How to Remove Defray Ransom

Defray is a Trojan horse that encrypts files on the compromised computer and demands a payment to decrypt them. It was discovered on August 28, 2017. It can affect Windows 7, 8 and 10 systems, and the risk level is rated Very Low.

The Trojan may arrive as a file embedded in malicious Microsoft Word documents attached to email messages.

When the Trojan is executed, it creates the following file in each directory where it encrypts files:

  • [PATH TO ENCRYPTED FILES]\FILES.TXT

The Trojan encrypts files with the following extensions:

  • .001
  • .3ds
  • .7zip
  • .abr
  • .accdb
  • .afi
  • .arw
  • .asm
  • .bkf
  • .c4d
  • .cab
  • .cbm
  • .cbu
  • .class
  • .cls
  • .cpp
  • .cr2
  • .crw
  • .csh
  • .csv
  • .dat
  • .dbx
  • .dcr
  • .dgn
  • .djvu
  • .dll
  • .dng
  • .doc
  • .docm
  • .docx
  • .dwfx
  • .dwg
  • .dxf
  • .exe
  • .fla
  • .fpx
  • .gdb
  • .gho
  • .ghs
  • .hdd
  • .html
  • .iso
  • .iv2i
  • .java
  • .key
  • .lcf
  • .lnk
  • .matlab
  • .max
  • .mdb
  • .MDF
  • .mdi
  • .mrbak
  • .mrimg
  • .mrw
  • .nef
  • .NRG
  • .odg
  • .ofx
  • .orf
  • .ova
  • .ovf
  • .pbd
  • .PBF
  • .pcd
  • .pdf
  • .php
  • .pps
  • .ppsx
  • .ppt
  • .pptx
  • .pqi
  • .prn
  • .psb
  • .psd
  • .pst
  • .ptx
  • .pvm
  • .pzl
  • .qfx
  • .qif
  • .r00
  • .raf
  • .rar
  • .raw
  • .reg
  • .rw2
  • .s3db
  • .skp
  • .spf
  • .spi
  • .sql
  • .SQLITE
  • .sqlite-journal
  • .SQLITE2
  • .SQLITE3
  • .SQLITEDB
  • .stl
  • .sup
  • .SVG
  • .swift
  • .tib
  • .txf
  • .u3d
  • .UIF
  • .v2i
  • .vcd
  • .vcf
  • .vdi
  • .vhd
  • .vmdk
  • .vmem
  • .vmwarevm
  • .vmx
  • .vsdx
  • .wallet
  • .win
  • .WMF
  • .xls
  • .xlsm
  • .xlsx
  • .zip

The Trojan then overwrites the files. It does not append a new extension to the end of encrypted file names.

Next, the Trojan connects to the following command and control (C&C) servers:

  • defrayable-listings.000webhostapp.com
  • kinaesthetic-electr.000webhostapp.com

The Trojan deletes volume shadow copies.

The Trojan then displays a ransom note demanding payment in Bitcoin for the files to be decrypted.
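As an added triage example (not part of this write-up), the following Python helper uses the two on-disk traits described above: the FILES.TXT note dropped in every encrypted directory, and the fact that files are overwritten in place without a new extension. The entropy heuristic, the extension subset and the fixture directory names are my assumptions, not anything the write-up states.

```python
"""Triage helper for Defray-style infections: find ransom notes, then list
the targeted-extension files beside them. Defray overwrites in place and
does not rename files, so FILES.TXT is the only reliable marker on disk."""
import math
import os
import tempfile
from pathlib import Path

RANSOM_NOTE = "FILES.TXT"
# Subset of the extensions the write-up lists, lower-cased because that
# list mixes cases (.MDF, .SQLITE) and Windows filenames are case-insensitive.
TARGETED_EXT = {".doc", ".docx", ".xlsx", ".pdf", ".sql", ".sqlite",
                ".mdf", ".vmdk", ".zip", ".cr2", ".pst"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 to 8.0); ciphertext sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_tree(root: str, sample: int = 4096) -> dict:
    """Map each directory holding a note to [(filename, entropy), ...]."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE not in {f.upper() for f in files}:
            continue  # no note here: Defray did not touch this directory
        suspects = []
        for name in files:
            if Path(name).suffix.lower() in TARGETED_EXT:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    score = round(shannon_entropy(fh.read(sample)), 2)
                suspects.append((name, score))
        hits[dirpath] = sorted(suspects)
    return hits

def run_demo() -> dict:
    """Constructed fixture (assumed names): one directory with a note and a
    random-byte .docx standing in for ciphertext, one untouched directory."""
    with tempfile.TemporaryDirectory() as tmp:
        hit, clean = Path(tmp, "Documents"), Path(tmp, "Pictures")
        hit.mkdir(); clean.mkdir()
        (hit / RANSOM_NOTE).write_text("ransom note placeholder")
        (hit / "report.docx").write_bytes(os.urandom(4096))  # plays encrypted
        (clean / "photo.CR2").write_bytes(b"A" * 4096)  # targeted, but no note
        return {os.path.relpath(d, tmp): v for d, v in triage_tree(tmp).items()}
```

Only the directory with a note is reported, and the high entropy score on the targeted file is consistent with it having been overwritten; a low score beside a note would be worth a closer look rather than a conclusion.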
