Philadelphia is a ransomware that runs on Microsoft Windows. It is aimed at English-speaking users. According to Rainmaker, Philadelphia is being sold as a low-cost ransomware solution that allows any wannabe criminal to get an advanced ransomware campaign up and running with little expense or complexity.
For an attacker to set up a Philadelphia campaign, they need to install PHP scripts called Bridges on web sites. Infected machines connect to these Bridges, which store the encryption key and information about the victim. The ransomware also uses them to check whether a ransom payment has been made.
The attacker then runs a management client called the Philadelphia Headquarters on their machine, which will connect to each configured bridge and download the victim data to their management console. This client allows the attacker to see who is infected, what countries have the most infections, and even offers a mercy button if a compassionate attacker wants to allow someone to decrypt their files for free.
Philadelphia is distributed through malicious campaigns using email spam and malicious attachments. It was being sold for $400 USD by a malware developer named The Rainmaker.
When the ransomware is started, it loads an embedded configuration file containing directives that specify how it should encrypt the computer. The ransomware currently being distributed targets fixed, removable, and network drives, as well as drive root folders. When encrypting files it uses a custom encryption algorithm and targets the following file types:
.7z, .asp, .avi, .bmp, .cad, .cdr, .doc, .docm, .docx, .gif, .html, .jpeg, .jpg, .mdb, .mov, .mp3, .mp4, .pdf, .php, .ppt, .pptx, .rar, .rtf, .sql, .str, .tiff, .txt, .wallet, .wma, .wmv, .xls, .xlsx, .zip
When a file is encrypted, its name is scrambled and the .locked extension is appended to it. For example, test.jpg may become 7B205C09B88C57ED8AB7C913263CCFBE296C8EA9938A.locked. When encryption is finished, the ransomware displays a lock screen.
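The targeted extension list and the scrambled-hex-plus-.locked rename pattern described above are enough to triage a file listing from a suspected infection. The following script is an added example for defenders and is not part of the original page or of the malware; it assumes the scrambled stem is always upper-case hex (the page shows one 44-character example, so the length is left open).

```python
import re
from pathlib import PureWindowsPath

# Extensions the page lists as targets of the currently distributed build.
TARGETED_EXTENSIONS = {
    ".7z", ".asp", ".avi", ".bmp", ".cad", ".cdr", ".doc", ".docm", ".docx",
    ".gif", ".html", ".jpeg", ".jpg", ".mdb", ".mov", ".mp3", ".mp4", ".pdf",
    ".php", ".ppt", ".pptx", ".rar", ".rtf", ".sql", ".str", ".tiff", ".txt",
    ".wallet", ".wma", ".wmv", ".xls", ".xlsx", ".zip",
}

# Encrypted files get a scrambled name plus .locked, e.g.
# 7B205C09B88C57ED8AB7C913263CCFBE296C8EA9938A.locked (the page's example).
# Assumption: the stem is upper-case hex; a minimum length of 16 keeps
# ordinary names such as notes.locked from matching.
LOCKED_NAME = re.compile(r"^[0-9A-F]{16,}\.locked$")


def is_targeted(path: str) -> bool:
    """True if the file has an extension the ransomware encrypts."""
    return PureWindowsPath(path).suffix.lower() in TARGETED_EXTENSIONS


def looks_encrypted(path: str) -> bool:
    """True if the file name matches the scrambled-hex + .locked pattern."""
    return LOCKED_NAME.match(PureWindowsPath(path).name) is not None


def triage(paths):
    """Split a listing into suspected-encrypted, at-risk (targeted) and other files."""
    encrypted = [p for p in paths if looks_encrypted(p)]
    at_risk = [p for p in paths if not looks_encrypted(p) and is_targeted(p)]
    other = [p for p in paths if p not in encrypted and p not in at_risk]
    return {"encrypted": encrypted, "at_risk": at_risk, "other": other}


# Constructed sample listing, as a responder might export from a user profile.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\7B205C09B88C57ED8AB7C913263CCFBE296C8EA9938A.locked",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Pictures\test.jpg",
    r"C:\Users\alice\Desktop\notes.locked",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    for bucket, files in triage(SAMPLE_LISTING).items():
        print(f"{bucket}: {len(files)}")
```

A sudden rise in the "encrypted" bucket across a share, or files from the "at_risk" bucket disappearing while hex-named .locked files appear, is the signal worth alerting on.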
If Russian Roulette is enabled, a countdown begins; when it reaches zero, a preconfigured number of files is deleted.
There is also a note in the AutoIt script that says, "fuck you fabian"