A malware creator going by the name The Rainmaker has recently started selling a newer version of the Stampado ransomware, called Philadelphia, for $400 USD. According to him, Philadelphia is being incredibly undersold, giving any wannabe crook the opportunity to buy a fully working piece of ransomware at little expense.
However, Philadelphia is not as advanced as it is made out to be. Since it is written in the AutoIT scripting language, it can be easily decompiled and checked for bugs. Moreover, Emsisoft security researcher Fabian Wosar is confident the ransomware can be decrypted, as he was the one who cracked the first two versions of Stampado.
Lawrence Abrams of BleepingComputer says:
“I was first notified of this new version by a poster in the forums who claimed he was able to intercept communications between a person going by the handle of SkrillGuide2015 and the Philadelphia developer The Rainmaker. This conversation was taking place on the AlphaBay Tor criminal site, and shows Rainmaker explaining how he has started selling his new Philadelphia ransomware project for $400 USD and that he plans on starting to distribute it today. Rainmaker’s goal was to infect 20 thousand victims on his first day of distribution.”
The Rainmaker presents Philadelphia as an innovation on the ransomware market because of some of its capabilities. The ransomware can detect automatically when a payment has been made and then decrypt the locked files without manual intervention, and it can spread to USB drives as well as to other PCs over the network. However, one of its most interesting features is the so-called Mercy Button, which allows the crooks to decrypt a particular victim’s files for free out of sympathy.
The advertised features of the Philadelphia ransomware are:
“Everything is customizable:
- You can set the folders where the Ransomware will look for files as well as the depth/recursion level
- You can set the extensions, you can enable, disable and define intervals for the deadline and the Russian roulette (as well as editing how many files are deleted on every Russian roulette interval and whether the files or the crypt key gets deleted once the deadline ends)
- You can edit file icon and Mutex
- You can edit the UAC (user access control) in four available options: (1) do not ask for admin privileges; (2) ask and insist until it is given; (3) ask but run anyway even if it is not given; (4) ask and give up if it is not given
- You can edit all the interface texts as well as add multiple languages to the same file (it will detect the machine language and display the texts you edited for that locale or a default/fallback one)
- You can enable or disable USB infect, network spread and Unkillable Process, as well as set the process name
The Philadelphia Headquarter is a software that works on your machine and allows you to generate unlimited builds, see the victims on a map and on a list (with country flags and all the data you need) and also a “Give Mercy” button if you’re too good.
But the coolest Philadelphia feature (and what makes its maintenance so cheap) is that, instead of huge servers on our controls where you must pay high amounts monthly, we present you the “Bridges”. Bridges are the way victims and attacker enter in touch in a distributed network.”
The attacker has to install the Bridges (PHP scripts) on websites in order to set up a Philadelphia campaign. These Bridges are connected to each other and store information about each victim along with the encryption key. The crook then runs a management client called the Philadelphia Headquarters on their PC, which connects to each Bridge and downloads the victim data to the management console. This way the attacker sees who is infected and which countries have the most infections, and can even “Give Mercy” to some victims and decrypt their files for free.
However, the Bridges would be easily discovered and taken down unless they are hosted on anonymous networks like Tor, which makes the process a lot more difficult. The problem is that, if a Bridge is taken down, the victim would no longer be able to pay the ransom and recover their files.
The Philadelphia ransomware is distributed via phishing emails disguised as a payment notice from Brazil’s Ministry of Finance. The emails contain a link to a Java program which automatically downloads and runs the Philadelphia installer.
When the ransomware encrypts a file, it appends the “.locked” extension to the end of it and completely changes its name. For instance, a file named “test.jpg” may become “7B205C08C57ED8AB7C913263CCFBE9938A.locked” after encryption. When the encryption process is complete, a lock screen is displayed with instructions on how to make the payment (0.3 Bitcoin).
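The renaming pattern described above (original name replaced by a long hexadecimal string plus a “.locked” extension) is a simple artifact a defender can watch for on file servers or in endpoint file-event logs. The following detector is an added example written for this article; it is not code from the article, from BleepingComputer or from Emsisoft. It assumes, based on the single sample name shown above, that the hex string is at least 32 characters long, and it uses a constructed list of file paths as input; the alert threshold of three renamed files is likewise an arbitrary assumption.

```python
import os
import re
from collections import Counter
from pathlib import PurePosixPath

# Names produced by Philadelphia look like a long hex string plus ".locked".
# The article's one sample has 34 hex digits; the minimum of 32 used here is
# an assumption for the detector, not a value the article states.
LOCKED_NAME = re.compile(r"^[0-9A-Fa-f]{32,}\.locked$")


def is_philadelphia_style_name(path: str) -> bool:
    """Return True if the basename of `path` matches the renaming pattern."""
    return LOCKED_NAME.match(PurePosixPath(path).name) is not None


def scan_paths(paths, threshold: int = 3) -> dict:
    """Classify file paths and group the suspicious ones by directory.

    `threshold` is the number of matching files at which an alert is raised;
    a single hit could be a coincidence, a cluster of them in one tree is the
    signature of a bulk encryption run.
    """
    hits = [p for p in paths if is_philadelphia_style_name(p)]
    by_dir = Counter(str(PurePosixPath(p).parent) for p in hits)
    return {
        "hits": hits,
        "by_dir": dict(by_dir),
        "alert": len(hits) >= threshold,
    }


def scan_directory(root: str, threshold: int = 3) -> dict:
    """Walk a real directory tree and run the same classification on it."""
    paths = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            # os.walk yields OS-native separators; normalise to POSIX form
            # so the basename/parent split above behaves the same everywhere.
            paths.append(PurePosixPath(dirpath.replace(os.sep, "/"), name).as_posix())
    return scan_paths(paths, threshold)


# Constructed sample input: a mix of untouched files, the name quoted in the
# article, two further made-up encrypted names and two short ".locked"
# names that should NOT match because they lack the long hex prefix.
SAMPLE_PATHS = [
    "/home/user/Documents/7B205C08C57ED8AB7C913263CCFBE9938A.locked",
    "/home/user/Documents/0123456789ABCDEF0123456789ABCDEF.locked",
    "/home/user/Pictures/A1B2C3D4E5F60718293A4B5C6D7E8F90AB.locked",
    "/home/user/Pictures/test.jpg",
    "/home/user/notes.locked",
    "/home/user/readme.txt",
    "/var/tmp/DEADBEEF.locked",
]

if __name__ == "__main__":
    result = scan_paths(SAMPLE_PATHS)
    print("alert:", result["alert"])
    for directory, count in result["by_dir"].items():
        print(f"{count} suspicious file(s) in {directory}")
```

Running the block on the constructed sample flags the three hex-named files, two under Documents and one under Pictures, and raises the alert; “notes.locked” and “DEADBEEF.locked” are ignored because the extension alone is not the signal, the long hex name is. In practice this check belongs in a scheduled scan of shared folders or in a file-event pipeline, where a burst of matches inside one user’s profile is the cue to isolate that host before the network-spread and USB-infection features get a chance to run.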