Stefano Ortolani


Deconstructing Defray777 Ransomware

Contributors: Sebastiano Mariani • Stefano Ortolani • Baibhav Singh • Giovanni Vigna • Jason Zhang • Brian Baskin • George Allen • Scott Knight

Recently, reports surfaced describing ransomware attacks targeting VMware ESXi servers. While many of these attacks were initially based upon credential theft, the goal was to unleash one of a series of ransomware families, including Defray777 and Darkside, to encrypt the files associated with virtualized hosts.

These families of ransomware are related to samples that the VMware Threat Research teams had previously seen in the wild. Specifically, based upon their ransom notes and file extensions, they appeared to be variants of the RansomEXX ransomware family. In the second half of 2020, these variants, including Defray777, were observed targeting both Windows and Linux systems.

These attacks also leveraged several ancillary tools such as downloaders, RATs, and exploitation tools to obtain initial access to a system and spread within the target network.

In the following, we provide a technical description of the Defray777 ransomware and a brief discussion of the other components that have been observed in combination with this malware sample.

What is Defray777?

The version of Defray777 analyzed here is a Linux-based, command-line driven ransomware attack that employs