Threat Spotlight: Philadelphia Ransomware

Introduction

Malware authors have found it increasingly profitable to build and sell frameworks that let anyone create ransomware. With an estimated 752% increase in new ransomware families in 2016, both Ransomware-as-a-Service (RaaS) models such as Satan and one-time license models such as Philadelphia make it trivial for anyone with enough money and no coding experience at all to create and distribute ransomware indiscriminately. In a recent blog post, Forcepoint examined a Philadelphia sample used in a spearphishing attack on a hospital in the Pacific Northwest, although it is unclear at the time of writing whether that attack succeeded.

The emerging threat is clear: criminals with no programming knowledge can now target any organization or individual with minimal effort. And what better way to maximize the payout than to target industries where lives depend directly on network-connected devices that can be held for ransom?

Philadelphia is one of the latest in a rash of do-it-yourself ransomware frameworks to become available recently. The Threat Guidance Team located a copy of the builder for this threat on the dark web and took a closer look at what sets this ransomware apart.

Philadelphia Ransomware Origins

At the time of writing, the Philadelphia builder is for sale by the author of the Stampado ransomware for $300.00 for a lifetime license.

Figure 1. Philadelphia Builder Advertisement

The builder generates obfuscated AutoIt payloads that can optionally be packed with a built-in UPX packer. AutoIt is a scripting language popular among sysadmins for legitimate administrative tooling because it is easy to use and can be compiled into standalone executables.
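As an added example (this is not code from the Cylance post, the Forcepoint post, or the Philadelphia builder), the following Python triage script checks a PE image for the two traits just described: the UPX0/UPX1 section names UPX leaves in the section table, and the AU3!EA06 marker that compiled AutoIt v3 scripts embed. The `build_fake_pe` helper constructs a minimal synthetic PE purely so the script runs offline; no real sample is used, and the verdict strings are this example's own wording.

```python
"""Static triage for UPX-packed, compiled-AutoIt executables.

Added example, not Cylance's or the builder's code. Signatures relied on:
  - UPX names the sections it creates UPX0/UPX1 (UPX2 in some builds).
  - Compiled AutoIt v3 scripts carry the marker "AU3!EA06" in the binary.
Caveat: UPX compresses the original image, so the AutoIt marker is only
visible after unpacking, and an operator can rename UPX's section names.
"""
import struct

AUTOIT_MARKER = b"AU3!EA06"                 # marker in compiled AutoIt v3 scripts
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}  # section names left by stock UPX


def pe_section_names(data: bytes) -> list:
    """Parse the PE section table and return each 8-byte name, NUL-stripped."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt             # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                 # IMAGE_SECTION_HEADER is 40 bytes
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def triage(data: bytes) -> dict:
    """Report the section names plus the two indicators described in the post."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_packed": any(n in UPX_SECTIONS for n in names),
        "autoit_marker": AUTOIT_MARKER in data,
    }


def verdict(data: bytes) -> str:
    """One-line triage verdict; wording is this example's, not a vendor label."""
    t = triage(data)
    if t["autoit_marker"]:
        return "compiled AutoIt script" + (", UPX sections present" if t["upx_packed"] else "")
    if t["upx_packed"]:
        return "UPX-packed, AutoIt marker hidden by compression: run `upx -d` and re-check"
    return "no AutoIt/UPX indicators"


def build_fake_pe(section_names, payload: bytes) -> bytes:
    """Construct a minimal, non-executable PE image for testing (not a real sample)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table + payload


if __name__ == "__main__":
    # Constructed images: one mimicking a UPX-packed payload, one an unpacked AutoIt binary.
    packed = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], b"\0" * 64)
    unpacked = build_fake_pe([b".text", b".rdata", b".rsrc"], b"..." + AUTOIT_MARKER + b"...")
    for label, image in (("packed", packed), ("unpacked", unpacked)):
        print(f"{label}: {verdict(image)}")
```

Because stock UPX keeps its section names, the packed case is caught even though the AutoIt marker is compressed away; a sample whose sections were renamed would fall through to "no indicators", so treat this as a first-pass filter rather than a detector.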

One feature that sets Philadelphia apart is its use of PHP bridges to administer infected machines. From the author's website:

“It’s (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog