Philadelphia Ransomware
Posted: September 9, 2016
Threat Metric
The following fields listed on the Threat Meter, each containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. The criterion for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 3,003 |
| First Seen: | September 9, 2016 |
| Last Seen: | December 3, 2020 |
| OS(es) Affected: | Windows |
The Philadelphia Ransomware is an update of the Stampado Ransomware and, like that threat, it encrypts your files so that it can bargain for their restoration after you pay a ransom. Different builds of the Philadelphia Ransomware may target different types of data or install themselves through differing methods, although malware experts did verify the use of e-mail spam in the initial waves. Ideal recovery from this threat consists of deleting the Philadelphia Ransomware with your favored anti-malware product and restoring your files from a remote, non-encrypted backup.
It's Always Raining Trojans in the Philadelphia
The tension between the PC security industry and threat authors trying to profit off of various vulnerabilities can be said to be at its most visible after the release of an update or variant of an old, previously cracked Trojan. When researchers at Emsisoft found weaknesses that allowed them to develop free decryption solutions for the Stampado Ransomware, its author responded by inserting insults into the code of the Trojan's next update. Now, he's providing a brand new Trojan to any fellow con artists willing to pay the four hundred USD fee: Philadelphia Ransomware, the successor to Stampado Ransomware.
The Philadelphia Ransomware is in the wild, with its author claiming to have compromised twenty thousand separate PCs in the first day. Its infection vector uses e-mail attachments disguised as payment warnings from the Brazilian Ministry of Finance. Opening the 'document' redirects the victim to a Java-based application that installs the Philadelphia Ransomware.
A third-party threat actor controls some of the details of the Philadelphia Ransomware's configuration via the 'Philadelphia Headquarters' utility. Current versions of the Philadelphia Ransomware include removable devices and network-based drives in their sweep for files to encrypt. Currently, malware experts confirm that it targets thirty-three formats, including DOC, JPG, PPT, RAR, TXT, and ZIP. The Trojan also includes a hefty assortment of other, optional features, which may vary on a build-to-build basis (such as compromising other PCs over networks, deleting files via a 'Russian roulette' feature, or decrypting content automatically).
Sending the Trojan from Philly Back Home Penniless
Two of the Philadelphia Ransomware's most unorthodox features include its bridge-based communications infrastructure, which leverages PHP script-based distributed networks, and its 'give mercy' button that lets a con artist decrypt the victim's files without charging a ransom. However, in the Rainmaker's haste to innovate with his new product, he also introduced vulnerabilities into the Philadelphia Ransomware campaign that could help the PC sector's tracking of its activities. Early research into the possibility of cracking the Philadelphia Ransomware's encryption algorithm and creating a free decryptor also is favorable.
PC users in possession of valuable files should avoid depending on the generosity of con artists for recovering that content. Using backups on a secure cloud server or device left detached from the infected system can offer means of data restoration without needing to decrypt anything. Victims also can wait for the PC security sector to create a free decryption tool.
The Philadelphia Ransomware may block an infected PC's desktop with its ransom message. Use standard anti-malware strategies and software, such as booting into Safe Mode and then scanning your PC, to uninstall the Philadelphia Ransomware. Although the Rainmaker intends the Philadelphia Ransomware to be the next 'big thing' in his threat business, all initial signs point to its being shut down by a combination of good security practices and the active efforts of the security community.
Technical Details
File System Modifications
The following files were created in the system:

%APPDATA%\Isass.exe
File name: Isass.exe
Size: 1.02 MB (1029120 bytes)
MD5: 129854e541ab32b998abeb87dd25a645
Detection count: 2,644
Mime Type: unknown/exe
Path: %APPDATA%
Group: Malware file
Last Updated: August 1, 2017

%APPDATA%\Isass.exe
File name: Isass.exe
Size: 551.93 KB (551936 bytes)
MD5: 94910a42606413fdeb9b44346b5741c0
Detection count: 204
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%
Group: Malware file
Last Updated: August 8, 2019

%APPDATA%\Isass.exe
File name: Isass.exe
Size: 828.79 KB (828799 bytes)
MD5: ce4752100c2f9adb14e6603dffeb203a
Detection count: 68
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%
Group: Malware file
Last Updated: June 13, 2017

file.exe
File name: file.exe
Size: 115.84 KB (115846 bytes)
MD5: 33473f907c07244158560c052a930634
Detection count: 20
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 3, 2017

%APPDATA%\Isass.exe
File name: Isass.exe
Size: 605.37 KB (605373 bytes)
MD5: 741ed2478baaa8fd28d626bbaf7b5156
Detection count: 19
Mime Type: unknown/exe
Path: %APPDATA%
Group: Malware file
Last Updated: August 1, 2017
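As an added defensive example (not code from the original page or from any vendor's tool), the following Python sweeps a directory for the MD5 hashes listed above and flags files whose name imitates lsass.exe outside System32, since the dropped Isass.exe uses a capital I where the legitimate process name has a lowercase l. The function names, the homoglyph set and the reason strings are assumptions.

```python
import hashlib
import os

# MD5 hashes of the Isass.exe / file.exe samples listed in this page's Technical Details.
PHILADELPHIA_MD5S = {
    "129854e541ab32b998abeb87dd25a645",
    "94910a42606413fdeb9b44346b5741c0",
    "ce4752100c2f9adb14e6603dffeb203a",
    "33473f907c07244158560c052a930634",
    "741ed2478baaa8fd28d626bbaf7b5156",
}

# Assumed set of characters an attacker may substitute for a lowercase "l".
_L_LOOKALIKES = str.maketrans({"I": "l", "1": "l", "|": "l"})


def md5_of_file(path):
    """Return the lowercase hex MD5 of a file, read in 1 MiB chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_lsass_impostor(path):
    """True when the file name reads as lsass.exe after homoglyph folding
    but the file is not in a System32 directory, where the real one lives."""
    parts = path.replace("\\", "/").rstrip("/").split("/")
    name = parts[-1].translate(_L_LOOKALIKES).lower()
    parent = parts[-2].lower() if len(parts) > 1 else ""
    return name == "lsass.exe" and parent != "system32"


def scan_for_iocs(root, known_md5s=PHILADELPHIA_MD5S):
    """Walk root and return (path, reason) pairs for every finding."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = []
            if is_lsass_impostor(full):
                reasons.append("lsass.exe lookalike outside System32")
            try:
                if md5_of_file(full) in known_md5s:
                    reasons.append("MD5 matches a listed sample hash")
            except OSError:
                pass  # unreadable file: keep any name-based finding, continue sweep
            hits.extend((full, reason) for reason in reasons)
    return hits


if __name__ == "__main__":
    # Default target is the %APPDATA% drop location named on the page (Windows).
    for path, why in scan_for_iocs(os.environ.get("APPDATA", ".")):
        print(f"{why}: {path}")
```

A hash match only catches the exact builds listed here; the name-and-location check is what survives a rebuild, so treat it as the higher-value signal.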