SecurityWeek

Malware & Threats

“Philadelphia” Ransomware Targets Healthcare Industry

A newly observed ransomware family is being used in attacks against organizations in the healthcare industry, Forcepoint security researchers reveal.

Dubbed Philadelphia, the malware is a variant of the Stampado malware that emerged last year as one of the cheapest ransomware families available for would-be cybercriminals. It was being offered at only $39 for a lifetime license, much less than what other threats sold via the ransomware-as-a-service (RaaS) business model cost. An ad for Philadelphia was spotted last month on YouTube.

The Philadelphia ransomware, Forcepoint says, appears to be distributed via spear-phishing emails that contain a shortened URL, and has already been used to infect a hospital in Oregon and Southwest Washington. The link redirects to a personal storage site that serves a malicious DOCX file containing the targeted healthcare organization’s logo to give it an increased sense of legitimacy.

The file includes three document icons allegedly pertaining to patient information, and the intended victim is encouraged to click on any of them. However, once that happens, a malicious JavaScript is triggered to download and execute the Philadelphia ransomware.

After installation, the malware communicates with its command and control (C&C) server to check in. It sends various details on the infected system, including operating system, username, country, and system language, and the C&C responds with a generated victim ID, a Bitcoin wallet ID, and the Bitcoin ransom price.

Next, the malware starts encrypting user files using AES-256 encryption. Once the process has been completed, the ransomware displays a window informing users that their files have been encrypted and urging them to pay 0.3 Bitcoins to a specific address.

According to Forcepoint, not only did the cybercriminals use a tailored bait targeting a specific healthcare organization in their attack, but the encrypted JavaScript they used contained the string “hospitalspam” in its directory path. Moreover, the C&C server also contained “hospital/spam” in its path.

This would suggest that the actor is specifically targeting hospitals using spear phishing emails for distribution, the researchers say. The campaign supposedly started in the third week of March.
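As an added defender-side example (not from the article or from Forcepoint), the script below triages constructed proxy records for the chain described above: a shortened-URL click, a DOCX fetched from a personal storage host, and an outbound request whose path carries the “hospital/spam” or “hospitalspam” indicator. The record format, the shortener and storage host lists, and the check-in parameter names are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Indicators named in the Forcepoint write-up: "hospitalspam" in the script's
# directory path and "hospital/spam" in the C&C server path.
PATH_INDICATORS = ("hospitalspam", "hospital/spam")
# Assumed watch-lists (placeholders, not from the article): URL shorteners and
# personal storage hosts an organisation would want to keep an eye on.
SHORTENER_HOSTS = {"short.example"}
STORAGE_HOSTS = {"storage.example"}

# Constructed sample proxy records in the form "<client> <method> <url>".
# The check-in query parameter names are assumed, not taken from the article.
SAMPLE_LOGS = [
    "ws-12 GET http://short.example/x9k2",
    "ws-12 GET https://storage.example/u/files/Patient_Info.docx",
    "ws-12 GET http://192.0.2.10/hospital/spam/gate.php?os=win7&user=jdoe&cc=US&lang=en",
    "ws-07 GET https://intranet.example/hospital/news.html",
    "ws-07 GET https://storage.example/u/files/Budget.docx",
]

def classify(url):
    """Map one URL to a stage of the described chain, or None if it matches nothing."""
    u = urlparse(url)
    host = u.hostname or ""
    path = u.path.lower()
    if any(ind in path for ind in PATH_INDICATORS):
        return "c2_checkin"          # outbound request to the C&C path
    if host in SHORTENER_HOSTS:
        return "shortened_url"       # the lure link from the phishing email
    if host in STORAGE_HOSTS and path.endswith(".docx"):
        return "docx_from_storage"   # the lure document
    return None

def triage(lines):
    """Collect stages per client and return {client: verdict} for clients worth a look."""
    stages = defaultdict(set)
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue                 # malformed record, skip it
        client, _method, url = parts
        stage = classify(url)
        if stage:
            stages[client].add(stage)
    verdicts = {}
    for client, seen in stages.items():
        if "c2_checkin" in seen:
            verdicts[client] = "high"       # the C&C path indicator is specific
        elif {"shortened_url", "docx_from_storage"} <= seen:
            verdicts[client] = "medium"     # lure chain without a confirmed check-in
    return verdicts

if __name__ == "__main__":
    print(triage(SAMPLE_LOGS))     # {'ws-12': 'high'}
```

Note that ws-07 is not flagged: a single DOCX download and an intranet path that merely contains “hospital/” do not match the chain, which keeps the generic parts of the indicator from producing noise on their own.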


“Individually, this may not be a great deal of an attack towards the Healthcare sector. However, this may signify the start of a trend wherein smaller ransomware operators empowered by RaaS platforms will start aiming for this industry, ultimately leading to even bigger and diversified ransomware attacks against the Healthcare sector,” Forcepoint concludes.

Related: These Were the Top Threats Targeting Healthcare Firms in Q4 2016

Related: Lifetime License for Stampado Ransomware: $39

Related: When Ransomware Hits Healthcare: To Pay or Not to Pay?

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
