Defray targets Windows OS and is distributed via emails containing malicious Microsoft Word attachments. In August 2017, cybersecurity firm Proofpoint detected two small email campaigns containing Defray targeting individuals and distribution lists within the US and UK healthcare and education sectors, as well as the manufacturing and technology sectors. These malicious email campaigns are customized with documents named patient_report.doc and presentation.doc to appeal to potential victims in an attempt to fool them into opening up the attachment and launching the ransomware. If the attachment is opened, the ransomware - named after a common Windows process - executable is dropped into the %TEMP% folder and launched. Defray contacts its C2 server to send information about the infected system back to the hacker behind the campaign and targets specific files types for encryption. It does not modify the file names or append any extensions. After the encryption process is complete, Defray drops a ransom note named FILES.txt or HELP.txt on various folders throughout the infected system. Proofpoint researchers suggest that this variant may also be capable of disabling the startup recovery process and deleting Shadow Volume Copies, as well as killing any software with a GUI that is currently running during the time of infection. Defray demands a ransom payment of $5000 worth of Bitcoin.

Email addresses associated with Defray:,,

  • Proofpoint provides additional information on Defray here.
  • The NJCCIC is not aware of any free decryption tools available for Defray.

Image Source: Proofpoint