
Philadelphia Ransomware

Posted: September 9, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 3,003
First Seen: September 9, 2016
Last Seen: December 3, 2020
OS(es) Affected: Windows

The Philadelphia Ransomware is an update of the Stampado Ransomware and, like that threat, encrypts your files so that it can bargain for their restoration after you pay a ransom. Different builds of the Philadelphia Ransomware may target different types of data or install themselves through different methods, although malware experts did verify the use of e-mail spam in the initial waves. The ideal recovery scenario for this threat is deleting the Philadelphia Ransomware with your favored anti-malware product and restoring your files from a remote, non-encrypted backup.

It's Always Raining Trojans in the Philadelphia

The tension between the PC security industry and threat authors trying to profit from various vulnerabilities is at its most visible after the release of an update or variant of an old, previously cracked Trojan. When researchers at Emsisoft found weaknesses that allowed them to develop free decryption solutions for the Stampado Ransomware, its author responded by inserting insults into the code of the Trojan's next update. Now, he's providing a brand new Trojan to any fellow con artists willing to pay the four hundred USD fee: the Philadelphia Ransomware, the successor to the Stampado Ransomware.

The Philadelphia Ransomware is in the wild, with its author claiming to have compromised twenty thousand separate PCs in the first day. Its infection vector uses e-mail attachments disguised as payment warnings from the Brazilian Ministry of Finance. Opening the 'document' redirects the victim to a Java-based application that installs the Philadelphia Ransomware.

A third-party threat actor controls some of the details of the Philadelphia Ransomware's configuration via the 'Philadelphia Headquarters' utility. Current versions of the Philadelphia Ransomware include removable devices and network-based drives in their sweep for files to encrypt. Currently, malware experts confirm that it targets thirty-three formats, including DOC, JPG, PPT, RAR, TXT, and ZIP. The Trojan also includes a hefty assortment of other, optional features that may vary from build to build (such as compromising other PCs over networks, deleting files via a 'Russian roulette' feature, or decrypting content automatically).

Sending the Trojan from Philly Back Home Penniless

Two of the Philadelphia Ransomware's most unorthodox features are its bridge-based communications infrastructure, which leverages PHP script-based distributed networks, and its 'give mercy' button that lets a con artist decrypt the victim's files without charging a ransom. However, in the Rainmaker's haste to innovate with his new product, he also introduced vulnerabilities into the Philadelphia Ransomware campaign that could help the PC security sector track its activities. Early research into the possibility of cracking the Philadelphia Ransomware's encryption algorithm and creating a free decryptor also is favorable.

PC users in possession of valuable files should avoid depending on the generosity of con artists for recovering that content. Using backups on a secure cloud server or device left detached from the infected system can offer means of data restoration without needing to decrypt anything. Victims also can wait for the PC security sector to create a free decryption tool.

The Philadelphia Ransomware may block an infected PC's desktop with its ransom message. Use standard anti-malware strategies and software, such as booting into Safe Mode and then scanning your PC, to uninstall the Philadelphia Ransomware. Although the Rainmaker intends the Philadelphia Ransomware to be the next 'big thing' in his threat business, all initial signs point to its being shut down by a combination of good security practices and the active efforts of the security community.

Technical Details

File System Modifications


The following files were created in the system:

File: %APPDATA%\Isass.exe
File name: Isass.exe
Path: %APPDATA%
Size: 1.02 MB (1029120 bytes)
MD5: 129854e541ab32b998abeb87dd25a645
Detection count: 2,644
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 1, 2017

File: %APPDATA%\Isass.exe
File name: Isass.exe
Path: %APPDATA%
Size: 551.93 KB (551936 bytes)
MD5: 94910a42606413fdeb9b44346b5741c0
Detection count: 204
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 8, 2019

File: %APPDATA%\Isass.exe
File name: Isass.exe
Path: %APPDATA%
Size: 828.79 KB (828799 bytes)
MD5: ce4752100c2f9adb14e6603dffeb203a
Detection count: 68
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: June 13, 2017

File: file.exe
File name: file.exe
Size: 115.84 KB (115846 bytes)
MD5: 33473f907c07244158560c052a930634
Detection count: 20
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 3, 2017

File: %APPDATA%\Isass.exe
File name: Isass.exe
Path: %APPDATA%
Size: 605.37 KB (605373 bytes)
MD5: 741ed2478baaa8fd28d626bbaf7b5156
Detection count: 19
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 1, 2017
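As an added example (not part of the original page or any vendor tool), the following script turns the file indicators above into a check a responder can run: it walks a directory such as %APPDATA%, hashes every file, and flags anything whose MD5 matches one of the hashes listed here or whose name is the 'Isass.exe' dropper name from this page (capital I, not the legitimate lsass.exe in System32). The scan root and the constructed sample directory used for testing are assumptions.

```python
import hashlib
import os
import tempfile

# MD5 hashes of the Philadelphia Ransomware files listed on this page.
KNOWN_MD5 = {
    "129854e541ab32b998abeb87dd25a645",
    "94910a42606413fdeb9b44346b5741c0",
    "ce4752100c2f9adb14e6603dffeb203a",
    "33473f907c07244158560c052a930634",
    "741ed2478baaa8fd28d626bbaf7b5156",
}

# Dropper file name from this page, compared case-insensitively.
# Note this is "Isass" with a capital I, not the genuine "lsass.exe".
SUSPECT_NAME = "isass.exe"


def md5_of_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root, known_hashes=KNOWN_MD5):
    """Return a list of (path, reason, md5) findings under root.

    A hash match is reported first; otherwise a file carrying the lookalike
    name is reported for manual review, since new builds change the hash.
    """
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:  # unreadable or vanished file: skip it
                continue
            if digest in known_hashes:
                findings.append((path, "known-hash", digest))
            elif name.lower() == SUSPECT_NAME:
                findings.append((path, "lookalike-name", digest))
    return findings


def make_sample_dir():
    """Constructed test fixture: a temp dir holding one fake Isass.exe."""
    root = tempfile.mkdtemp(prefix="philly-sample-")
    path = os.path.join(root, "Isass.exe")
    with open(path, "wb") as f:
        f.write(b"constructed sample, not malware")
    return root, path, md5_of_file(path)


if __name__ == "__main__":
    # Assumption: scan the user's %APPDATA% on Windows, home dir elsewhere.
    scan_root = os.environ.get("APPDATA", os.path.expanduser("~"))
    for path, reason, digest in scan_directory(scan_root):
        print(f"{reason}: {path} md5={digest}")
```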