Researchers from security firm Forcepoint have discovered a new, off-the-shelf ransomware variant dubbed Philadelphia that is targeting the healthcare industry.
Amateur cybercriminals can purchase the virus researchers believe is sent through a spear-phishing email. It was already used to lure and infect a hospital in Oregon and southwest Washington.
Instead of a traditional attached file, users are directed to a link found in the email body. Once clicked, the site redirects and downloads a malicious Microsoft Word file. The document contains the logo of the targeted healthcare organization and a signature from a medical practitioner from that organization as bait.
Once executed, the virus sends the type of the operating system, username, country and system language of the victim to its command and control server bridge. Command and control replies with a generated victim ID, Bitcoin wallet ID and the ransomware demand in Bitcoin. Fortunately, Security Firm Softpedia has released a free decryptor.
The Philadelphia virus is an updated version of Stampado — an unsophisticated strain researchers quickly decrypted. Researchers also found a video advertisement for the virus on YouTube.
An analysis of the variant found the term ‘hospitalspam’ in the directory path, indicating it’s not an isolated case — but part of an ongoing hospital spear-phishing campaign that began in March.
Spear-phishing attacks have grown increasingly tailored, according ICIT Senior Fellow James Scott. Hackers target employees with the highest privileges. The information is pulled from social media and other platforms to find specific information about the intended victim, which makes the spear-phishing campaigns highly effective.
“Individually, this may not be a great deal of an attack towards the healthcare sector,” the researchers said. “However, this may signify the start of a trend wherein smaller ransomware operators empowered by ransomware-as-service platforms will start aiming for this industry, ultimately leading to even bigger and diversified ransomware attacks against the healthcare sector.”