Defray777
Name: Defray777 (also known as Defray, Defray 2018, Target777, Ransom X, RansomExx, Glushkov)
Category: Malware
Type: Ransomware, Big Game Hunting
Targeted OS: Windows & Linux
Description: (Palo Alto) Defray777 is an elusive family of ransomware also known as Ransom X and RansomExx. Although it has recently been covered in the news as a new family, it has been in use since at least 2018 and is responsible for a number of high-profile ransomware incidents, as detailed in the articles we linked to.
Defray777 runs entirely in memory, which is why there have been so few publicly discussed samples to date. In several recent incidents, Defray777 was loaded into memory and executed by {{Cobalt Strike}}, which was delivered by the {{Vatet}} loader.
Information:
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/
https://www.trendmicro.com/vinfo/pl/security/news/cyber-attacks/defray-ransomware-sets-sights-on-healthcare-and-other-industries
https://www.csoonline.com/article/3604599/sprite-spider-emerging-as-one-of-the-most-destructive-ransomware-threat-actors.html
https://blogs.vmware.com/networkvirtualization/2021/03/deconstructing-defray777.html/
https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware
https://blogs.blackberry.com/en/2017/09/cylance-vs-defray-ransomware
https://securityintelligence.com/posts/ransomexx-upgrades-rust/
Malpedia
Alienvault OTX
Playbook: nil
CISA
Other Information
Mitre Techniques: T1078, T1059, T1140, T1562, T1082, T1049, T1083, T1486, T1489, T1490
Mitre Techniques Navigator Link: NIL