MALWARE FAMILY | 💰 FINANCIAL | HIGH

Defray

Internal ID: win.defray
Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

Defray is targeted ransomware that appeared in 2017, aimed mainly at the healthcare vertical.

The distribution of Defray has several notable characteristics:

According to Proofpoint:

"Defray is currently being spread via Microsoft Word document attachments in email

The campaigns are as small as several messages each

The lures are custom crafted to appeal to the intended set of potential victims

The recipients are individuals or distribution lists, e.g., group@ and websupport@

Geographic targeting is in the UK and US

Vertical targeting varies by campaign and is narrow and selective"

Threat Analysis

Defray is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

Financially motivated threats like Defray prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, Defray is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

Quick Facts

Type: Malware Family
Motivation: 💰 financial
Sophistication: high
Aliases: 1

Also Known As

win.defray

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.