Philadelphia Ransomware, a new threat targets the Healthcare Industry

“Philadelphia” Ransomware Targets Healthcare Industry

Security experts from Forcepoint have discovered a new strain of ransomware dubbed Philadelphia that is targeting organizations in the healthcare industry.

The Philadelphia ransomware is a variant of the Stampado ransomware, a very cheap malware offered for sale on the Dark Web since June 2016 at just 39 USD for a lifetime license.

Last month the popular expert Brian Krebs discovered on YouTube an ad Philadelphia.

According to the researchers, thePhiladelphia ransomware is distributed via spear-phishing emails sent to the hospitals. The messages contain a shortened URL that points to a personal storage site that serves a weaponized DOCX file containing the targeted healthcare organization’s logo.

The file includes three document icons apparently related to patient information, and attempt to trick victims to click on them.

If the victims click on the icon, a Javascript is triggered which downloads and executes a variant of the Philadelphia ransomware.

This tactic was already used to infect a hospital from Oregon and Southwest Washington.

“However, it appears that amateur cybercriminals have also started to shift towards this trend in the form of an off-the-shelf ransomware aimed at a healthcare organization in the United States.” reads the analysis published by ForcePoint.

“In this attack, a shortened URL, which we believe was sent through a spear-phishing email, was used as a lure to infect a hospital from Oregon and Southwest Washington. Once a user clicks on the link, the site redirects to a personal storage site to download a malicious DOCX file. This document contains the targeted healthcare organization’s logo and a signature of a medical practitioner from that organization as bait.”

“three document icons pertaining to patient information are present in the file. These icons all point to a malicious JavaScript” “Once the user double-clicks any of the icons, the Javascript is triggered which downloads and executes a variant of the Philadelphia ransomware.”

Once the ransomware infected the system it contacts the C&C server and sends various details on the target machine, including operating system, username, country, and system language. The C&C server responds with a generated victim ID, a Bitcoin wallet ID, and the Bitcoin ransom price.

The Philadelphia ransomware used AES-256 to encrypt the files, when the operation is completed it displays a request for 0.3 Bitcoins ransom to the victims.

The analysis of the malicious code revealed a couple of interesting things:

• the encrypted JavaScript contained a string “hospitalspam” in its directory path.
• the ransomware C&C also contained “hospital/spam” in its path.

The presence of the words suggests the attackers are specifically targeting hospitals using spear phishing emails.

“Ransomware-as-a-service (RaaS) platforms such as Philadelphia continue to attract would-be cybercriminals to take part in the ransomware business” concluded Forcepoint. “Individually, this may not be a great deal of an attack towards the Healthcare sector. However, this may signify the start of a trend wherein smaller ransomware operators empowered by RaaS platforms will start aiming for this industry, ultimately leading to even bigger and diversified ransomware attacks against the Healthcare sector,”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –Philadelphia ransomware, healthcare)