New ransomware spotted as targeting healthcare industry

Philadelphia ransomware is part of a highly targeted spear-phishing campaign that may signify more ransomware-as-service campaigns are on the horizon.
By Jessica Davis
02:09 PM

This ransomware file contains icons resembling patient information, all of which point to the malicious script. If any of the icons is double-clicked, the JavaScript is triggered and the ransomware is downloaded on the user’s network.

Researchers from security firm Forcepoint have discovered a new, off-the-shelf ransomware variant dubbed Philadelphia that is targeting the healthcare industry.

Amateur cybercriminals can purchase the virus, which researchers believe is sent through a spear-phishing email. It was already used to lure and infect a hospital in Oregon and southwest Washington.


Instead of a traditional attached file, users are directed to a link found in the email body. Once clicked, the site redirects and downloads a malicious Microsoft Word file. The document contains the logo of the targeted healthcare organization and a signature from a medical practitioner from that organization as bait.

The file contains icons resembling patient information, which all point to malicious JavaScript, researchers said. If the user double-clicks any of the icons, the JavaScript is triggered and the ransomware is downloaded on the user’s network.


Once executed, the virus sends the victim's operating system type, username, country and system language to its command and control server bridge. Command and control replies with a generated victim ID, Bitcoin wallet ID and the ransom demand in Bitcoin. Fortunately, security firm Softpedia has released a free decryptor.

The Philadelphia virus is an updated version of Stampado -- an unsophisticated strain researchers quickly decrypted. Researchers also found a video advertisement for the virus on YouTube.

An analysis of the variant found the term ‘hospitalspam’ in the directory path, indicating it’s not an isolated case -- but part of an ongoing hospital spear-phishing campaign that began in March.


Spear-phishing attacks have grown increasingly tailored, according to ICIT Senior Fellow James Scott. Hackers target employees with the highest privileges. The information is pulled from social media and other platforms to find specific details about the intended victim, which makes the spear-phishing campaigns highly effective.

“Individually, this may not be a great deal of an attack towards the healthcare sector,” the researchers said. “However, this may signify the start of a trend wherein smaller ransomware operators empowered by ransomware-as-service platforms will start aiming for this industry, ultimately leading to even bigger and diversified ransomware attacks against the healthcare sector.”

Twitter: @JessiefDavis