
New ransomware spotted as targeting healthcare industry

Philadelphia ransomware is part of a highly targeted spear-phishing campaign that may signify more ransomware-as-service campaigns are on the horizon.

Jessica Davis, Associate Editor

This ransomware file contains icons resembling patient information, all of which point to the malicious script. If any of the icons is double-clicked, the JavaScript is triggered and the ransomware is downloaded on the user's network.

Researchers from security firm Forcepoint have discovered a new, off-the-shelf ransomware variant dubbed Philadelphia that is targeting the healthcare industry.

Amateur cybercriminals can purchase the virus, which researchers believe is sent through a spear-phishing email. It was already used to lure and infect a hospital in Oregon and southwest Washington.

Instead of a traditional attached file, users are directed to a link found in the email body. Once clicked, the site redirects and downloads a malicious Microsoft Word file. The document contains the logo of the targeted healthcare organization and a signature from a medical practitioner from that organization as bait.


The file contains icons resembling patient information, which all point to malicious JavaScript, researchers said. If the user double-clicks any of the icons, the JavaScript is triggered and the ransomware is downloaded on the user's network.

Once executed, the virus sends the victim's operating system type, username, country and system language to its command and control server bridge. Command and control replies with a generated victim ID, Bitcoin wallet ID and the ransom demand in Bitcoin. Fortunately, security firm Softpedia has released a free decryptor.

The Philadelphia virus is an updated version of Stampado -- an unsophisticated strain researchers quickly decrypted. Researchers also found a video advertisement for the virus on YouTube.



An analysis of the variant found the term 'hospitalspam' in the directory path, indicating it's not an isolated case -- but part of an ongoing hospital spear-phishing campaign that began in March.

Spear-phishing attacks have grown increasingly tailored, according to ICIT Senior Fellow James Scott. Hackers target employees with the highest privileges. The information is pulled from social media and other platforms to find specific information about the intended victim, which makes the spear-phishing campaigns highly effective.


"Individually, this may not be a great deal of an attack towards the healthcare sector," the researchers said. "However, this may signify the start of a trend wherein smaller ransomware operators empowered by ransomware-as-service platforms will start aiming for this industry, ultimately leading to even bigger and diversified ransomware attacks against the healthcare sector."

This article first appeared in Healthcare IT News.

Twitter: @JessiefDavis