensure that WildFire file size upload limits are maximized
Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles
Ensure a WildFire Analysis profile is enabled for all security policies
Ensure forwarding of decrypted content to WildFire is enabled
Ensure all WildFire session information settings are enabled
Ensure alerts are enabled for malicious files detected by WildFire
Ensure 'WildFire Update Schedule' is set to download and install updates every minute
Cortex XDR Configure Malware Security Profile
Cortex XSOAR Deploy XSOAR Playbook - Phishing Investigation - Generic V2
Deploy XSOAR Playbook - Endpoint Malware Investigation
Initial Access, Lateral Movement
The below courses of action mitigate the following techniques:
Replication Through Removable Media [T1091]
Cortex XDR Enable Device Control
Privilege Escalation, Defense Evasion
The below courses of action mitigate the following techniques:
Process Injection [T1055]
Cortex XDR Enable Anti-Exploit Protection
Enable Anti-Malware Protection
Defense Evasion, Discovery
The below courses of action mitigate the following techniques:
Masquerade Task or Service [T1036.004], Process Discovery [T1057]
Cortex XDR Configure Behavioral Threat Protection under the Malware Security Profile
The below courses of action mitigate the following techniques:
Data Encrypted for Impact [T1486], Inhibit System Recovery [T1490]
Cortex XSOAR Deploy XSOAR Playbook - Ransomware Manual for incident response.
Deploy XSOAR Playbook - Palo Alto Networks Endpoint Malware Investigation

Table 1. Courses of Action for Defray777 ransomware.
†These capabilities are part of the NGFW security subscriptions service.


Defray777 is a perfect example of how a ransomware family can evolve over time to wreak havoc in entirely new ways. Furthermore, the inception of this newer variant emphasizes that threat actors can remain under the radar by leveraging unique tactics to evade modern methods of detection. The expansion of this ransomware family into affecting additional platforms, such as Linux, could possibly forecast its greater impact in the future.

Palo Alto Networks detects and prevents Defray777 in the following ways:

  • WildFire: All known samples are identified as malware.
  • Cortex XDR with:
    • Indicators for Defray777.
    • Anti-Ransomware Module to detect Defray777 encryption behaviors.
    • Local Analysis detection to detect Defray777 binaries.
  • Next-Generation Firewalls: DNS Signatures detect the known command and control (C2) domains, which are also categorized as malware in URL Filtering.
  • AutoFocus: Tracking related activity using the RansomX tag.

Additionally, Indicators of Compromise (IoCs) associated with Defray777 are available on GitHub, and have been published to the Unit 42 TAXII feed.

Additional Resources

Back to Top