Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

“Philadelphia” Ransomware Targets Healthcare Industry

A newly observed ransomware family is being used in attacks against organizations in the healthcare industry, Forcepoint security researchers reveal.

A newly observed ransomware family is being used in attacks against organizations in the healthcare industry, Forcepoint security researchers reveal.

Dubbed Philadelphia, the malware is a variant of the Stampado malware that emerged last year as one of the cheapest ransomware families available for would-be cybercriminals. It was being offered at only $39 for a lifetime license, much less than what other threats sold via the ransomware-as-a-service (RaaS) business model cost. An ad for Philadelphia was spotted last month on YouTube.

The Philadelphia ransomware, Forcepoint says, appears to be distributed via spear-phishing emails that contain a shortened URL, and has been already used to infect a hospital from Oregon and Southwest Washington. The link redirects to a personal storage site that serves a malicious DOCX file containing the targeted healthcare organization’s logo to give it an increased sense of legitimacy.

The file includes three document icons allegedly pertaining to patient information, and the intended victim is encouraged to click on any of them. However, once that happens, a malicious JavaScript is triggered to download and execute the Philadelphia ransomware.

After installation, the malware communicates to its command and control (C&C) server to check in. It sends various details on the infected system, including operating system, username, country, and system language, and the C&C responds with a generated victim ID, a Bitcoin wallet ID, and the Bitcoin ransom price.

Next, the malware starts encrypting user files using AES-256 encryption. Once the process has been completed, the ransomware displays a window informing users that their files have been encrypted and urging them to pay 0.3 Bitcoins to a specific address.

Advertisement. Scroll to continue reading.

According to Forcepoint, not only did the cybercriminals use a tailored bait targeting a specific healthcare organization in their attack, but the encrypted JavaScript they used contained the string “hospitalspam” in its directory path. Moreover, the C&C server also contained “hospital/spam” in its path.

This would suggest that the actor is specifically targeting hospitals using spear phishing emails for distribution, the researchers say. The campaign supposedly started in the third week of March.

“Individually, this may not be a great deal of an attack towards the Healthcare sector. However, this may signify the start of a trend wherein smaller ransomware operators empowered by RaaS platforms will start aiming for this industry, ultimately leading to even bigger and diversified ransomware attacks against the Healthcare sector,” Forcepoint concludes.

Related: These Were the Top Threats Targeting Healthcare Firms in Q4 2016

Related: Lifetime License for Stampado Ransomware: $39

Related: When Ransomware Hits Healthcare: To Pay or Not to Pay?

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.