The City of Philadelphia has one of the highest crime rate in USA. The infamous city has now made it to the world of cybercrime. Quite literally.
Philadelphia is a variant of Stampado Ransomware. Stampado Ransomware was first seen in July this year and worked exactly like Philadelphia. However, Philadelphia has two timers wherein Stampado has only a Russian Roulette timer. Let us bring you a clear picture of Philadelphia!
Just like most other ransomware, Philadelphia is also encrypting user data and demanding ransom to return it back. But Philadelphia is a step ahead and makes money two way by offering its viciousness to potential hackers. It is selling its source code for $400 on Dark Web via its portal named as The Rainmaker. Anyone who aspires to make money the easy way can purchase the program. In addition to this, malware developers also help buyers set up a phishing campaign along with Bitcoin wallet configuration for smooth processing of ransom. On other hand, they are also running their full-fledged threat campaign on business organizations, individual users and several others.
How does Philadelphia Ransomware infect?
Distributed via phishing emails, Philadelphia usually conceals itself in a fake overdue payment message. This message contains a link directed to Philadelphia’s webpage, which acts as a gateway to its infection. The website has a Java application that is automatically downloaded once the user lands over to the portal. Upon successful infiltration, the malware encrypts several files and changes their file name & extension to ‘locked’, followed by numerous random characters. Once the malware has performed its scandalous activity, it notifies users about encryption along with the demanded ransom.
Note: Philadelphia encrypts files with following formats
.7z, .asp, .avi, .bmp, .cad, .cdr, .doc, .docm, .docx, .gif, .html, .jpeg, .jpg, .mdb, .mov, .mp3, .mp4, .pdf, .php, .ppt, .pptx, .rar, .rtf, .sql, .str, .tiff, .txt, .wallet, .wma, .wmv, .xls, .xlsx, .zip.
Philadelphia is programmed with asymmetric encryption algorithm where encryption is public, while decryption is private. Makers of Philadelphia ransomware ensure that they have control over user’s data, while leaving no alternative other than paying ransom. It usually demands .3 Bitcoin (currently equivalent to $187) to return back hijacked files.
The window also shows two timers: Deadline and Russian Roulette. While the former indicates the remaining time for obtaining the private key, the latter one denotes the time left in permanent deletion of files. These timers work in close succession and when time hits 0, it deletes the private key and any random encrypted files.
Image Source: pcrisk
Getting Rid of Philadelphia
You can remove Philadelphia ransomware with some manual steps on your system. Follow these steps if you’re infected with Philadelphia Ransomware.
Step 1:
For Windows XP & Windows 7 users: You should begin with restarting your computer in Safe Mode. This you can do by pressing F8 multiple times when anything appears on its screen and continue it until Windows Advanced Option Menu is prompted on the screen. Now select ‘Safe Mode with Networking’ option from the list.
For Windows 8 users: Go to Windows 8 Start Screen and type Advanced in the search bar. Now click on General PC Settings and then Advanced Startup options. Click on “Restart now” in order to restart your PC in Advanced Startup options. Now click on the “Advanced options” button followed by “Troubleshoot” button. The advanced option window will appear on the screen, from where you need to click on “Startup Settings”. Now click the “Restart” button and your PC will restart into the Startup Settings screen. As soon as you have implemented these steps, press F5 to boot your PC in Safe Mode with Networking.
Step 2:
Log on to your system with the account that was attacked by Philadelphia. Now download or purchase an authentic anti-malware software. Install and scan your system with it and remove all detected strains of the malware.
Step 3:
Once you have removed the Trojan from your system, you should use ‘Windows Previous Versions’ feature to restore your encrypted files.
- Start with selecting a file and right click it.
- Now select ‘Properties’.
- You will see ‘Previous Version’ option.
- Select the version and restore it.
You can also perform these steps to get away with any ransomware variant that has attacked your system. However, Windows Previous Version feature will only work for you if the Ransomware hasn’t encrypted or deleted shadow copies of your files.
Note: These steps are recommended by PC Risk!