menu

Contact Us

1 (800) 723-1166 |

Security Labs

HomeSecurity LabsOff-the-shelf Ransomware Used to Target the Healthcare Sector
HomeSecurity LabsOff-the-shelf Ransomware Used to Target the Healthcare Sector

Off-the-shelf Ransomware Used to Target the Healthcare Sector

In the past year, the Healthcare sector was one of the biggest industries that were hit by ransomware attacks. Being inclined to paying ransom to recover patient data, the Healthcare sector became a low hanging fruit for seasoned ransomware operators looking to maximize profit, such as those behind the Locky ransomware. However, it appears that amateur cybercriminals have also started to shift towards this trend in the form of an off-the-shelf ransomware aimed at a healthcare organization in the United States.

In this attack, a shortened URL, which we believe was sent through a spear-phishing email, was used as a lure to infect a hospital from Oregon and Southwest Washington. Once a user clicks on the link, the site redirects to a personal storage site to download a malicious DOCX file. This document contains the targeted healthcare organization's logo and a signature of a medical practitioner from that organization as bait:

As can be seen above, three document icons pertaining to patient information are present in the file. These icons all point to a malicious JavaScript with the following code snippet:

Once the user double-clicks any of the icons, the Javascript is triggered which downloads and executes a variant of the Philadelphia ransomware. Believed to be a new version of the Stampado ransomware, Philadelphia is an unsophisticated ransomware kit sold for a few hundred dollars to anyone who can afford it. Recently, a video advertisement of Philadelphia surfaced on Youtube.

Upon execution, the dropped Philadelphia variant communicates to its command and control (C2) server bridge to check in the newly infected system. It sends system information including the operating system, username, country, and system language. The C2 then replies with a generated victim ID, a Bitcoin wallet ID and the Bitcoin ransom price:

The ransomware then proceeds to encrypt files using AES-256 encryption and displays the following window:

A few things in the malware captured our interest. Aside from the tailored bait against a specific healthcare organization, the encrypted JavaScript above contained a string “hospitalspam” in its directory path. Likewise, the ransomware C2 also contained “hospital/spam” in its path. Such wordings would imply that this is not an isolated case; but that the actor behind the campaign is specifically targeting hospitals using spam (spear phishing emails) as a distribution method.

Based on the directory time stamp found on the ransomware C2, it appears that this campaign against hospitals started on the third week of March:


Forcepoint Security Statement

Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:

Stage 5 (Dropper File) - Related malware components are prevented from being downloaded and/or executed.

Stage 6 (Call Home) - HTTP requests to the Philadelphia command and control bridge are blocked.

Conclusion

Ransomware-as-a-service (RaaS) platforms such as Philadelphia continue to attract would-be cybercriminals to take part in the ransomware business. For instance, a teenager was identified as a suspect for operating Philadelphia just last month. At the same time, successful ransomware attacks in the Healthcare sector were heavily headlined in the past months which may have influenced the amateur threat actor in this case to target hospitals.

Individually, this may not be a great deal of an attack towards the Healthcare sector. However, this may signify the start of a trend wherein smaller ransomware operators empowered by RaaS platforms will start aiming for this industry, ultimately leading to even bigger and diversified ransomware attacks against the Healthcare sector. A public decrypter is available to those who have been infected by the Philadelphia ransomware.

Indicators of Compromise

Download links:

https://kaspersky.dattodrive[.]com/index.php/s/lhodbNAIcoNF6yb/download
http://87i03clk4zcw06uy1cv5[.]nl/mass/hospital/spam/payload/WINWORD.exe 

Ransomware C2:

http://87i03clk4zcw06uy1cv5[.]nl/mass/hospital/spam/index.php

DOCX file (SHA-256):

0e53d65ecd1d6ae5f77500c535b8916f43a1da04b59efde63c1ca593d8363483

Philadelphia (SHA-256):

2f5b4ad81d358d57b8076a9b432be0e41ddff729c596b5b8ce5a01039dfaac3c