A new ransomware variant was discovered in the wild targeting the healthcare and education industries by security firm Proofpoint.

The hackers who launched Defray -- a previously undocumented ransomware strain -- is using selectively targeted attacks for distribution. So far, Proofpoint researchers have seen just two small attacks, but more may be coming soon.

Defray appears to be following the recent trend of targeted, customized attacks, according to researchers.

[Join Your Peers at HIMSS’ Healthcare Security Forum! Register Today]

The virus is being spread by Microsoft Word document attachments in emails -- which is pretty standard when it comes to ransomware.

But what makes Defray stand out are its lures: These are custom crafted to appeal to intended victims. Of the emails found by Proofpoint, the infected attachments go as far as to include the hospital’s logo and writes to the user as the director of information management and technology from the hospital.

[Also: Google: Ransomware victims paid $25 million to hackers]

The recipients are individuals found on distribution lists, like groups and web support, and emails are crafted to fit the intended victim.

The ransomware note asks for up to $5,000 in payment to unlock the infected files. But Proofpoint said the hackers provide an email for victims to potentially negotiate a smaller ransom or ask questions.

[Also: The biggest healthcare breaches of 2017 (so far)]

Further, the targeting is narrow and selective -- with campaigns as small as several messages each. This is much different than the more common “spray and pray” campaigns leveraged by the notorious Locky variant and others.

In these campaigns, hackers pummel the targeted sector or group with massive campaigns. Defray is much more targeted and honed into its victims, which makes it even harder to spot.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com