An easy-to-use form of customisable ransomware is allowing entry-level cybercriminals to carry out targeted-ransomware campaigns.
First spotted in September last year, Philadelphia ransomware is not only simple to customise and deploy, those using it also receive regular updates and support from its authors.
Ransomware has boomed over the past year, costing its victims some $1bn during 2016 alone.
But while most forms of ransomware are associated with large-scale “spray and pray” campaigns, in which criminals send out thousands, even millions, of emails in the hope of infecting random consumer and business targets, researchers at Proofpoint have detailed a recent Philadelphia ransomware campaign that saw one threat actor use it to target specific healthcare institutions in a single city.
In this instance, attackers sent phishing emails appearing to be from an employee within the organisation, marked high importance and featuring subjects such as ‘Patient referral’. The lure supposedly contained information about a patient behind a shortened link, which, if clicked, downloaded the ransomware.
Those behind this attack have also customised the ransom note, not only referring to the hospital target by name, but also setting a high ransom demand of 15 Bitcoins – $18,000 – in the knowledge that networks are critical to hospital operations and that, as demonstrated by an incident last year, healthcare victims will give into these high demands in order to protect patients.
This Philadelphia attack has also been customised to add extra urgency, with a threat to delete 99 files every 45 minutes.
Researchers note this is the first instance of ransom note customisation spotted in the wild, but by tracking other campaigns, other instances of Philadelphia ransom note customisation were found being deployed in a number of different scenarios.
For example, one customised ransom note was found to be very much targeting individuals, seemingly designed to shame them about viewing adult content and demanding a ransom of 0.05 Bitcoins – or $49.
This might seem like a small fee, but it represents a figure an individual target would be likely to part with. The ransom note also threatens to delete three files every hour before deleting all files after three days. Researchers have not yet determined how this version of Philadelphia spreads.
Researchers also discovered Philadelphia targeting Russian language speakers, demanding a ransom of $200 and a no nonsense approach to speaking to victims. “Do not write to us if you do not like the price. We do not bargain,” reads part of the note after translation, which also includes a threat to up the ransom demand the longer the victim takes to pay.
While Philadelphia isn’t a particularly sophisticated form of ransomware – and doesn’t have anywhere near the market proliferation of the likes of the notorious Cerber or Locky, researchers note that it represents a development in “commodity ransomware”, allowing low-level cybercriminals to use highly customisable ransomware at a low cost.
Philadelphia is available to purchase for a $400 in the underground markets, Patrick Wheeler, Director of Threat Intelligence at Proofpoint, told ZDNet, adding how those behind it offer advice and updates on the ransomware as if it was any other piece of business software.
“The authors created a YouTube video explaining the features and how to get in touch to obtain the malware, which includes a perpetual license and free updates,” he said.
Meanwhile, for those who don’t even want to hand over money to other cybercriminals, there are cracked versions of the ransomware which can be downloaded for free.
The rise of this form of ransomware could become a big threat to organisations, warn Proofpoint, especially if criminals can successfully spoof emails to make them appear to be coming within the targeted organisation.
“As commodity ransomware becomes more sophisticated and customizable, new strains emerge rapidly, and ransomware-as-a-service becomes more commonplace, the possibilities for threat actors to use this type of malware in unexpected ways increase,” say researchers.
However, the good news is that some strains of Philadelphia have been cracked and free decryption tools are available.
Ransomware has become one of the biggest menaces on the web. This ZDNet guide contains everything you need to know about it: how it started, why it’s booming, how to protect against it, and what to do if your PC suffers an attack.