Cybercriminals are conducting targeted attacks on U.S. healthcare organizations using Philadelphia ransomware, a relatively new ransomware variant developed from Stampado ransomware.
Philadelphia ransomware was first seen in September 2016, although a new campaign has recently been detected that has already resulted in two U.S. hospitals having sensitive files encrypted.
The actors behind the latest attacks are targeting physicians using spear phishing emails. Information about targets can easily be found on social media accounts with a little research. Information is gathered on an organization, and campaigns are crafted to maximize the chance of infection. In this case, the attackers use the logos and names of physicians who work at the targeted hospital to add credibility to the documents and increase the probability of infection.
The ransomware encrypts a wide range of file types using AES-256 encryption, and victims are warned that failure to pay promptly will result in files being deleted at a rate of 10 per hour. A countdown clock is activated when the ransom note is accessed. Victims are also instructed not to turn off their computer, otherwise the decryption key will be permanently deleted. Victims are required to make a payment of 0.3 Bitcoin for each infected machine.
A public decryptor has been developed to recover files encrypted by Philadelphia ransomware. The decryptor is available through Emsisoft and downloadable via Softpedia. Fast action is needed whether the decryptor is used or the ransom is paid. The ransomware will randomly delete files after an hour has elapsed. If a backup does not exist, deleted files will be permanently lost even if the ransom is paid.
Forcepoint notes that this campaign is likely to be run by an affiliate rather than the ransomware author. Philadelphia ransomware is being offered under a ransomware-as-a-service (RaaS) model. Anyone willing to pay the author a sum of $400 can rent the ransomware and conduct their own campaigns. The ransomware can also be easily customized to suit the user’s requirements. The author has even created a video showing how easy it is to use the ransomware and conduct attacks. Little technical skill is required.
These RaaS kits allow many actors to conduct attacks and a number of ransomware authors have started offering their malicious software under such an affiliate model. With more individuals able to conduct attacks, ransomware infections are likely to increase.
Organizations should therefore ensure that they have viable backups of all sensitive data and are able to rapidly implement a ransomware response plan.