Stampado ransomware author returns with new creation

Sep 10, 2016 23:20 GMT

Emsisoft security researcher Fabian Wosar informed Softpedia today that he has put together a new decrypter that can unlock files encrypted by a new ransomware family called Philadelphia.

The number of Philadelphia infections is relatively low because the ransomware was only recently released by its creator, the same crook who developed the Stampado ransomware.

Fabian Wosar previously released a free decrypter for the Stampado ransomware as well, about which you can read more here. Because the two families are related, both being written in the AutoIt scripting language, Wosar was able to work out Philadelphia's mode of operation and produce a fully working decrypter before the ransomware could do much damage.

Hacked AlphaBay account leads to Philadelphia's early discovery

News of the Philadelphia ransomware came to light this past Wednesday, September 7, when a user going by the nickname Arslan0708 posted a conversation between a hacker (SkrillGuide2015) and Philadelphia's creator (The Rainmaker).

Arslan0708 claims he compromised a machine belonging to a user of the AlphaBay Dark Web marketplace and intercepted a Jabber/XMPP conversation between the two. Since this was illegal, he declined to post any other details, but his hacking uncovered an upcoming ransomware threat, for which we thank him.

In this conversation, which you can read in full here, The Rainmaker was describing the new ransomware version he had just finished writing, called Philadelphia, which he was selling for $400. Previously, he sold the Stampado ransomware at a much lower price, for only $39.

Philadelphia uses a novel but fragile C&C server network

The Rainmaker lauded Philadelphia's new features in general but was especially proud of its new C&C communications system, which uses bridges (intermediary servers acting as proxies) that report back to a master server called Philadelphia Headquarter. This type of C&C architecture is common among remote access trojans (RATs) such as Orcus and Blackshades.

Lawrence Abrams, malware analyst and founder of Bleeping Computer, identified a few problems with this architecture, which he broke down in his report.

"There is a fundamental problem, though, with this Bridge implementation. Unless these bridges are stored on anonymous networks like TOR, they will most likely be discovered and taken down fairly quickly," he writes.

Because the bridge addresses are hardcoded into each Philadelphia build rather than fetched dynamically at runtime, a takedown of those servers leaves victims in the unfortunate position of being unable to pay the ransom and decrypt their files, since the infected machine has no other way to reach the operator.

Ransomware control panel includes a "Mercy" button

One other Philadelphia feature worth mentioning is a "Mercy" button in the control panel, which lets a Philadelphia buyer decrypt a victim's files without making them pay the ransom.

So far, security researchers have identified spam emails carrying a fake overdue-payment notice from Brazil's Ministry of Finance that delivers Philadelphia.

You can spot a Philadelphia infection by the very long, random-looking hexadecimal names given to encrypted files combined with the .locked extension (e.g. 7B205C09B88C57ED8AB7C913263CCFBE296C8EA9938A.locked).
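The naming pattern above is easy to turn into a quick triage check. The following is an added example written for this article, not code from Emsisoft, Bleeping Computer or the ransomware author. It assumes (this is an assumption, not something the article states) that every encrypted file name is a run of at least 32 hexadecimal digits followed by ".locked"; the article's one example stem is 44 characters long, and the lower bound leaves room for builds that use a slightly different length. A bare ".locked" extension on an ordinary name is deliberately not treated as a hit, because several unrelated ransomware families use that extension. The sample file names are constructed for the demonstration.

```python
import hashlib
import os
import re
from typing import Dict, Iterable, List

# Assumption: long run of hex digits, then ".locked". Case-insensitive so a
# build that writes lowercase hex is still caught.
LOCKED_NAME = re.compile(r"^[0-9A-Fa-f]{32,}\.locked$")


def basename(path: str) -> str:
    """Last path component, splitting on both '/' and '\\' so Windows paths
    collected on a Linux analysis box are handled correctly."""
    return re.split(r"[\\/]", path)[-1]


def is_philadelphia_name(filename: str) -> bool:
    """True if a bare file name matches the assumed Philadelphia pattern."""
    return LOCKED_NAME.match(filename) is not None


def scan_names(names: Iterable[str]) -> List[str]:
    """Filter an iterable of paths (e.g. a file listing or a backup
    manifest) down to the ones that look like Philadelphia output."""
    return [n for n in names if is_philadelphia_name(basename(n))]


def assess(names: Iterable[str], min_hits: int = 5) -> Dict[str, object]:
    """Return the matching paths and a verdict. A handful of hits could be a
    single planted file; min_hits is a triage threshold, not a hard rule."""
    hits = scan_names(names)
    return {"hits": hits, "likely_infected": len(hits) >= min_hits}


def scan_tree(root: str, min_hits: int = 5) -> Dict[str, object]:
    """Walk a live directory tree and apply the same check to every file."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if is_philadelphia_name(f):
                found.append(os.path.join(dirpath, f))
    return {"hits": found, "likely_infected": len(found) >= min_hits}


# Constructed sample listing: five synthetic 40-hex-digit names (SHA-1 of a
# counter, uppercased), the article's own example, and some decoys.
CONSTRUCTED_LOCKED = [
    hashlib.sha1(f"file{i}".encode()).hexdigest().upper() + ".locked"
    for i in range(5)
]
ARTICLE_EXAMPLE = "7B205C09B88C57ED8AB7C913263CCFBE296C8EA9938A.locked"
SAMPLE_NAMES = (
    ["C:\\Users\\alice\\Documents\\" + CONSTRUCTED_LOCKED[0]]
    + CONSTRUCTED_LOCKED[1:]
    + [ARTICLE_EXAMPLE]
    + [
        "report.docx",              # untouched document
        "notes.locked",             # .locked on a normal name: other family
        "deadbeef.locked",          # hex, but far too short
        "C:\\Users\\alice\\budget.xlsx",
    ]
)

if __name__ == "__main__":
    verdict = assess(SAMPLE_NAMES)
    print(f"{len(verdict['hits'])} suspect file(s); "
          f"likely infected: {verdict['likely_infected']}")
    for path in verdict["hits"]:
        print("  ", path)
```

Running the block against the constructed listing reports six suspect files and a positive verdict; pointing `scan_tree` at a user's profile directory gives the same answer for a real machine. Treat the threshold as a starting point: a single match with a ransom note next to it is still worth a look.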

Philadelphia deletes files at random intervals

The ransomware asks for only 0.3 Bitcoin, about $210 at the time of writing. Be aware, however, that Philadelphia deletes a predetermined number of files from the infected computer each time the victim delays paying.

Victims should therefore decide quickly whether to pay the ransom or to run Wosar's free decrypter. The longer decryption is put off, the larger the chunk of files that will have gone missing by the time it is attempted.

Below is a PDF file that The Rainmaker was using to advertise Philadelphia on AlphaBay.

Images: Philadelphia Headquarter; Philadelphia ransomware builder