Philadelphia Ransomware Sets Sights on Healthcare

The Philadelphia ransomware has begun targeting healthcare organizations, in a targeted campaign likely carried out by amateurs.

According to Forcepoint researcher Roland Dela Paz, the attack uses Philadelphia—an off-the-shelf ransomware—as the payload in a spear-phishing campaign. A shortened URL serves as the lure. Once a user clicks the link, it redirects to a personal storage site that serves a malicious document bearing the targeted healthcare organization's logo and the signature of a medical practitioner from that organization as bait. Three document icons pertaining to patient information are present in the file—and if a user clicks any of them, the ransomware is executed.

The gambit has already been used to infect a hospital from Oregon and Southwest Washington, Dela Paz said.

Philadelphia, believed to be a version of the Stampado malware, is an unsophisticated ransomware-as-a-service (RaaS) kit sold for a few hundred dollars to "anyone who can afford it," Dela Paz notes. As such, it lowers the barrier to entry significantly for bad actors. Independent researcher Brian Krebs even found a mass-market video advertisement for it on YouTube.

“Being inclined to paying ransom to recover patient data, the healthcare sector became a low-hanging fruit for seasoned ransomware operators looking to maximize profit, such as those behind the Locky ransomware,” said Dela Paz, in an analysis. “However, it appears that amateur cyber-criminals have also started to shift towards this trend.”

He pointed out that a teenager was identified as a suspect for operating Philadelphia just last month.

This particular campaign does show savvy, however, given the tailored bait against a specific healthcare organization.

The encrypted JavaScript in the Pacific Northwest attack contained a string “hospitalspam” in its directory path. Likewise, the ransomware C2 also contained “hospital/spam” in its path. This implies the attack was not an isolated case.
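The two path indicators quoted above ("hospitalspam" in the JavaScript download path, "hospital/spam" in the C2 path) are the kind of thing a defender can turn into a proxy-log check. The script below is an added example and is not Forcepoint's or Dela Paz's code; the log format, hostnames (storage.example, c2.example, intranet.example) and IP addresses are constructed for illustration. It normalises each URL path (percent-decoding, case folding) and matches on path segments rather than raw substrings, so a benign path such as /hospital/spam-policy.html does not trigger, while an encoded variant like /Hospital%2FSpam/ still does. It then reports which internal hosts touched both the download path and the C2 path, the sequence the article describes.

```python
"""Flag proxy log entries whose URL path carries the indicators reported for the
Philadelphia healthcare campaign. Example code; log lines and hosts are constructed."""
import re
from typing import Dict, List, Optional, Set
from urllib.parse import unquote, urlparse

# Constructed proxy log: timestamp, client IP, method, URL, HTTP status.
SAMPLE_PROXY_LOG = """\
2017-03-20T10:12:01Z 10.1.4.22 GET http://storage.example/dl/hospitalspam/invoice.js 200
2017-03-20T10:12:09Z 10.1.4.22 POST http://c2.example/hospital/spam/gate.php 200
2017-03-20T10:13:44Z 10.1.4.31 GET http://intranet.example/hospital/spam-policy.html 200
2017-03-20T10:14:02Z 10.1.4.40 GET http://storage.example/dl/Hospital%2FSpam/x.js 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def path_indicator_hit(url: str) -> Optional[str]:
    """Return the matched indicator name, or None.

    Matching is done on decoded, lower-cased path segments: a single segment
    equal to "hospitalspam", or the adjacent segment pair "hospital"/"spam".
    Segment matching avoids substring false positives such as
    /hospital/spam-policy.html while still catching percent-encoded variants.
    """
    path = unquote(urlparse(url).path).lower()
    segments = [s for s in path.split("/") if s]
    for i, seg in enumerate(segments):
        if seg == "hospitalspam":
            return "hospitalspam"
        if seg == "hospital" and i + 1 < len(segments) and segments[i + 1] == "spam":
            return "hospital/spam"
    return None


def scan_proxy_log(text: str) -> List[Dict[str, str]]:
    """Parse each log line and collect entries whose URL path matches an indicator."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        indicator = path_indicator_hit(m["url"])
        if indicator:
            hits.append(
                {"ts": m["ts"], "src": m["src"], "url": m["url"], "indicator": indicator}
            )
    return hits


def sources_with_download_and_c2(hits: List[Dict[str, str]]) -> Set[str]:
    """Clients that touched both the payload path and the C2 path; these are
    the hosts most likely to have actually executed the ransomware."""
    seen: Dict[str, Set[str]] = {}
    for h in hits:
        seen.setdefault(h["src"], set()).add(h["indicator"])
    return {src for src, inds in seen.items() if {"hospitalspam", "hospital/spam"} <= inds}


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} matched {h["indicator"]}: {h["url"]}')
    print("download + C2 from:", sorted(sources_with_download_and_c2(found)))
```

Run against real proxy logs, the segment rule is deliberately narrow: it will miss an operator who renames the directory, but it keeps the alert rate low enough that a hit on both indicators from one client is worth an immediate host triage.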

“Individually, this may not be a great deal of an attack towards the healthcare sector,” Dela Paz said. “However, this may signify the start of a trend wherein smaller ransomware operators empowered by RaaS platforms will start aiming for this industry, ultimately leading to even bigger and diversified ransomware attacks.”

A public decrypter is available to those who have been infected by Philadelphia.