On September 10th, the Emsisoft security expert, Fabian Wosar, announced that he had been able to create a free decrypter for the recently-found Philadelphia ransomware.
Luckily, because Philadelphia, whose developer is the same crook behind the Stampado ransomware, is quite new to the ransomware market, the number of users it has attacked is very small.
Earlier, Wosar had also cracked the Stampado threat and created a decryption tool that lets users restore their data without paying the ransom. Stampado and Philadelphia belong to the same ransomware family and are both written in the AutoIt scripting language. This was an advantage for Wosar, who, drawing on that previous experience, quickly managed to create the Philadelphia decrypter while the ransomware was still in its infancy.
The Philadelphia ransomware was first detected 5 days ago, on September 7th, when a user going by the name Arslan0708 posted a conversation between the ransomware's author (The Rainmaker) and a hacker named SkrillGuide2015.
Arslan0708 explained that he had managed to intercept a Jabber/XMPP conversation between the two by compromising a computer owned by a user of the AlphaBay Dark Web marketplace. Arslan0708 didn't reveal any more details because his actions were clearly illegal, but his hacking led to the discovery of the forthcoming Philadelphia threat.
In the conversation, The Rainmaker was explaining Philadelphia's features, which he was selling for $400, while he sold the Stampado ransomware for a much lower price, only $39. The crook was advertising his new product, but he put particular emphasis on the ransomware's new C&C communication system. Unlike other similar pieces of ransomware, Philadelphia uses bridges (intermediary servers, proxies) that report back to a master server called Philadelphia Headquarter. Usually it is Remote Access Trojans (RATs), like Blackshades and Orcus, that rely on this type of C&C server architecture.
However, the malware expert and founder of Bleeping Computer, Lawrence Abrams, discovered a problem in this communication technique.
“There is a fundamental problem, though, with this Bridge implementation. Unless these bridges are stored on anonymous networks like TOR, they will most likely be discovered and taken down fairly quickly.” – he wrote in a report.
The problem is that if this happens, the victim would no longer be able to pay the ransom and recover their files.
Another very interesting fact about Philadelphia is that the ransomware features a so-called “Mercy Button” which would allow a compassionate crook to spare a particular user and decrypt their files for free.
The Philadelphia ransomware is distributed via phishing emails disguised as a payment notice from Brazil's Ministry of Finance. The emails contain a link to a Java program that automatically downloads and runs the Philadelphia installer.
During the encryption process, Philadelphia appends the ".locked" extension to encrypted files and renames them to random strings, for example "7B205C09B88C57ED8AC913263CCFBE296C8EA9938A.locked".
The ransom demanded from victims is only 0.3 Bitcoin ($210) but if they delay the payment, Philadelphia starts deleting encrypted files from the infected PC.
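Because Philadelphia starts deleting files the longer a victim waits, a quick triage of which directories already hold renamed files helps decide where to act first. The following script is an added example, not code from the article or from Emsisoft; it infers the rename pattern (a run of upper-case hex characters followed by ".locked") from the single sample name above, builds a constructed sample directory, and reports matching files per folder.

```python
import os
import re
import tempfile
from collections import Counter

# Pattern inferred from the one sample name on the page (42 hex characters
# plus ".locked"); the length range is an assumption to tolerate variation.
PHILADELPHIA_NAME = re.compile(r"^[0-9A-F]{32,64}\.locked$")


def find_locked_files(root):
    """Walk `root` and return (matching paths, per-directory counts)
    for files whose names fit the Philadelphia rename pattern."""
    hits = []
    per_dir = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if PHILADELPHIA_NAME.match(name):
                hits.append(os.path.join(dirpath, name))
                per_dir[dirpath] += 1
    return hits, per_dir


def build_sample_tree():
    """Constructed sample tree: two renamed files, one untouched file and
    one '.locked' decoy whose name does not fit the pattern."""
    root = tempfile.mkdtemp(prefix="philadelphia_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    names = [
        "7B205C09B88C57ED8AC913263CCFBE296C8EA9938A.locked",  # from the article
        "0123456789ABCDEF0123456789ABCDEF01234567.locked",    # constructed
        "report.docx",                                          # untouched
        "notes.locked",                                         # decoy, no match
    ]
    for n in names:
        open(os.path.join(docs, n), "w").close()
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits, per_dir = find_locked_files(root)
    print(f"{len(hits)} suspected Philadelphia-encrypted files")
    for directory, count in per_dir.items():
        print(f"  {count} in {directory}")
```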
Wosar's decrypter is available here: https://decrypter.emsisoft.com/philadelphia. Whether victims plan to download it or to pay the ransom, they should act fast, because every delay costs them more data.