{
	"id": "3bde33d0-62ef-425b-9f17-62ef46fd61c5",
	"created_at": "2026-04-06T00:18:31.56921Z",
	"updated_at": "2026-04-10T03:21:45.615837Z",
	"deleted_at": null,
	"sha1_hash": "9468ed3c9493310eaa402451e41776435fc2a808",
	"title": "Philadelphia Ransomware Brings Customization to Commodity Malware | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1479689,
	"plain_text": "Philadelphia Ransomware Brings Customization to Commodity Malware | Proofpoint US\r\nBy Proofpoint Staff, April 25, 2017\r\nPublished: 2017-04-25 · Archived: 2026-04-05 13:39:00 UTC\r\nOverview\r\nPhiladelphia ransomware is a relatively new ransomware variant, first observed in September of last year.\r\nDesigned as an easy-to-use piece of malicious software with low barriers to entry for new ransomware actors,\r\nPhiladelphia is simple to customize and deploy. Although we most often associate ransomware, including\r\nPhiladelphia, with large-scale, \"spray and pray\" campaigns that send high message volumes to a wide spectrum of\r\nconsumers and organizations, we are beginning to see significant differentiation among attacks, ransoms, scale,\r\nand even targeting.\r\nIn this blog, we focus on a recent Philadelphia ransomware campaign used in a series of targeted email attacks\r\nagainst a small number of organizations using lures and attachments highly customized for the targeted\r\norganizations. In addition to explicit targeting, recent attacks using Philadelphia highlight the ability to customize\r\nwhat is essentially commercial off-the-shelf (COTS) malware, personalizing aspects of attacks such as the ransom\r\nnote and ransom amounts.\r\nAnalysis\r\nSince late last month, we have seen actors using Philadelphia to target specific healthcare institutions, among\r\nother organizations in the same city. 
In this case, email messages purporting to be from an employee at a targeted\r\ncompany with subjects such as \"Patient Referral\" contained bit.do (URL shortener) links leading to the download\r\nof Philadelphia.\r\nhttps://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware\r\nPage 1 of 11\n\nFigure 1: Email sample with patient referral lure\r\nAlthough redacted in Figure 1, the use of so-called \"display name spoofing\" to make the emails appear to be from\r\ninternal senders is a technique commonly associated with targeted attacks and has been on the rise among business\r\nemail compromise (BEC) actors.\r\nAdditionally, the actor took an extra step to customize the ransom note by:\r\n(1) Calling out the potential victim organization by name\r\n(2) Setting the ransom to a high amount of 15 Bitcoins (approximately $18,000 USD) and\r\n(3) Threatening to delete 99 files every 45 minutes\r\nFigure 2: Customized ransom note\r\nRansom Note Customizations\r\nWe determined that the demanded ransom amount is configurable and is returned in the command and control\r\n(C\u0026C) server response to the initial check-in beacon by the victim machine. The Bitcoin address and victim ID\r\nare returned in the same response. However, this is the first instance of ransom note customization we have\r\nobserved with Philadelphia ransomware. This customization occurs through a setting that is built into the malware\r\nitself. Examining our malware corpus, we found several other instances of ransom note customization for\r\nPhiladelphia ransomware, tailored to a variety of different situations.\r\nIn one case, the ransom note was colored pink and included a small payoff amount of 0.05 Bitcoins. 
The note\r\nthreatened the victim, claiming “YOU HAVE BEEN EXPOSED!” and that three files will be deleted every hour,\r\nostensibly as a consequence for browsing pornography. At this time, we have not determined how this particular\r\ninstance of Philadelphia ransomware was spread to potential victims.\r\nFigure 3: Pink ransom note displayed by a sample with SHA256 hash of\r\na1e1b22f907b4b5d801e7c1dd3855d77bf28831eaadc2fbf9ed16ee0cdcc8ccf\r\nIn another case, we found a sample with a Russian-language ransom note. The English translation (see full text in\r\nAppendix A) told victims “Do not write to us if you do not like the price. We do not bargain.”\r\nFigure 4: Red ransom note displayed by a sample with SHA256 hash of\r\n55793f2cd2a061646e73f0520f5f43a82da1c890624c0317777d5917efe68761\r\nDelivery\r\nAs in the healthcare-targeted campaign, we have seen Philadelphia ransomware spreading via URLs linking to\r\nzipped executables in email. 
