Healthcare Organizations Targeted with New Ransomware Campaign


Two hospitals have been attacked and had their files encrypted by Philadelphia ransomware. The latest campaign appears to be targeting hospitals in the United States.

Philadelphia ransomware is a form of Stampado ransomware that was first identified last fall. The new ransomware variant is not particularly sophisticated and a free decryptor exists (available from Emsisoft); however, a successful attack is likely to prove costly to resolve and has the potential to cause considerable disruption. An attack may even warrant HIPAA breach notifications being sent to patients if ePHI is encrypted.

The ransomware variant has been made available under an affiliate model and amateur attacks are being conducted. Brian Krebs recently found an online video promoting the ransomware variant highlighting its features and its potential for customization. The video claims that Philadelphia ransomware is the most advanced and customizable ransomware variant available.

Any would-be attacker can rent the ransomware by paying a one-off fee of $400 to the authors. After the fee is paid, the ransomware can be customized and used for personal campaigns.

At least one individual is conducting attacks on healthcare organizations, according to Forcepoint. Its researchers detected a campaign that uses a malicious DOCX file to download the ransomware. In this case, the Word document was not attached to a spam email; instead, a malicious link was sent in a spear phishing email. Clicking the link triggers a download of a malicious DOCX file.

If the user opens that file, they will be presented with three icons. Clicking any of those icons will launch malicious JavaScript that downloads Philadelphia ransomware onto the device. The ransom currently demanded per infected device is 0.3 Bitcoin – approximately $364.

The attacker has used a variety of techniques to improve the chances of the icons being clicked. Spear phishing emails are sent to individuals within a targeted healthcare organization. The Word document contains the healthcare organization’s logo along with the name of a physician at the hospital. The icons in the Word document appear to link to patient information contained in the file.
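As an added example (not from the article or from Forcepoint's analysis), the following Python check is the kind of screen a mail gateway or SOC could run on an incoming DOCX to flag embedded objects that wrap a script file before a user ever sees the icons. It assumes the clickable icons are OLE Package objects stored under word/embeddings/, which the article does not state; the extension list and the sample documents are constructed for illustration.

```python
import io
import zipfile

# Script extensions an embedded Package icon might launch; a heuristic list
# assumed for this example, not taken from the article.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")


def scan_docx_embeddings(docx_bytes: bytes) -> dict:
    """Inspect a .docx (a zip) and report embedded objects naming a script file.

    Byte-level check: Packager streams carry the original filename in ANSI and
    in UTF-16LE, so both encodings of each extension are searched.
    """
    report = {"embeddings": 0, "script_objects": []}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("word/embeddings/"):
                continue
            report["embeddings"] += 1
            data = zf.read(name).lower()  # case-insensitive extension match
            for ext in SCRIPT_EXTENSIONS:
                if ext.encode("ascii") in data or ext.encode("utf-16-le") in data:
                    report["script_objects"].append((name, ext))
                    break
    return report


def is_suspicious(docx_bytes: bytes) -> bool:
    """True when any embedded object appears to wrap a script file."""
    return bool(scan_docx_embeddings(docx_bytes)["script_objects"])


def build_sample_docx(embedded_names) -> bytes:
    """Construct a minimal docx-shaped zip with one Packager-style embedding per
    filename (constructed sample data for this example, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for i, fname in enumerate(embedded_names, 1):
            # Loosely mimic the Packager layout: ANSI label, then UTF-16LE copy.
            payload = fname.encode("ascii") + b"\x00" + fname.encode("utf-16-le")
            zf.writestr(f"word/embeddings/oleObject{i}.bin", payload)
    return buf.getvalue()
```

Running `scan_docx_embeddings` on a document built with three `.js` embeddings reports all three objects, while a document whose only embedding is a logo image reports none.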

Forcepoint analyzed the JavaScript and detected a string called hospitalspam. A directory on the command-and-control (C2) server also contained a folder with the same name, suggesting the attacker is targeting U.S. hospitals. Two hospitals in the U.S. have already fallen victim to a Philadelphia ransomware attack. Forcepoint reports that one hospital in Oregon and another in Southwestern Washington have been infected. The campaign appears to have started in the third week of March.

The discovery shows malicious actors are actively targeting the healthcare sector and further attacks are likely.

Recovery from a Philadelphia ransomware attack is a fairly straightforward process; however, the rise in popularity of ransomware-as-a-service could see healthcare organizations targeted more heavily over the coming months. Other ransomware variants may not prove so easy to remove.

Hospitals and other healthcare organizations should ensure they have implemented defenses against ransomware attacks, developed a disaster response plan specifically for ransomware attacks, and have effective backup policies in place.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
