This ransomware lets crooks spot their victim on a map

Ransomware has always been sinister - now it's creepy too.
Written by Danny Palmer, Senior Writer

This is a Philadelphia ransomware ransom note targeting a hospital -- but users will see something similar on their own computers if they're not careful.

Image: Proofpoint

As if ransomware wasn't sinister enough, a simple to use and easy to buy form of the file-encrypting malware now provides its users with the ability to track victims on Google Maps.

First appearing on the cybercriminal market in September last year, the Philadelphia ransomware is available for $400, and the developers offer a 'ransomware-as-a-service' package which provides support and updates for the malicious software.

The RaaS kit is even promoted to potential customers with adverts complete with slick marketing videos and promotional screenshots boasting of a 'Full Lifetime License' from its creators, complete with regular support.

That support includes software for managing attacks, including the ability to list all of the infected machines -- not just by displaying the country the victim is in, but their location and IP address as well.

The feature is designed to give the ransomware's users an insight into where they've made successful attacks -- including the set ransom amount for that target and their operating system.


The tracking feature of Philadelphia ransomware shows the location of victims.

Image: Sophos

"It's the operational part of running your 'hacking business' in order to manage the machines under control -- a critical element of a non-technical person's ability to leverage this tool and monetise it," Dan Schiappa, senior vice president of the Sophos Enduser and Network Security Group, told ZDNet.

While it's certainly a creepy new addition to the scammers' arsenal, there's perhaps some level of reassurance in the fact that the vast majority of Philadelphia users aren't anywhere near this level of sophistication. The ransomware comes with a 'mercy' feature which is designed to give cybercriminals an option if they grow a conscience and feel sympathy for the victim.

"There's rare cases of the bleeding heart hacker who finds out they've encrypted photos of someone's dead relative and they give mercy," said Schiappa.

But more often it is used by technically incompetent crooks to decrypt their own systems when they infect them by accident.

"One of the primary reasons we've seen is that people -- particularly non-sophisticated customers -- will infect themselves," said Schiappa. "They infect themselves, infect their friends, or they're using machines they want to clean and infect again just as they're testing things, that's what that's about."

Like the developers' other product, Stampado -- a much cheaper, but far less flexible ransomware -- Philadelphia is sold on the dark web, but access to ransomware is advertised on the open web with introduction videos and a how-to guide.

"It's idiot-proof. It's taken something that could be very sophisticated and technical and put it in the hands of those with malicious intent. That massively increases the scope of the use of the attacks," said Schiappa.

Fortunately, there is some good news in that some strains of Philadelphia have been cracked and free decryption tools are available.
