According to the researchers, thePhiladelphia ransomware is distributed via spear-phishing emails sent to the hospitals. The messages contain a shortened URL that points to a personal storage site that serves a weaponized DOCX file containing the targeted healthcare organization’s logo.
The file includes three document icons apparently related to patient information, and attempt to trick victims to click on them.
Philadelphia ransomware
If the victims click on the icon, a Javascript is triggered which downloads and executes a variant of the Philadelphia ransomware.
This tactic was already used to infect a hospital from Oregon and Southwest Washington.
“However, it appears that amateur cybercriminals have also started to shift towards this trend in the form of an off-the-shelf ransomware aimed at a healthcare organization in the United States.” reads the analysis published by ForcePoint.
“In this attack, a shortened URL, which we believe was sent through a spear-phishing email, was used as a lure to infect a hospital from Oregon and Southwest Washington. Once a user clicks on the link, the site redirects to a personal storage site to download a malicious DOCX file. This document contains the targeted healthcare organization’s logo and a signature of a medical practitioner from that organization as bait.”
Once the ransomware infected the system it contacts the C&C server and sends various details on the target machine, including operating system, username, country, and system language. The C&C server responds with a generated victim ID, a Bitcoin wallet ID, and the Bitcoin ransom price.
The Philadelphia ransomware used AES-256 to encrypt the files, when the operation is completed it displays a request for 0.3 Bitcoins ransom to the victims.
The analysis of the malicious code revealed a couple of interesting things:
•the encrypted JavaScript contained a string “hospitalspam” in its directory path.
•the ransomware C&C also contained “hospital/spam” in its path.
The presence of the words suggests the attackers are specifically targeting hospitals using spear phishing emails.
“Ransomware-as-a-service (RaaS) platforms such as Philadelphia continue to attract would-be cybercriminals to take part in the ransomware business” concluded Forcepoint. “Individually, this may not be a great deal of an attack towards the Healthcare sector. However, this may signify the start of a trend wherein smaller ransomware operators empowered by RaaS platforms will start aiming for this industry, ultimately leading to even bigger and diversified ransomware attacks against the Healthcare sector,”
Bookmarks