Background and Timeline

Now that attackers realize the financial benefits of ransomware – and enterprises are, unfortunately, often willing to pay instead of waiting for an investigation – the advent of easy-to-distribute ransomware is on an astronomical upward trajectory.

As Cylance detailed in February, 2017, the Satan ransomware-as-a-service (RaaS) variety showed how easy it is for anyone to distribute ransomware and hold individuals and enterprises hostage.

Today, our Threat Guidance team examines Philadelphia ransomware in our Threat Spotlight blog series. Offered by the same inventor as Stampado, Philadelphia is available online for only $300. For this low price, owners get a payload builder and server component to communicate with (unlock) the endpoints. The bar just keeps getting lower for these RaaS online offerings – creating criminal “hackers” out of anyone with enough cash and greed to hold an organization hostage for their own financial gain.

How Is It Delivered? What Does It Do?

Much like other ransomware, Philadelphia ransomware can be embedded in weaponized Office documents and delivered via phishing emails – or more recently, sent as a link to a server included in an email message (to evade email scanning tools).

In a curious twist, both researchers and victims have recently observed a trend of the attackers themselves personally planting the malicious payload on servers and detonating it, utilizing delivery methods such as rogue USB drives, which can either be inserted by an attacker, or by planting a USB drive on the grounds of the target institution. In 70% of cases, employees who found the ‘lost’ USB drive would unthinkingly plug it directly into their laptop to view the contents. This method of attack is especially high for servers and endpoints inside demilitarized zones (DMZ) at healthcare providers, financial institutions, and media companies. Even if employees are trained not to touch planted USB devices, the insider threat is very real and is one of the hardest types of attackers to defend an organization against.

Since the malicious payload can be fully customized – from message to icon – it can also slide by many ‘next-generation’ antivirus (AV) tools. For products that look primarily at hash values, including endpoint detection and response (EDR) and forensics – these RaaS files with their never-seen-before executables wreak havoc before even firing a suspicious activity alert. All too many legacy AV products let these types of malware in and only tell you something bad has happened when the malware has already executed, locked up your data, or otherwise made you a victim to a malicious attacker.

And those solutions which require execution before termination – which is the vast majority of traditional security market, including sandboxes and anti-malware products – take action too late. You may get a security alert, but only after the ransomware has already locked down your machine.

We’ve seen endless promotion of post-ransomware remediation and rollback, and the adverts make it look great, but in real life, communicating to endpoints through the Volume Shadow Copy Service (VSS) is a pipe dream – infected machines will only be able to talk to the ransom host, as defined by the easy-to-configure tool (which Philadelphia includes), making those solutions completely ineffective against these types of ransom-based attacks.

Does Cylance Protect Against Philadelphia Ransomware?

Since Cylance is highly focused on predictive, prevention technology, our endpoint protection product CylancePROTECT® stops these attacks at their core – before they execute.

It doesn’t matter what the hash value is, when it was created, or how it’s delivered. Cylance immediately detects the malicious activity, terminating its execution before it has a chance to encrypt files or communicate back to control servers. This negates all of the damage which could occur, and negates the need to pay for expensive remediation services to fix the damage and clean up the mess.

Think about that – no more requirement for email scanning, web filtering, network connection protection, or targeted malware prevention. Cylance has you covered – and doesn’t require assistance from a multitude of modules to overcome gaps in its core protection.

Convinced that the next generation of endpoint security is right for your organization? Contact a Cylance expert to get started.