The Philadelphia ransomware has begun targeting healthcare organizations, in a targeted campaign likely carried out by amateurs.
According to Forcepoint researcher Roland Dela Paz, the attack involves using Philadelphia—an off-the-shelf ransomware—as the payload in a spear-phishing campaign. A shortened URL is used as a lure. Once a user clicks on the link, the site redirects to a personal storage site to download a malicious document that contains the targeted healthcare organization's logo and a signature of a medical practitioner from that organization as bait. Three document icons pertaining to patient information are present in the file—and if a user clicks any of them, the ransomware is executed.
The gambit has already been used to infect a hospital from Oregon and Southwest Washington, Dela Paz said.
Philadelphia, believed to be a version of the Stampado malware, is an unsophisticated ransomware-as-a-service (RaaS) kit sold for a few hundred dollars to "anyone who can afford it," Dela Paz notes. As such, it lowers the barrier to entry significantly for bad actors. Independent researcher Brian Krebs even found a mass-market video advertisement for it on YouTube.
“Being inclined to paying ransom to recover patient data, the healthcare sector became a low-hanging fruit for seasoned ransomware operators looking to maximize profit, such as those behind the Locky ransomware,” said Dela Paz, in an analysis. “However, it appears that amateur cyber-criminals have also started to shift towards this trend.”
He pointed out that a teenager was identified as a suspect for operating Philadelphia just last month.
This particular campaign does show savvy, however, given the tailored bait against a specific healthcare organization.
The encrypted JavaScript in the Pacific Northwest attack contained a string “hospitalspam” in its directory path. Likewise, the ransomware C2 also contained “hospital/spam” in its path. This implies the attack was not an isolated case.
“Individually, this may not be a great deal of an attack towards the healthcare sector,” Dela Paz said. “However, this may signify the start of a trend wherein smaller ransomware operators empowered by RaaS platforms will start aiming for this industry, ultimately leading to even bigger and diversified ransomware attacks.”
A public decrypter is available to those who have been infected by Philadelphia.