A security researcher from Emsisoft, Fabian Wosar, recently revealed that he had built a decrypter that can unlock files encrypted by the Philadelphia ransomware. This malware is relatively new and was developed by the same person who created the Stampado ransomware.
Like much of the ransomware currently sold on the dark web, Philadelphia encrypts files on local and removable drives whose extensions match a built-in target list, and then displays its ransom note.
Wosar had earlier released a free decryption tool for Stampado, and because the two programs are related, both being written in the AutoIt scripting language, he was able to work out how Philadelphia operates and produce a fully working decrypter shortly after it appeared, before it could cause much damage.
Hacked Alpha Bay Market account – discovery of Philadelphia
A hacked Alpha Bay Market account led to the discovery of Philadelphia. News of its existence first surfaced on September 7th, when an online user called Arslan0708 posted a chat log between a possible hacker, SkrillGuide2015, and Philadelphia's developer, known as The Rainmaker.
Arslan0708 says that he compromised a machine belonging to an Alpha Bay Market user and was able to read a Jabber/XMPP chat between the two parties remotely.
Because this activity was illegal, he refused to reveal any further details, but his break-in exposed the upcoming ransomware threat that later turned out to be Philadelphia.
In the conversation, The Rainmaker discussed a new ransomware he had just finished writing and was now selling for $400.
Previously, he had sold his first ransomware, Stampado, at the much lower price of $39.
The ransomware uses a new C&C communications scheme: it talks to bridges, or proxies, which in turn report back to the main server.
However, Lawrence Abrams, founder of Bleeping Computer and a malware analyst, identified problems with Philadelphia's implementation of the bridge system.
He says that unless the bridges are hosted on an anonymity network such as Tor, they are likely to be discovered and taken down quickly.
Because the bridge addresses are hard-coded into the Philadelphia binary and cannot be updated automatically, taking those servers down leaves victims unable to pay the ransom or recover their files.
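The hard-coded bridge list is exactly what makes the bridges easy to find. As an added illustration, written for this page and not taken from Emsisoft or from the ransomware itself, the script below pulls embedded http(s) URLs out of a sample's bytes. The blob is constructed and the bridge hostnames are placeholders; compiled AutoIt scripts commonly store strings as UTF-16LE, so the scan checks both ASCII and wide strings.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for a dropped sample: a few header bytes, one bridge URL
# stored as ASCII and one as UTF-16LE (compiled AutoIt scripts commonly hold
# wide strings), followed by unrelated text. Hostnames are placeholders, not
# real Philadelphia infrastructure.
SAMPLE_BLOB = (
    b"\x00\x01AU3!EA06\x00\x00"
    + b"http://bridge-one.example/philadelphia/bridge.php"
    + b"\x00" * 8
    + "http://bridge-two.example/~user/bridge.php".encode("utf-16-le")
    + b"\x00\x00"
    + "Your files have been encrypted".encode("utf-16-le")
)

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~\-/%?=&:]+")


def extract_urls(data: bytes) -> list:
    """Return the unique http(s) URLs embedded in data, whether stored as
    plain ASCII or as UTF-16LE wide strings."""
    found = set()
    found.update(m.group().decode("ascii") for m in URL_RE.finditer(data))
    # Wide strings: drop the interleaved NUL bytes. Try both alignments, since
    # a UTF-16LE string may start at an odd offset.
    for offset in (0, 1):
        narrow = data[offset::2]
        found.update(m.group().decode("ascii") for m in URL_RE.finditer(narrow))
    return sorted(found)


def bridge_hosts(urls) -> list:
    """Hostnames to hand to a takedown request or a blocklist, one per bridge."""
    return sorted({urlparse(u).hostname for u in urls})


if __name__ == "__main__":
    urls = extract_urls(SAMPLE_BLOB)
    print("bridges:", urls)
    print("hosts:", bridge_hosts(urls))
```

Note the trade-off Abrams raises: blocking the extracted hosts at a perimeter stops new infections from reaching the bridges, but it also cuts existing victims off from paying, so the list is better sent to takedown and to whoever is writing a decrypter than simply dropped into a firewall.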
Another feature worth highlighting is the "Mercy" button, which lets the operator decrypt a victim's files without requiring payment.
Security researchers recently spotted a spam campaign impersonating an overdue-payment notice from Brazil's Finance Ministry; the messages carried Philadelphia.
You can recognise a Philadelphia infection by its encrypted files: each is renamed to a long random name and given a .locked extension.
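That renaming pattern can be turned into a quick triage check. The following is an added example (not Emsisoft's tooling or anything from the ransomware) that applies the two indicators from the text, a .locked extension on a long random-looking base name, to a constructed list of filenames; the length and entropy thresholds are assumptions chosen for illustration.

```python
import math
import os

# Thresholds are assumptions for this example, not values from the ransomware.
MIN_STEM_LEN = 16     # "long" random name
MIN_ENTROPY = 3.5     # bits per character; ordinary words sit well below this

# Constructed sample directory listing: three names in the Philadelphia pattern,
# plus ordinary files and one short name that merely ends in .locked.
SAMPLE_NAMES = [
    "aK3xQ9mZpL7vR2tYwB8nC4dF.locked",
    "Zq8LmN3vXb6TkR1yPwH5sJ2eA.locked",
    "h1J4kL9pM2nQ7rS3tV5wX8yZ.locked",
    "report.locked",
    "budget_2016.xlsx",
    "holiday_photo_0001.jpg",
    "README.txt",
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(filename: str) -> bool:
    """True if the name matches the Philadelphia pattern: a long random
    alphanumeric stem plus a .locked extension."""
    stem, ext = os.path.splitext(os.path.basename(filename))
    if ext.lower() != ".locked":
        return False
    return (len(stem) >= MIN_STEM_LEN
            and stem.isalnum()
            and shannon_entropy(stem) >= MIN_ENTROPY)


def scan_names(names):
    """Return the names that look like Philadelphia-encrypted files."""
    return [n for n in names if looks_encrypted(n)]


def triage(names, min_hits=3):
    """Summarise a listing: a handful of hits is enough to suspect infection;
    a single .locked file could be a coincidence."""
    hits = scan_names(names)
    return {"hits": hits, "suspected_infection": len(hits) >= min_hits}


def scan_tree(root):
    """Walk a real directory tree and triage every filename found."""
    names = []
    for dirpath, _dirs, files in os.walk(root):
        names.extend(os.path.join(dirpath, f) for f in files)
    return triage(names)


if __name__ == "__main__":
    print(triage(SAMPLE_NAMES))
```

Run `scan_tree` against a user's profile or a file share to get a first answer on whether the machine is affected; the extension alone is not enough, since a legitimately named `report.locked` would otherwise trip the check.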
The ransomware demands only 0.3 BTC from each victim, around $210 at the time.
Beware that Philadelphia deletes a number of files from the infected computer, particularly if the victim delays paying the ransom.
Once a machine is infected, the victim should decide quickly whether to pay the ransom or use Fabian Wosar's free decrypter.
If they wait too long, a large part of their files will already be gone.
Philadelphia's back end differs from that of other ransomware: it relies mostly on bridges, which can run even on shared hosting.
Each bridge is a PHP script with its own built-in database, so it needs no MySQL. Bridges store the victims' keys, verify payments and relay victim data back to the Headquarters server.
They can be hosted on any kind of server: hacked servers, shared hosting accounts, dedicated servers, VPSes and so on.
To infect victims, a buyer of the $400 Philadelphia licence must first upload the bridge PHP scripts to the sites they control.
They also run the Philadelphia Headquarters program on their own machine. This control panel connects to every bridge in their network, collects information about the victims and records the encryption keys.
The author also claims the ransomware improves on existing crypto-malware by automatically detecting when victims make their bitcoin payments.