A new ransomware strain was discovered by security officials of Forcepoint, Texas that is targeting healthcare organizations. The Philadelphia ransomware is from the Stampado family. This ransomware kit is sold online for a few hundred dollars and attackers demand ransom in form of Bitcoins.
Researchers found that Philadelphia ransomware is transported via spear-phishing emails. Such emails are sent to the hospitals with a message body of a shortened URL that directs towards a personal storage space serving a weaponized DOCX file with the logo of targeted healthcare organization. The employees get trapped and end up clicking on these links that make the ransomware infiltrate in the system.
Image Source: forcepoint.com
Once the ransomware is established in the system, it contacts the C&C server and transfers all the information about the victim computer like operating system, country, system language and username of machine. The C&C server then generates a victim ID, ransom price and Bitcoin wallet ID and sends it over to the targeted machine.
Image Source: funender.com
Okay, everyone knows it’s the largest city in Pennsylvania and blah blah blah… but as far as cyber-crime is concerned, it is also an updated version of the notorious Stampado ransomware type virus. In phishing emails, you may encounter them with fake overdue payment notices. These mails mostly include links to Philadelphia’s websites, which are kept ready with Java applications to install ransomware in your system.
See Also: Top 5 Ransomware Protection Tools
Philadelphia starts encrypting files with various extensions like .doc,.bmp, .avi, .7z, .pdf etc., after a successful intrusion in the system. You can identify an encrypted file locked by Philadelphia with its extension as ‘.locked’. For example, a file in your system with the name of ‘abc.bmp’ would be encrypted and renamed as ‘KD24KIH83483BJAKDF8JDR7.locked’. Once you try to open the encrypted file, ransomware opens a new window with a ransom demanded in message.
The ransom message informs you that the files have been encrypted and you’ve got to pay them to restore. Philadelphia uses an asymmetric encryption algorithm which creates a public (encryption) and private (decryption) keys while encrypting and locking the files. Decrypting the locked files without the private key is like boiling an ocean as they are located on remote servers guarded by cyber criminals.
The window contains two interesting timers: Deadline and Russian Roulette. While deadline timer indicates, the time remaining in getting your private key, the Russian Roulette shows the time to delete the next file (pushing you to buy it without sparing time in searching for help). It is indeed a threat but that’s the only thing about it which is not fake.
Image Source: forbes.com
Can You Avoid this Situation?
Yes. You can be saved from being sawed by Philadelphia ransomware; however, you must keep your computer armed with the best anti ransomware and antimalware. Note that some ransomware might circumvent the best anti ransomware, so the best practice is to become a vigilant user and not click on anything unusual and suspect.
Considering everything, Philadelphia Ransomware can be assumed as a penetrating type of infection. Though it has only targeted the healthcare organizations now but you can be a victim too as the source code of this virus is opened for sale in $400 over the dark web. Any aspiring cyber-criminal may get the code and start hunting for a prey. Keeping your computer immunized and guarded by antimalware and anti-ransomware should help.