What is Philadelphia Ransomware?
A new form of ransomware called Philadelphia has recently been threatening hospitals, health systems, and other businesses. Philadelphia is particularly interesting for its marketing and business model, dubbed Ransomware-as-a-Service by Sophos.
Ransomware is malicious software that locks users out or encrypts files so that they are inaccessible until the victim pays a ransom and receives a decryption key. It typically targets individuals and small-to-medium-sized businesses, but Philadelphia and others are increasingly targeting hospitals and health systems.
Philadelphia rides in on email
Philadelphia is a new ransomware variant that was first detected in September 2016. Philadelphia (the name is just a brand name, with no connection to the city) is a customizable piece of software that can be purchased online (on the Dark Web), and has been used to attack hospitals in Oregon and Washington State.
A variant of an earlier ransomware, Stampado, Philadelphia infects a hospital system via a seemingly legitimate email from another employee. The email contains a link that downloads the malicious code. The software then locks files and sends a ransom note. It can randomly delete files to raise the cost of delay.
The creators of Philadelphia are not the ones who use it to extort money from hospitals, and it’s the way they find buyers of their product that makes this piece of ransomware interesting.
A new marketing model: Ransomware-as-a-Service
Just when you thought the “XaaS” formulation (“anything as a service”) had gone as far as it could, you get RaaS. Philadelphia is really a ransomware kit, sold by an organization that calls itself The Rainmakers Labs for $400, a premium price in a market where most such kits sell for under $200 and often for as little as $39.
The Rainmakers Labs looks pretty much like any other software company. It has a website and has developed a promotional video to sell this product. The Philadelphia software comes with instructions for customization, a detailed Help guide, and special features, such as a Google Maps interface to geographically identify potential targets. The vendor also promises lifetime access and regular software updates.
To find customers, The Rainmakers Labs advertises the product on forums and websites where cybercriminals exchange information, as well as running a spam campaign on the Jabber messaging platform.
And, just like legitimate software vendors, they are the victims of software pirates who sell knockoff versions of Philadelphia in forums similar to the ones the company uses.
The Dark Web
The term “Dark Web” sounds more dramatic than it turns out to be. Dark Web sites use the anonymity software Tor, or a similar tool, I2P, to conceal the IP addresses of the servers that run them. Despite the name, they are publicly visible, but who hosts them, and where, is hidden. Thus, The Rainmakers Labs can have a website to promote its products while remaining anonymous.
Health care: a new market segment for ransomware
Businesses vary in how valuable a target they are to ransomware operators, and, lately, hospitals and healthcare organizations have been seeing more than their share of attacks. There are several reasons for this.
Ransomware works by shutting off access to data. Hospitals now rely on their patient data to get their job done. That data involves crucial, time-sensitive information related to patient care. Delays in getting access to that data can put lives at stake. Hospitals are under pressure to regain access.
They have also made themselves vulnerable to attacks.
Philadelphia initially entered computer systems via links that were clicked in spear phishing emails sent to individuals at hospitals.
Spear phishing means the attacker impersonates someone the target knows, or uses other references to appear to come from a known source. Standard email filtering and antivirus software are ineffective against this type of attack.
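The article describes the lure as a message that seems to come from a co-worker. Because signature-based filtering does not catch that, defenders often add header-level impersonation heuristics. The following is an added example, not code from the article or from any vendor: it flags a message whose display name matches a staff directory entry while the address is external, whose Reply-To points to a different domain than From, or which presents itself as internal while linking to an outside host. The domains, the staff directory and both sample messages are constructed for the example.

```python
"""Heuristic triage of an inbound message for sender impersonation.

Added illustration of the spear-phishing pattern the article describes.
All domains, the staff directory and the two sample messages below are
constructed for this example; they are not artefacts from any real incident.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: the organisation's own mail domain and a tiny staff directory
INTERNAL_DOMAINS = {"hospital.example"}
STAFF_DIRECTORY = {
    "jane doe": "jane.doe@hospital.example",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _is_internal_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def impersonation_flags(raw_message: str) -> list:
    """Return the reasons a message looks like sender impersonation.

    An empty list means none of the heuristics fired; it does not prove the
    message is safe, so it should feed a review queue rather than auto-allow.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display name belongs to a staff member but the address is not theirs.
    known = STAFF_DIRECTORY.get(display_name.strip().lower())
    if known and from_addr.lower() != known:
        flags.append("display-name matches staff member but address differs")

    # 2. Replies are steered to a domain other than the apparent sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        flags.append("Reply-To domain differs from From domain")

    # 3. A message presented as internal links to an external host.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if known or from_domain in INTERNAL_DOMAINS:
        for url in URL_RE.findall(text):
            host = (urlparse(url).hostname or "").lower()
            if host and not _is_internal_host(host):
                flags.append(f"link to external host {host} in an internal-looking message")
                break

    return flags


# Constructed sample: a lookalike sender using a staff member's name
SPOOFED = (
    "From: Jane Doe <jane.doe@mail-hospital-notices.example>\n"
    "Reply-To: billing@reply-drop.example\n"
    "To: staff@hospital.example\n"
    "Subject: Updated on-call schedule\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Please review the new schedule: http://schedule.mail-hospital-notices.example/view\n"
)

# Constructed sample: the genuine staff member linking to the intranet
LEGIT = (
    "From: Jane Doe <jane.doe@hospital.example>\n"
    "To: staff@hospital.example\n"
    "Subject: Updated on-call schedule\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Please review the new schedule: https://intranet.hospital.example/schedule\n"
)

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, impersonation_flags(sample))
```

The heuristics are deliberately cheap so they can run at the mail gateway on every message; a hit should route the message to a quarantine or a human review queue rather than silently drop it, since genuine staff do occasionally write from personal addresses.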
Healthcare, distributed across many offices and departments, busy, with complex systems, and with many urgent demands, has a lot of exposure to phishing and spear phishing attacks. Hospitals have also been lagging in cybersecurity training, no surprise given the amount of other information their employees handle daily.
However, it's not just hospitals that skimp on proper cybersecurity: businesses in various industries, big or small, fail to make cybersecurity best practices a priority. SMBs are often a target because they can lack the time and resources to devote to their ransomware defenses and response plan.
Businesses need to change their practices
Philadelphia is straightforward to recover from, so attackers may not realize the profits they anticipated. But new variants will inevitably appear.
Most ransomware infections come via phishing emails. As mentioned above, hospitals and SMBs are unusually easy targets for such infections. While behavioral change is difficult, infections will continue to occur until employees stop clicking on links and attachments without first confirming where they came from.