Security experts from Forcepoint have discovered a new strain of ransomware dubbed Philadelphia that is targeting organizations in the healthcare industry.
Last month the popular expert Brian Krebs discovered on YouTube an ad Philadelphia.
According to the researchers, thePhiladelphia ransomware is distributed via spear-phishing emails sent to the hospitals. The messages contain a shortened URL that points to a personal storage site that serves a weaponized DOCX file containing the targeted healthcare organization’s logo.
The file includes three document icons apparently related to patient information, and attempt to trick victims to click on them.
This tactic was already used to infect a hospital from Oregon and Southwest Washington.
“However, it appears that amateur cybercriminals have also started to shift towards this trend in the form of an off-the-shelf ransomware aimed at a healthcare organization in the United States.” reads the analysis published by ForcePoint.
“In this attack, a shortened URL, which we believe was sent through a spear-phishing email, was used as a lure to infect a hospital from Oregon and Southwest Washington. Once a user clicks on the link, the site redirects to a personal storage site to download a malicious DOCX file. This document contains the targeted healthcare organization’s logo and a signature of a medical practitioner from that organization as bait.”
Once the ransomware infected the system it contacts the C&C server and sends various details on the target machine, including operating system, username, country, and system language. The C&C server responds with a generated victim ID, a Bitcoin wallet ID, and the Bitcoin ransom price.
The Philadelphia ransomware used AES-256 to encrypt the files, when the operation is completed it displays a request for 0.3 Bitcoins ransom to the victims.
The analysis of the malicious code revealed a couple of interesting things:
The presence of the words suggests the attackers are specifically targeting hospitals using spear phishing emails.
“Ransomware-as-a-service (RaaS) platforms such as Philadelphia continue to attract would-be cybercriminals to take part in the ransomware business” concluded Forcepoint. “Individually, this may not be a great deal of an attack towards the Healthcare sector. However, this may signify the start of a trend wherein smaller ransomware operators empowered by RaaS platforms will start aiming for this industry, ultimately leading to even bigger and diversified ransomware attacks against the Healthcare sector,”
(Security Affairs –Philadelphia ransomware, healthcare)