Alert level: Severe
Detected with Windows Defender Antivirus
Also detected as: Defray (other)
Windows Defender Antivirus detects and removes this threat.
This ransomware attempts to encrypt files on your PC so they can't be opened or used.
There is no one-size-fits-all response if you have been victimized by ransomware. There is no guarantee that paying the ransom will give you access to your files. If you've already paid, see our ransomware page for help on what to do now.
Run antivirus or antimalware software
Use the following free Microsoft software to detect and remove this threat:
- Windows Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
You should also run a full scan. A full scan might find hidden malware.
Use cloud protection
Use cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender Antivirus for Windows 10.
Go to Settings > Update & security > Windows Defender > Windows Defender Security Center > Virus & threat protection and make sure that the Cloud-based Protection setting is turned On.
Prevent malware infections from spam emails
- For enterprise users:
  - Follow the appropriate Exchange Online Protection instructions to suit your business needs.
  - Learn about how Office 365 can help you block spam using machine learning. See Exchange Online Advanced Threat Protection and First look at Advanced Threat Protection: new tools to stop unknown malware & phishing attacks for details.
- Be aware of the dangers in opening suspicious emails. Don't open email attachments or links from untrusted sources.
- The Microsoft SmartScreen filter can also help detect spam. It’s built-in and enabled by default in Microsoft email programs.
- Submit spam and non-spam messages to Microsoft for analysis.
Get more help
If you’re using Windows XP, see our Windows XP end of support page.
This threat injects its code into common processes, including the following Adobe-related processes:
Encrypts your files
This ransomware searches for and encrypts files in all directories except for the following:
In all other folders, it encrypts files with the following extensions:
Unlike many other types of ransomware, this ransomware doesn’t rename the files it encrypts.
Instead, each encrypted file keeps its original name, although its contents are now different and the file cannot be opened.
For example, if file.png is encrypted by this ransomware, the file will still be called file.png.
The ransomware creates notes in every directory where it encrypts files. We have observed it drop these ransom notes with the following file names:
Deletes backup copies of files
This malware deletes local backup copies. It may also attempt to delete or corrupt other backup-related processes, including those belonging to the following products:
- Acronis TIB Mounter
- Comodo Backup
- Google Drive
- Macrium Reflect
Connects to a remote host
This malware communicates with a command and control (C2) server. We have seen it connect to URLs on subdomains of 000webhostapp.com, such as:
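The C2 hosting pattern above (subdomains of 000webhostapp.com) is something a defender can hunt for in DNS or proxy logs. The following PowerShell is an added example and not part of the Microsoft analysis: it parses a handful of constructed DNS-query log lines (the log format, timestamps, client addresses and host names are all made up for illustration) and reports which clients resolved a host under that parent domain.

```powershell
# Added example, not from the original page. Hunts DNS-style log lines for
# queries to subdomains of 000webhostapp.com, the C2 hosting pattern the
# analysis describes. The log format "<timestamp> <client-ip> query: <host>"
# and every value below are constructed sample data, not real telemetry.

$SampleDnsLog = @'
2017-08-24T10:15:03Z 10.0.0.21 query: www.microsoft.com
2017-08-24T10:15:09Z 10.0.0.21 query: update-check-placeholder.000webhostapp.com
2017-08-24T10:16:44Z 10.0.0.37 query: mail.example.org
2017-08-24T10:17:02Z 10.0.0.37 query: 000webhostapp.com.evil-lookalike.example
2017-08-24T10:18:15Z 10.0.0.52 query: another-placeholder.000webhostapp.com
'@

function Find-SuspiciousC2Lookups {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        # Parent domain named by the analysis; a match must be the domain itself
        # or a label ending in ".000webhostapp.com", never a lookalike prefix.
        [string]$ParentDomain = '000webhostapp.com'
    )

    $escaped = [regex]::Escape($ParentDomain)
    $pattern = "(^|\.)$escaped$"          # anchored at the end of the host name

    foreach ($line in $LogLines) {
        # Extract the three fields; skip lines that do not fit the expected shape.
        if ($line -notmatch '^(?<ts>\S+)\s+(?<client>\S+)\s+query:\s+(?<host>\S+)\s*$') { continue }
        $qname = $Matches.host.TrimEnd('.').ToLowerInvariant()
        if ($qname -match $pattern) {
            [pscustomobject]@{
                Timestamp = $Matches.ts
                Client    = $Matches.client
                Host      = $qname
                Reason    = "Query to subdomain of $ParentDomain"
            }
        }
    }
}

# Usage: run against the constructed sample, then against real DNS logs.
$hits = Find-SuspiciousC2Lookups -LogLines ($SampleDnsLog -split "`r?`n")
$hits | Format-Table -AutoSize
```

The regex is anchored to the end of the host name on purpose: the constructed line `000webhostapp.com.evil-lookalike.example` is not flagged, because the parent domain appears as a prefix rather than as the registrable domain. Note that 000webhostapp.com is a free hosting service used by many legitimate sites, so a hit identifies a host to triage (and a client to examine for the macro and process-injection behaviour described on this page), not proof of compromise on its own.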
Analysis by Carmen Liang
This ransomware attack can be prevented, because the malware is delivered by a macro in an email.
For more details about macros, ransomware, advanced persistent threats, and how you can protect your enterprise, see the following report, video, and blog:
- Ransomware FAQ
- Video: Ransomware 101: How to Protect and Mitigate your environment from Malware
- How you can prevent and mitigate ransomware attacks
You can also follow the guidance in this section to help prevent loading and spreading macro-related malware.
Configure your Trust Center to disable macros
Administratively disabling macros can help prevent malware-ridden macros from downloading ransomware or other threats onto your machine or your network.
Disable unsigned macros in Microsoft Office:
- Open the options window in the Office program (in Office 2016, click the File tab and then click Options).
- Click Trust Center and then Trust Center Settings...
- Click Macro Settings and select Disable all macros except digitally signed macros.
- Click OK.
- Repeat this for each Office program.
See the Office support page to Enable or disable macros in Office files for more details.
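The Trust Center steps above set a per-user, per-application value, and they have to be repeated for each Office program. The following PowerShell is an added example, not from the Microsoft page or the Office documentation: it audits that setting across the installed Office applications and can set it to "Disable all macros except digitally signed macros". It assumes the well-known registry locations for this setting, which the page itself does not name: the user choice is stored as the `VBAWarnings` DWORD under `HKCU:\Software\Microsoft\Office\<version>\<app>\Security`, a Group Policy value under `HKCU:\Software\Policies\Microsoft\Office\<version>\<app>\Security` takes precedence, and the values are 1 = enable all, 2 = disable with notification, 3 = disable all except digitally signed, 4 = disable all without notification.

```powershell
# Added example, not from the original page. Audits (and optionally sets) the
# Office "Macro Settings" value that the Trust Center procedure above changes.
# Assumed registry layout (not stated on the page): VBAWarnings under
#   HKCU:\Software\Microsoft\Office\<ver>\<app>\Security          (user choice)
#   HKCU:\Software\Policies\Microsoft\Office\<ver>\<app>\Security (GPO, wins)
# Values: 1 = enable all, 2 = disable with notification (built-in default),
#         3 = disable all except digitally signed, 4 = disable all, no prompt.

$Apps     = 'Word', 'Excel', 'PowerPoint', 'Outlook', 'Access', 'Publisher'
$Versions = '14.0', '15.0', '16.0'          # Office 2010, 2013, 2016 and later
$Meaning  = @{
    1 = 'Enable all macros (dangerous)'
    2 = 'Disable all macros with notification (user can still click Enable Content)'
    3 = 'Disable all macros except digitally signed macros (setting recommended above)'
    4 = 'Disable all macros without notification'
}

function Get-OfficeMacroSetting {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$App, [Parameter(Mandatory)][string]$Version)

    # Only report applications that actually have a per-user key for this version.
    if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$Version\$App")) { return }

    $candidates = @(
        @{ Source = 'Policy'; Path = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security" },
        @{ Source = 'User';   Path = "HKCU:\Software\Microsoft\Office\$Version\$App\Security" }
    )
    $value = 2; $source = 'Default (value not set)'
    foreach ($c in $candidates) {
        $v = (Get-ItemProperty -Path $c.Path -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -ne $v) { $value = [int]$v; $source = $c.Source; break }   # policy wins
    }
    [pscustomobject]@{
        App         = $App
        Version     = $Version
        Source      = $source
        VBAWarnings = $value
        Meaning     = if ($Meaning.ContainsKey($value)) { $Meaning[$value] } else { 'Unknown value' }
        Compliant   = ($value -ge 3)      # 3 or 4 both block unsigned macros
    }
}

function Set-OfficeMacroSetting {
    # Writes the per-user value; a Group Policy value, if present, still overrides it.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$App, [Parameter(Mandatory)][string]$Version, [int]$Value = 3)

    $key = "HKCU:\Software\Microsoft\Office\$Version\$App\Security"
    if ($PSCmdlet.ShouldProcess($key, "Set VBAWarnings = $Value")) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $Value -Type DWord
    }
}

# Usage: audit every installed app/version and list the ones still allowing unsigned macros.
$report = foreach ($v in $Versions) { foreach ($a in $Apps) { Get-OfficeMacroSetting -App $a -Version $v } }
$report | Format-Table App, Version, Source, VBAWarnings, Compliant -AutoSize

# Uncomment to remediate the non-compliant user-level settings (use -WhatIf first):
# $report | Where-Object { -not $_.Compliant -and $_.Source -ne 'Policy' } |
#     ForEach-Object { Set-OfficeMacroSetting -App $_.App -Version $_.Version -Value 3 -WhatIf }
```

Run the audit in the context of the user whose Office settings you want to check, since the values live under HKCU. Where a `Policy` source is reported, change the setting through Group Policy rather than with `Set-OfficeMacroSetting`; the per-user write would be silently overridden. Signed-macro enforcement only helps if the organisation controls which publishers are trusted, so review the Trusted Publishers list alongside this setting.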
Use Office 365 Advanced Threat Protection
You can use Office 365's machine learning capability to help your network administrators block dangerous email threats.
The following can indicate that you have this threat on your PC:
- You have these files:
- You can't open your files