Philadelphia (ransomware)

Philadelphia
Malware details
Type: Ransomware
Subtype: Cryptoviral extortion
Classification: Trojan horse
Family: Stampado
Isolation date: 2016
Author: The Rainmaker
Cyberattack event
Date: September 2016
Technical details
Platform: Windows
Written in: AutoIt [1]

"Philadelphia" is a type of encrypting ransomware malware created in 2016. [2] It was originally sold and distributed by the Brazilian hacker group The Rainmaker, [3] [4] but has since circulated on the dark web. Like many forms of ransomware, the malware encrypts computer files and gradually deletes them, demanding a bitcoin ransom to decrypt the files and halt the deletion process.

History

Philadelphia was introduced in September 2016, when it was sold as-a-service by The Rainmaker. [2] Promotion began shortly after its release, using spam campaigns on online forums to encourage sales. [3] According to the National Health Service, following the release the author had sold 38 copies of the malware, each for $389 USD. [5] It was intended to cause harm and generate income through malicious email attachments, compromised websites, macros, Trojanized downloads, and other illegal methods. It activates when users download the software, which then encrypts all local user files. [5] A companion website known as "Philadelphia Headquarters" allows attackers to offer a "mercy" option through the program; if the attacker chooses it, the victim's files are decrypted for free. [6] [7] The malware features many similarities to Stampado, another type of ransomware.

Attackers often target the healthcare industry, purposely sending spear-phishing emails to hospitals. [8] Roland Dela Paz, a cybersecurity professional, stated that the ransomware affected a hospital in Southwest Washington and one in Oregon. [9]

Reception

Journalist Brian Krebs, on his website Krebs on Security, described an advertisement for the malware as "fairly chilling," [10] noting that the ransomware's "mercy" feature revolved around pleas from victims who risked losing irreplaceable personal data. Sophos stated that "kits available on the Dark Web allow the least technically savvy among us to do evil," calling Philadelphia one of the "slickest, most chilling examples."

References

  1. https://www.emsisoft.com/en/ransomware-decryption/philadelphia/
  2. "Philadelphia Ransomware | WatchGuard Technologies". www.watchguard.com. 2023-02-25. Retrieved 2026-01-17.
  3. "The Rainmaker, Philadelphia and Stampado Ransomware Vendor is Expanding his Services". www.clearskysec.com. Retrieved 2026-01-17.
  4. "Ransomware: Now available with slick marketing". ZDNET. Retrieved 2026-01-17.
  5. "Philadelphia ransomware". NHS England Digital. Retrieved 2026-01-17.
  6. "Philadelphia Ransomware Allows Attackers to Offer "Mercy" | Tripwire". www.tripwire.com. Retrieved 2026-01-17.
  7. Abrams, Lawrence. "The Philadelphia Ransomware offers a Mercy Button for Compassionate Criminals". BleepingComputer. Retrieved 2026-01-17.
  8. Paganini, Pierluigi (2017-04-07). "Philadelphia Ransomware, a new threat targets the Healthcare Industry". Security Affairs. Retrieved 2026-01-17.
  9. Seals, Tara (2017-04-12). "Philadelphia Ransomware Sets Sights on Healthcare". Infosecurity Magazine. Retrieved 2026-01-17.
  10. "Ransomware for Dummies: Anyone Can Do It – Krebs on Security". 2017-03-03. Retrieved 2026-01-17.