Remove Defray Ransomware - Restore Data

Remove Defray Ransomware (Glushkov) – Restore Data

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article will help you to remove Defray ransomware completely. Follow the ransomware removal instructions given at the end.

Defray is a ransomware virus targeting healthcare and educational organizations. The cryptovirus was dubbed “Defray” by researchers from Proofpoint, who were the first to discover this malware. They named it after one of the C2 (Command and Control) servers related with the threat. To defray means to give money to pay for an expense, which is appropriate here, since a ransom sum of 5,000 US dollars is demanded as payment. The Defray virus stores its ransom note message inside two text files. The files are filled with instructions about paying the abovementioned ransom for supposedly restoring your files. Read on below to see how you could try to potentially restore some of your data.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionThe Defray ransomware targets large organizations and encrypts their files and then displays a ransom message afterward, demanding 5,000 US dollars.
SymptomsThe ransomware will encrypt files and put up a ransom note inside two text files.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by Defray


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Defray.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Defray Ransomware (Glushkov) – Infection Spread

Defray ransomware could spread its infection with various methods. The most current spread method is via fake Microsoft Word documents. The documents are attached to spam e-mails which are cleverly crafted to appeal to specific organizations. The campaigns are thin and the messages that are used are custom. Below you can view two of the most common documents and how they look like from the inside:

Images Source: Proofpoint

Inside these Microsoft Word file there is an embedded executable and according to Proofpoint – “an OLE packager shell object”. Clicking on the executable will trigger the payload dropper and consequently, execute the Defray ransomware. Some researchers have uploaded a malware sample on the VirusTotal service. You can see the detections of different security software there:

Defray ransomware might also distribute its payload file with other methods in the future. Refrain from opening files or clicking on them before scanning them with a security program. You should also check their size and signature for anything that seems suspicious. You should read the ransomware prevention tips thread in the forum.

Defray Ransomware (Glushkov) – Technical Overview

Defray is how Proofpoint researchers dubbed a ransomware virus that its own developers didn’t want to name. The name comes from one of the C2 (Command and Control) servers associated with the virus, specifically “defrayable-listings”. The malware encrypts files and extorts you to pay a ransom to supposedly recover them. For the moment organizations related to healthcare and education have been targeted as well as one big aquarium. The attacks are mostly targeting the United Kingdom and America.

Defray ransomware might make entries in the Windows Registry to achieve persistence, and could launch or repress processes in a Windows environment. Such entries are typically designed in a way to launch the virus automatically with each start of the Windows Operating System.

The ransom note can be previewed below, in the following screenshot:

The message is placed inside two files:

  • FILES.txt
  • HELP.txt

Their content reads the following:

Don’t panic, read this and contact someone from IT department.
Your computer has been infected with a virus known as ransomware.
All files including your personal or business documents, backups and projects are encrypted.
Encryption is very sophisticated and without paying a ransom you won’t get your files back.
You could be advised not to pay, but you should anyway get in touch with us.
Ransom value for your files is 5000$ to be paid in digital currency called Bitcoin.
If you have questions, write us.
If you have doubts, write us.
If you want to negotiate, write us.
If you want to make sure we can get your files back, write us.

In case we don’t respond to an email within one day, download application called BitMessage and reach to us for the fastest response.
BitMessage BM-2cVPRqFb5ZRaMuYdryqxsMNxFMudibvnY6


To someone from IT department

This is custom developed ransomware, decrypter won’t be made by an antivirus company. This one doesn’t even have a name. It uses AES-256 for encrypting files, RSA-2048 for storing encrypted AES-256 password and SHA-2 for keeping the encrypted file integrity. It’s written in C++ and have passed many quality assurance tests. To prevent this next time use offline backups.


As seen above, the following three e-mails have been given for contacting the cybercriminals:

  • glushkov®

From these e-mails some researchers also refer to the cryptovirus as “Glushkov” ransomware.

The note of the Defray ransomware states that data is encrypted. You are demanded to pay 5,000 US dollars in the Bitcoin cryptocurrency. However, you should NOT under any circumstances pay the ransom sum. Your data may not get restored, and nobody could give you a guarantee for that. Furthermore, giving money to cybercriminals will most likely motivate them to create more ransomware viruses or do other criminal activities.

Defray Ransomware (Glushkov) – Encryption Process

The encryption process of the Defray ransomware is seems to be using a custom structure. According to the ransom note, the utilized encryption sequence is the following:

“AES-256 is used for encrypting the files, RSA-2048 for storing encrypted AES-256 password and SHA-2 for keeping the encrypted file integrity.”

The targeted extensions of files which are sought to get encrypted are listed right down here:

→.001, .3ds, .7zip, .MDF, .NRG, .PBF, .SQLITE, .SQLITE2, .SQLITE3, .SQLITEDB, .SVG, .UIF, .WMF, .abr, .accdb, .afi, .arw, .asm, .bkf, .c4d, .cab, .cbm, .cbu, .class, .cls, .cpp, .cr2, .crw, .csh, .csv, .dat, .dbx, .dcr, .dgn, .djvu, .dng, .doc, .docm, .docx, .dwfx, .dwg, .dxf, .exe, .fla, .fpx, .gdb, .gho, .ghs, .hdd, .html, .iso, .iv2i, .java, .key, .lcf, .lnk, .matlab, .max, .mdb, .mdi, .mrbak, .mrimg, .mrw, .nef, .odg, .ofx, .orf, .ova, .ovf, .pbd, .pcd, .pdf, .php, .pps, .ppsx, .ppt, .pptx, .pqi, .prn, .psb, .psd, .pst, .ptx, .pvm, .pzl, .qfx, .qif, .r00, .raf, .rar, .raw, .reg, .rw2, .s3db, .skp, .spf, .spi, .sql, .sqlite-journal, .stl, .sup, .swift, .tib, .txf, .u3d, .v2i, .vcd, .vcf, .vdi, .vhd, .vmdk, .vmem, .vmwarevm, .vmx, .vsdx, .wallet, .win, .xls, .xlsm, .xlsx, .zip

The Defray cryptovirus is set to disable startup recovery. Also, it erases all the Shadow Volume Copies from the Windows operating system with the help of the following command:

→vssadmin.exe delete shadows /all /Quiet

The above-stated command is executed and that makes the encryption process even more efficient. That is due to the fact that the command eliminates one of the prominent ways to restore your data. If your computer device was infected with this ransomware and your files are locked, read on through to find out how you could potentially recover your files.

Remove Defray Ransomware (Glushkov) and Restore Data

If your computer got infected with the Defray ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share