Philadelphia Ransomware Used in Targeted Attacks on US Hospitals

Cybercriminals are conducting targeted attacks on U.S. healthcare organizations using Philadelphia ransomware, a relatively new ransomware variant developed from Stampado ransomware.

Philadelphia ransomware was first seen in September 2016. A new campaign has recently been detected in which two U.S. hospitals have already had sensitive files encrypted.

The actors behind the latest attacks are targeting physicians using spear phishing emails. Information about targets can be easily found on social media accounts with a little research. Information is gathered on an organization and campaigns are crafted to maximize the chance of infection. In this case, the attackers use logos and names of physicians who work at the targeted hospital to add credibility to documents and increase the probability of infection.

The spear phishing emails contain a shortened hyperlink which, if clicked, triggers the download of a Word document. The document contains icons which appear to link to patient health information; however, double-clicking any of the icons results in JavaScript code being run, which downloads the ransomware.
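As an added example (not from the article or from Forcepoint), a mail or web gateway could flag Word documents whose embedded objects carry script files before they reach a physician's inbox. It assumes the document is OOXML (.docx) and that the icons are stored as embedded object parts under `word/embeddings/`, which the article does not state; the function names and the sample file name are hypothetical.

```python
import io
import re
import zipfile

# File names ending in script types that Windows runs on double-click.
# Heuristic: embedded object parts usually store the original file name
# as a NUL-terminated ASCII string, so a raw byte search finds it.
SCRIPT_NAME = re.compile(rb"([\w .\-]{1,64}\.(?:js|jse|vbs|vbe|wsf|hta))\x00", re.I)
MAX_PART_SIZE = 20 * 1024 * 1024  # refuse to inflate oversized parts


def find_embedded_scripts(docx_bytes):
    """Return sorted (zip part, embedded file name) pairs for script payloads."""
    buf = io.BytesIO(docx_bytes)
    if not zipfile.is_zipfile(buf):
        raise ValueError("not an OOXML (zip) document")
    hits = set()
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            if not info.filename.lower().startswith("word/embeddings/"):
                continue
            if info.file_size > MAX_PART_SIZE:
                hits.add((info.filename, "<oversized part, not scanned>"))
                continue
            data = zf.read(info)
            for match in SCRIPT_NAME.finditer(data):
                name = match.group(1).decode("ascii").strip()
                hits.add((info.filename, name))
    return sorted(hits)


def build_sample(with_script):
    """Constructed test document; the .bin is a stand-in, not a real OLE file."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_script:
            # Constructed bytes: file name, then source path, NUL-terminated.
            blob = b"\x02\x00patient_record.js\x00C:\\tmp\\patient_record.js\x00"
            zf.writestr("word/embeddings/oleObject1.bin", blob)
    return out.getvalue()


if __name__ == "__main__":
    for part, name in find_embedded_scripts(build_sample(True)):
        print(f"quarantine: {part} embeds script {name}")
```

A hit is a reason to quarantine the attachment for review; an empty result does not clear a document, since the byte search is only a heuristic.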

The ransomware encrypts a wide range of file types using AES-256 encryption, and victims are warned that failure to pay promptly will see files deleted at a rate of 10 an hour. A countdown clock is activated when the ransom note is accessed. Victims are also instructed not to turn off their computer, otherwise the decryption key will be permanently deleted. Victims are required to make a payment of 0.3 Bitcoin for each infected machine.

A public decryptor has been developed to unlock files encrypted by Philadelphia ransomware. The decryptor is available through Emsisoft and downloadable via Softpedia. Fast action is needed regardless of which option is taken. The ransomware will randomly delete files after an hour has elapsed. If a backup does not exist, deleted files will be permanently lost even if a ransom is paid.

The latest campaign was detected by researchers at Forcepoint, who noted they discovered a reference to hospitalspam in the JavaScript and a folder called hospitalspam on the ransomware C2, indicating the attacks were part of a broader campaign.

Forcepoint notes that this campaign is likely to be run by an affiliate rather than the ransomware author. Philadelphia ransomware is being offered under a ransomware-as-a-service model. Anyone willing to pay the author a sum of $400 can rent out the ransomware and conduct their own campaigns. The ransomware can also be easily customized to suit the user’s requirements. The author has even created a video showing how easy it is to use the ransomware and conduct attacks. Little technical skill is required.

These RaaS kits allow many actors to conduct attacks and a number of ransomware authors have started offering their malicious software under such an affiliate model. With more individuals able to conduct attacks, ransomware infections are likely to increase.

Organizations should therefore ensure that they have viable backups of all sensitive data and are able to rapidly implement a ransomware response plan.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of