A related healthcare campaign from the same actor also targeted hospitals with URLs,\r\nbut in that case led to macro-laden Microsoft Word documents.\r\nWe also found a sample of a Microsoft Word document named CV.doc (Figure 5) that used macros and PowerShell\r\nto download Philadelphia from a payload site.\r\nFigure 5: Document attachment sample with SHA256 hash of\r\n6c852f2dcd2189f2c24c7b779dce62b114b293b983b5daa0858f7648af4a5424, which downloads the final payload\r\nIt appears that Philadelphia is also spread via keygen and cracking sites, as we found samples of the ransomware\r\nbundled with various keygen programs and Bitcoin-related software.\r\nFigure 6: The ransomware sample with SHA256 hash of\r\ne5d52926187e2b4b3086b14fe718d1896516a6d99e20efeb77e44b25e2f3de3e is bundled with this keygen program\r\nFigure 7: The ransomware sample with SHA256 hash of\r\na4450709af37731f17d29ddf4d83f9daafbae7dc67393e7f13fb2dcaf9a321e6 is bundled with this program\r\nFinally, we have also observed Philadelphia being distributed via Sundown and RIG exploit kits.\r\nConfiguration File\r\nAs noted above, a server-side script controls several parameters, including the ransom amount. In Figure 8, this\r\nparameter is set to 0.2 Bitcoins. The “confirmations” parameter, shown with the value “3”, appears to be the\r\nnumber of times the victim has to confirm that he or she paid the ransom.\r\nFigure 8: Example Philadelphia configuration as stored on the C\u0026C server for the sample with SHA256 hash of\r\nb6be75155ca197c4931ed166dcc7725ad44adcfc8b9b6947f7cb69d2bf63ff64\r\nFigure 9: The server response to the initial victim check-in returns the victim ID, followed by a Bitcoin address\r\n(highlighted) and then by the ransom amount. 
In this case, the amount is 0.2 as specified in the configuration file.\r\nConclusion\r\nWhile geographically targeted ransomware has been a part of the threat landscape for some time, targeting of\r\nransomware at specific companies or verticals has been rare. As these recent Philadelphia ransomware examples\r\nshow, even ‘entry-level’ ransomware is adopting the techniques of targeted email-based attacks, including:\r\nEmail lures and attachment filenames customized for the targeted organization\r\nSpoofing to make it appear that the message was sent internally\r\nCustomized payment amounts, deletion schedules, ransom messages, languages, and even colors per\r\norganization.\r\nThese targeted campaigns are carried out even as we continue to observe broad-based distribution of Philadelphia\r\nransomware through both email and web-based attacks.\r\nRansomware can be quite lucrative for threat actors in broad-based campaigns where actors generally rely on high\r\nvolumes and relatively low ransoms to monetize ransomware. However, healthcare organizations are becoming a\r\nfavorite for more targeted, higher-ransom attacks as well. Philadelphia ransomware in particular is not considered\r\nespecially sophisticated in its coding or encryption but is notable for being an early example of \"commodity\r\nransomware\", sold cheaply for widespread use among various threat actors. We have also observed cracked\r\nversions of Philadelphia in the wild that do not require any upfront costs for would-be ransomware actors.\r\nChanges in the ransomware landscape are not limited to Philadelphia. 
