In the past year, the Healthcare sector was one of the biggest industries that were hit by ransomware attacks. Being inclined to paying ransom to recover patient data, the Healthcare sector became a low hanging fruit for seasoned ransomware operators looking to maximize profit, such as those behind the Locky ransomware. However, it appears that amateur cybercriminals have also started to shift towards this trend in the form of an off-the-shelf ransomware aimed at a healthcare organization in the United States.
In this attack, a shortened URL, which we believe was sent through a spear-phishing email, was used as a lure to infect a hospital from Oregon and Southwest Washington. Once a user clicks on the link, the site redirects to a personal storage site to download a malicious DOCX file. This document contains the targeted healthcare organization's logo and a signature of a medical practitioner from that organization as bait:
Upon execution, the dropped Philadelphia variant communicates to its command and control (C2) server bridge to check in the newly infected system. It sends system information including the operating system, username, country, and system language. The C2 then replies with a generated victim ID, a Bitcoin wallet ID and the Bitcoin ransom price:
The ransomware then proceeds to encrypt files using AES-256 encryption and displays the following window:
Based on the directory time stamp found on the ransomware C2, it appears that this campaign against hospitals started on the third week of March:
Forcepoint Security Statement
Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:
Stage 5 (Dropper File) - Related malware components are prevented from being downloaded and/or executed.
Stage 6 (Call Home) - HTTP requests to the Philadelphia command and control bridge are blocked.
Ransomware-as-a-service (RaaS) platforms such as Philadelphia continue to attract would-be cybercriminals to take part in the ransomware business. For instance, a teenager was identified as a suspect for operating Philadelphia just last month. At the same time, successful ransomware attacks in the Healthcare sector were heavily headlined in the past months which may have influenced the amateur threat actor in this case to target hospitals.
Individually, this may not be a great deal of an attack towards the Healthcare sector. However, this may signify the start of a trend wherein smaller ransomware operators empowered by RaaS platforms will start aiming for this industry, ultimately leading to even bigger and diversified ransomware attacks against the Healthcare sector. A public decrypter is available to those who have been infected by the Philadelphia ransomware.
Indicators of Compromise
DOCX file (SHA-256):