Cylance vs. Philadelphia Ransomware

Background and Timeline

Now that attackers have realized how profitable ransomware is, and enterprises are, unfortunately, often willing to pay rather than wait for an investigation, easy-to-distribute ransomware is growing rapidly.

As Cylance detailed in February 2017, the Satan ransomware-as-a-service (RaaS) offering showed how easily anyone can distribute ransomware and hold individuals and enterprises hostage.

Today, our Threat Guidance team examines Philadelphia ransomware in our Threat Spotlight blog series. Sold by the same author as Stampado, Philadelphia is available online for only $300. For that price, buyers get a payload builder and a server component that communicates with the infected endpoints and issues the unlock. The bar for these RaaS offerings keeps getting lower, turning anyone with enough cash and greed into a criminal “hacker” able to hold an organization hostage for financial gain.

How Is It Delivered? What Does It Do?

Much like other ransomware, Philadelphia can be embedded in weaponized Office documents and delivered via phishing emails, or, more recently, delivered as a link to an attacker-controlled server placed in the email body, so that there is no attachment for email scanning tools to inspect.
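Both lures described above leave traces in the Office Open XML package itself: an embedded macro project appears as a `vbaProject.bin` part, and a document that pulls a remote template or payload carries a relationship with `TargetMode="External"` in one of its `.rels` parts (the `attachedTemplate` relationship in `word/_rels/settings.xml.rels` is the usual spot for a remote-template lure). The following Python triage script is an added example written for this page, not Cylance tooling or anything from the original post. The sample package it inspects is constructed inline, and the `example.invalid` URL is a placeholder, so the script runs offline.

```python
"""Triage an Office Open XML package (docx/xlsx/pptx) for two phishing-lure
indicators: an embedded VBA project and external relationship targets.
Added example for this page; not Cylance code.  The sample document is
constructed in build_sample() so the script runs without any real lure."""
import io
import re
import zipfile

# A relationship whose TargetMode is External points outside the package;
# in a lure it is typically a remote template or a link to a payload host.
_EXTERNAL_REL = re.compile(
    r'<Relationship\b[^>]*\bTargetMode="External"[^>]*>', re.IGNORECASE)
_TARGET = re.compile(r'\bTarget="([^"]*)"', re.IGNORECASE)
# Capture the last path segment of the relationship Type URI, e.g. attachedTemplate.
_RELTYPE = re.compile(r'\bType="[^"]*/([^"/]+)"', re.IGNORECASE)


def triage_ooxml(data: bytes) -> dict:
    """Return indicators found in an OOXML byte string.

    Keys: 'macros' (True when a vbaProject.bin part exists), 'externals'
    (list of (relationship type, target) for every External relationship),
    and 'risky' (True when either indicator fires).
    """
    indicators = {"macros": False, "externals": [], "risky": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not an OOXML package (legacy .doc/.xls binaries are OLE2, not zip);
        # this script deliberately reports nothing rather than guessing.
        return indicators
    with zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                indicators["macros"] = True
            elif lower.endswith(".rels"):
                xml = zf.read(name).decode("utf-8", errors="replace")
                for rel in _EXTERNAL_REL.findall(xml):
                    target = _TARGET.search(rel)
                    rtype = _RELTYPE.search(rel)
                    indicators["externals"].append(
                        (rtype.group(1) if rtype else "?",
                         target.group(1) if target else "?"))
    indicators["risky"] = indicators["macros"] or bool(indicators["externals"])
    return indicators


def build_sample(macro, remote_template=None):
    """Constructed minimal docx-like package for the demo (not a real lure).

    macro: include a placeholder vbaProject.bin part.
    remote_template: URL to wire up as an External attachedTemplate relationship.
    """
    ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">',
            f'<Relationship Id="rId1" Type="{ns}/settings" Target="settings.xml"/>']
    if remote_template:
        rels.append(f'<Relationship Id="rId2" Type="{ns}/attachedTemplate" '
                    f'Target="{remote_template}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
        if macro:
            # Placeholder bytes with an OLE2 header; a real part is an OLE container.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample(False)),
                       ("macro+remote", build_sample(True, "http://example.invalid/t.dotm"))):
        print(label, triage_ooxml(doc))
```

On a mail gateway or in a triage pipeline the same function can be run over every attachment; a document that fires `risky` is worth detonating in a sandbox or stripping before delivery, while a legacy binary `.doc` (OLE2, not zip) needs a separate parser and is deliberately not judged here.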

In a curious twist, both researchers and victims have recently observed attackers planting the malicious payload on servers themselves and detonating it, using delivery methods such as rogue USB drives, either inserted by the attacker or left on the grounds of the target institution for an employee to find. In 70% of cases, employees who found the ‘lost’ USB drive plugged it straight into their laptop to view the contents. This method is especially common against servers and endpoints inside demilitarized zones (DMZ) at healthcare providers, financial institutions, and media companies. Even if employees are (Read more...)

This is a Security Bloggers Network syndicated blog from Cylance Blog authored by The Cylance Team.