For example, we have recently observed\r\nnarrow-spread Sage ransomware campaigns being delivered to small numbers of organizations in a few verticals.\r\nOn the other hand, Locky returned to large-scale distribution recently but in sporadic campaigns using new\r\ndistribution vectors and demanding a higher ransom. In our recent first quarter Threat Report, we highlighted the\r\ncontinued rapid growth of ransomware variants in the wild. While many of these new variants fail to gain traction,\r\nothers come with new approaches and features.\r\nFigure 10: Indexed growth of ransomware variants reported or observed since December 2015\r\nAs commodity ransomware becomes more sophisticated and customizable, new strains emerge rapidly, and\r\nransomware-as-a-service becomes more commonplace, the possibilities for threat actors to use this type of\r\nmalware in unexpected ways increase. Organizations need to adopt robust strategies to stop ransomware messages\r\nat the door as effective attacks can have major financial impacts, both directly in terms of large ransoms and\r\nindirectly in terms of time, productivity, and effectiveness.\r\nIndicators of Compromise (IOCs)\r\nET and ETPRO Suricata/Snort Coverage\r\n2822596 | ETPRO TROJAN Win32/Philadelphia Ransomware Encryption Activity\r\n2822136 | ETPRO TROJAN Win32/Philadelphia Ransomware CnC Checkin\r\nAppendix A\r\nFull ransom note for sample with SHA256\r\n55793f2cd2a061646e73f0520f5f43a82da1c890624c0317777d5917efe68761\r\nOriginal ransom note text:\r\nВаши файлы были зашифрованы.\r\nВы можете самостоятельно восстановить их.\r\nДля этого нужно отправить $200 в биткоинах на счет указанный в поле «Номер кошелька».\r\nДля создания собственного кошелька используйте проверенный ресурс:\r\nhttps://blockchain.info/\r\nДля обмена рублей в биткоины рекомендуем следующие ресурсы:\r\nhttps://www.savechange[.]ru\r\nhttps://x-obmen[.]ru\r\nhttps://x-pay[.]cc\r\nhttps://kassa[.]cc\r\nПосле оплаты необходимо ввести код транзакции в поле «Код транзакции».\r\nЗатем отправить его нам, нажав кнопку «Отправить».\r\nПосле получения 3-х подтверждений мы начинаем расшифровку ваших файлов.\r\nВ течение от 5 минут до часа Ваши файлы будут расшифрованы автоматически,\r\nесли компьютер будет подключен к интернету.\r\nВ случае возникновения проблем с расшифровкой обратитесь по адресу:\r\nkenthottoren@gmail[.]com\r\nВ письме требуется указать Ваш IP-адрес и имя пользователя.\r\nЭту информацию можно посмотреть на сайте:\r\nhttp://2ip[.]ru\r\nНе пытайтесь восстановить данные с помощью антивирусных утилит, испортите все файлы.\r\nЕсли хотите попробывать, пробуйте на другом ПК и минимум файлов, иначе потом 
даже я не смогу\r\nпомочь.\r\nИ помните пожалуйста, что цена каждый день растет.\r\nP.S. Пишите четко, ясно, предельно понятно, учитывайте, что кроме Вас пишет много людей.\r\nВ диалоги не вступаю, работа по приницпу быстро заплатил, сразу получил.\r\nНе устраивает цена услуги, больше не пишите.\r\nПопытки расшифровать самостоятельно не приведут ни к чему, кроме безвозвратной потери информации.\r\nRansom note translation:\r\nAll the important files on your computer were encrypted.\r\nTo decrypt the files you should send $200 in Bitcoin to the address written in the «Wallet ID» field.\r\nTo create your own wallet use a trusted resource:\r\nhttps://blockchain.info/\r\nFor currency exchange you can use the following links:\r\nhttps://www.savechange[.]ru\r\nhttps://x-obmen[.]ru\r\nhttps://x-pay[.]cc\r\nhttps://kassa[.]cc\r\nAfter successful payment, paste the transaction number in «Transaction ID» and send it to us with «Send».\r\nWithin 5 minutes to an hour after payment, all your files will be decrypted automatically, but internet\r\naccess is required.\r\nIn case of problems, contact:\r\nkenthottoren@gmail[.]com\r\nWe can't help you without your IP address and username. So you should put this information in your e-mail.\r\nAll the attempts of decryption by yourself will result only in irrevocable loss of your data.\r\nQuickly paid/immediately received. Do not write to us if you do not like the price.\r\nWe do not bargain.\r\nAnd please remember that the price is growing every day.\r\nSource: https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware"
	],
	"report_names": [
		"philadelphia-ransomware-customization-commodity-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434711,
	"ts_updated_at": 1775791305,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9468ed3c9493310eaa402451e41776435fc2a808.pdf",
		"text": "https://archive.orkl.eu/9468ed3c9493310eaa402451e41776435fc2a808.txt",
		"img": "https://archive.orkl.eu/9468ed3c9493310eaa402451e41776435fc2a808.jpg"
	}
}