Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Philadelphia Ransomware, a new threat targets the Healthcare Industry

“Philadelphia” Ransomware Targets Healthcare Industry Security experts from Forcepoint have discovered a new strain of ransomware dubbed Philadelphia that is targeting organizations in the healthcare industry. The Philadelphia ransomware is a variant of the Stampado ransomware, a very cheap malware offered for sale on the Dark Web since June 2016 at just 39 USD for a lifetime license. Last month the popular expert Brian […]

Philadelphia Ransomware, a new threat targets the Healthcare Industry

“Philadelphia” Ransomware Targets Healthcare Industry

Security experts from Forcepoint have discovered a new strain of ransomware dubbed Philadelphia that is targeting organizations in the healthcare industry.

The Philadelphia ransomware is a variant of the Stampado ransomware, a very cheap malware offered for sale on the Dark Web since June 2016 at just 39 USD for a lifetime license.

Last month the popular expert Brian Krebs discovered on YouTube an ad Philadelphia.

According to the researchers, thePhiladelphia ransomware is distributed via spear-phishing emails sent to the hospitals. The messages contain a shortened URL that points to a personal storage site that serves a weaponized DOCX file containing the targeted healthcare organization’s logo.

The file includes three document icons apparently related to patient information, and attempt to trick victims to click on them.

Philadelphia ransomware

If the victims click on the icon, a Javascript is triggered which downloads and executes a variant of the Philadelphia ransomware.

This tactic was already used to infect a hospital from Oregon and Southwest Washington.

“However, it appears that amateur cybercriminals have also started to shift towards this trend in the form of an off-the-shelf ransomware aimed at a healthcare organization in the United States.” reads the analysis published by ForcePoint.

“In this attack, a shortened URL, which we believe was sent through a spear-phishing email, was used as a lure to infect a hospital from Oregon and Southwest Washington. Once a user clicks on the link, the site redirects to a personal storage site to download a malicious DOCX file. This document contains the targeted healthcare organization’s logo and a signature of a medical practitioner from that organization as bait.”

“three document icons pertaining to patient information are present in the file. These icons all point to a malicious JavaScript” “Once the user double-clicks any of the icons, the Javascript is triggered which downloads and executes a variant of the Philadelphia ransomware.”

Philadelphia ransomware

Once the ransomware infected the system it contacts the C&C server and sends various details on the target machine, including operating system, username, country, and system language. The C&C server responds with a generated victim ID, a Bitcoin wallet ID, and the Bitcoin ransom price.

The Philadelphia ransomware used AES-256 to encrypt the files, when the operation is completed it displays a request for 0.3 Bitcoins ransom to the victims.

The analysis of the malicious code revealed a couple of interesting things:

  • the encrypted JavaScript contained a string “hospitalspam” in its directory path.
  • the ransomware C&C also contained “hospital/spam” in its path.

The presence of the words suggests the attackers are specifically targeting hospitals using spear phishing emails.

“Ransomware-as-a-service (RaaS) platforms such as Philadelphia continue to attract would-be cybercriminals to take part in the ransomware business” concluded Forcepoint. “Individually, this may not be a great deal of an attack towards the Healthcare sector. However, this may signify the start of a trend wherein smaller ransomware operators empowered by RaaS platforms will start aiming for this industry, ultimately leading to even bigger and diversified ransomware attacks against the Healthcare sector,”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –Philadelphia ransomware, healthcare)