Proofpoint threat researchers identified a "previously undocumented ransomware strain," which demands up to $5,000 in bitcoin from its targets, according to a company blog post Aug. 24.
Here are four things to know about the ransomware variant.
1. Proofpoint researchers opted to name the variant "Defray," based on the command and control server hostname from the first attack they observed, which began with the term "defrayable-listings."
However, in a ransom note obtained by Proofpoint, the cybercriminals distributing the malware wrote, "This is custom developed ransomware, decrypter won't be made by an antivirus company. This one doesn't even have a name."
2. The researchers have observed two targeted attacks distributing the ransomware in August. One attack targeted the healthcare and education industries, while another targeted the manufacturing and technology industries. Both targeted organizations in the U.S. and the United Kingdom.
3. In an Aug. 22 email campaign, cybercriminals delivered email messages with malware embedded in a Microsoft Word attachment. The email message claimed to be from a U.K. hospital's information management and technology director and the attachment used the hospital's logo.
4. Proofpoint researchers noted the email campaigns were "narrow and selective," using specific language and images to target their victims. The "campaigns" consisted of as few as several messages each.
"Defray Ransomware is somewhat unusual in its use in small, targeted attacks," the blog post reads. "Although we are beginning to see a trend of more frequent targeting in ransomware attacks, it still remains less common than large-scale 'spray and pray' campaigns."