Defray

Threat Actor Profile Updated 3 months ago
Defray is the name of a ransomware strain first observed in 2017 and, in its later Defray777 variant, of the operation that was subsequently rebranded RansomExx. The operators are tracked by IBM as Hive0091 and are also responsible for the PyXie malware and the Vatet loader. Several of the source documents listed below group Defray with other ransomware of the same period, such as Ryuk and BitPaymer; note that BitPaymer is attributed to GOLD DRAKE in this page's own malware entry, so that grouping reflects co-occurrence in reporting rather than a shared operator. Successful intrusions by this group result in data loss, operational disruption and reputational damage for victims, and RansomExx is notable for shipping a Linux/VMware ESXi build alongside its Windows payload. In May 2023 the newly emerged MichaelKors ransomware-as-a-service (RaaS) operation began targeting VMware ESXi and Linux systems, following tactics already used by Defray and by ALPHV/BlackCat, LockBit, Play, Rook, Black Basta and Rorschach, as well as by the ESXiArgs campaign (a mass-exploitation wave against unpatched ESXi hosts via CVE-2021-21974 rather than a named ransomware gang). The continued shift of e-crime groups toward hypervisor-level encryption is a growing risk for organisations running unpatched or internet-exposed ESXi hosts. Two of the referenced documents (the Netwrix survey coverage and a cyber-insurance commentary) use "defray" only in its ordinary sense of covering recovery costs and do not concern this group; the point made there, attributed to Dirk Schrader, VP of Security Research at Netwrix, is that an insurance payout cannot restore lost data, disrupted operations or a damaged reputation, so organisations still need resilient controls, including defences against AI-powered phishing, to protect their assets and operations.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Esxiargs | 1 | The ESXiArgs campaign was a significant cybersecurity event where an unknown ransomware group targeted VMware ESXi environments. The attackers exploited CVE-2021-21974, a vulnerability that was two years old at the time of the attacks. The campaign involved several ransomware groups such as Royal, B
Defrayx | 1 | None
Hive0091 | 1 | None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Vmware
Linux
Esxiargs
Malware
Loader
Singapore
RaaS
Esxi
Associated Malware
ID | Type | Votes | Profile Description
Rook | Unspecified | 1 | Rook is a malicious software (malware) linked to several ransomware activities, including LockFile, AtomSilo, Night Sky, and Pandora. These activities are associated with the deployment of HUI Loader, which has been used in loading Cobalt Strike Beacon. A CTU analysis revealed that these five ransom
Rorschach Ransomware | Unspecified | 1 | The Rorschach ransomware, also known as BabLock, is a new and unique strain of malware that was first identified by Check Point Research (CPR) and the Check Point Incident Response Team (CPIRT) in April 2023. The ransomware, which was named after the famous psychological test due to its varied appea
Lockbit | Unspecified | 1 | LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Black Basta | Unspecified | 1 | Black Basta is a notorious malware entity known for its devastating ransomware attacks. First emerging in June 2022, the group has since been associated with a series of high-profile cyber-attacks worldwide. This malware, like others, infiltrates systems through suspicious downloads, emails, or webs
Rorschach | Unspecified | 1 | Rorschach, also known as BabLock, is a malware variant that has been recognized for its speed and sophistication. It is a form of ransomware that encrypts files on infected systems at an unprecedented rate, with Check Point researchers noting it as one of the fastest ransomware variants ever observe
BitPaymer | Unspecified | 1 | BitPaymer is a type of malware that operates as ransomware, encrypting files and demanding payment for their release. It was operated by the GOLD DRAKE threat group and was later reworked and renamed DoppelPaymer by the GOLD HERON threat group. As part of the Ransomware as a Service (RaaS) model tha
Associated Threat Actors
ID | Type | Votes | Profile Description
Alphv | Unspecified | 1 | AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Defray Threat Actor was read from the documents corpus below.
Source | Created | Title
CERT-EU | 8 months ago | Establishing Business Continuity in the Aftermath of a Ransomware Attack | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 8 months ago | Commentary: How will money changers fare in a world of multi-currency apps?
CERT-EU | a year ago | 68% of organisations experienced a known cyberattack within the last 12 months
Secureworks | a year ago | Ransomware Evolution
DARKReading | a year ago | Netwrix Annual Security Survey: 68% of Organizations Experienced a Cyberattack Within the Last 12 Months
CERT-EU | a year ago | New 'MichaelKors' Ransomware-as-a-Service Targeting Linux and VMware ESXi Systems
CERT-EU | a year ago | Royal ransomware attack recovery in Dallas to take weeks
CERT-EU | a year ago | In focus: MDR for finance
SecurityIntelligence.com | a year ago | RansomExx Upgrades to Rust
CERT-EU | a year ago | VMware ESXi, Linux systems targeted by new MichaelKors RaaS operation | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware – National Cyber Security Consulting