{
	"id": "4d524b91-f077-41b9-b18c-8eb03e0fb1c0",
	"created_at": "2026-04-06T00:21:28.231339Z",
	"updated_at": "2026-04-10T03:20:39.487913Z",
	"deleted_at": null,
	"sha1_hash": "d0ead92dc82cf2616459f756ccc08edb8bd4de72",
	"title": "The Philadelphia Ransomware offers a Mercy Button for Compassionate Criminals",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1263289,
	"plain_text": "The Philadelphia Ransomware offers a Mercy Button for Compassionate\r\nCriminals\r\nBy Lawrence Abrams\r\nPublished: 2016-09-08 · Archived: 2026-04-05 19:18:47 UTC\r\nA new version of the Stampado ransomware called Philadelphia has started being sold for $400 USD by a malware\r\ndeveloper named The Rainmaker. According to Rainmaker, Philadelphia is being sold as a low cost ransomware solution\r\nthat allows any wannabe criminal to get an advanced ransomware campaign up and running with little expense or\r\ncomplexity.\r\nOn closer inspection, though, the Philadelphia Ransomware is not as sophisticated as advertised. As it is programmed in the\r\nAutoIT scripting language, it can be decompiled and analyzed for weaknesses, and Fabian Wosar of\r\nEmsisoft is confident that it can be decrypted.\r\nLock Screen\r\nI was first notified of this new version by a poster in the forums who claimed he was able to intercept communications\r\nbetween a person going by the handle of SkrillGuide2015 and the Philadelphia developer The Rainmaker. This conversation\r\nwas taking place on the AlphaBay Tor criminal site, and shows Rainmaker explaining how he has started selling his new\r\nPhiladelphia ransomware project for $400 USD and that he plans on starting to distribute it today. Rainmaker's goal was to\r\ninfect 20 thousand victims on his first day of distribution.\r\nAccording to Rainmaker, Philadelphia \"innovates\" the ransomware market with features such as autodetecting when a\r\npayment has been made and then automatically decrypting, infecting USB drives, and infecting other computers over the\r\nnetwork. Of particular note is a Mercy Button that allows a compassionate criminal to automatically decrypt a particular\r\nvictim's files for free.
In order to demonstrate this new ransomware, Rainmaker has created a PDF showing its capabilities.\r\nhttps://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/\r\nPage 1 of 7\n\nThe advertised features are:\r\nEverything is customisable:\r\nYou can set the folders where the Ransomware will look for files as well as the depth/recursion level\r\nYou can set the extensions, you can enable, disable and define intervals for the deadline and the Russian\r\nroulette (as well as editing how many files are deleted on every Russian roulette interval and whether the\r\nfiles or the crypt key gets deleted once the deadline ends)\r\nYou can edit file icon and Mutex\r\nYou can edit the UAC (user access control) in four available options: (1) do not ask for admin privileges;\r\n(2) ask and insist until it is given; (3) ask but run anyway even if it is not given; (4) ask and give up if it is\r\nnot given\r\nYou can edit all the interface texts as well as add multiple languages to the same file (it will detect the\r\nmachine language and display the texts you edited for that locale or a default/fallback one)\r\nYou can enable or disable USB infect, network spread and Unkillable Process, as well as set the process\r\nname\r\nThe Philadelphia Headquarters is software that works on your machine and allows you to generate unlimited\r\nbuilds, see the victims on a map and on a list (with country flags and all the data you need) and also a \"Give\r\nMercy\" button if you're too good 0:)\r\nBut the coolest Philadelphia feature (and what makes its maintenance so cheap) is that, instead of huge servers under\r\nour control where you must pay high amounts monthly, we present you the \"Bridges\". 
Bridges are the way\r\nvictims and attackers get in touch in a distributed network. It's simply a PHP script that uses itself as database\r\n(no MySQL or whatever needed, just PHP). Bridges store the clients' keys, verify payments and provide the\r\nvictims' information to the headquarters safely. And they can be hosted on nearly any server: even hacked servers,\r\nshared hosting (free hosting works but it is not recommended as they can delete your account if it's not a fully\r\nfunctional website), dedicated or VPS (recommended for bigger attacks, although the requests are small and are\r\nonly done a few times). As the bitcoin payment verification is done on the server side, by the bridge, there is no\r\nway to spoof it on the victim machine. Also, the distributed bridges network will grant better anonymity.\r\nEverything is very well documented in a plain-English help file!\r\nPrints: https://www.docdroid.net/vJV82cC/philadelphia-prints.pdf.html\r\nThough the bridges + headquarters client looks interesting, it has some serious flaws as described in the next section.\r\nTaking a Bridge to the Headquarters\r\nFor an attacker to set up a Philadelphia campaign, they need to install PHP scripts called Bridges on web sites. These\r\nBridges will be connected to by the ransomware infection and will store the encryption key and information about the\r\nvictim. They are also used by the ransomware to check if a ransom payment has been made.\r\nThe attacker then runs a management client called the Philadelphia Headquarters on their machine, which will connect to\r\neach configured bridge and download the victim data to their management console. 
This client allows the attacker to see\r\nwho is infected, what countries have the most infections, and even offers a mercy button if a compassionate attacker wants\r\nto allow someone to decrypt their files for free.\r\nPhiladelphia Headquarters Management Console\r\nThere is a fundamental problem, though, with this Bridge implementation. Unless these bridges are hosted on anonymous\r\nnetworks like Tor, they will most likely be discovered and taken down fairly quickly. As the addresses of these bridges are\r\nhard-coded into the ransomware, once a bridge is disabled, a victim no longer has any way to pay the ransom or decrypt\r\ntheir files. For this implementation to really work, an attacker would need to set up bridges using Tor, which increases the\r\ncomplexity of the setup.\r\nAnother malware dev unhappy with Researcher Fabian Wosar\r\nThe first two versions of Stampado could be decrypted by Fabian Wosar of Emsisoft, and it appears that this\r\nnew Philadelphia variant is no exception. Like the Apocalypse Ransomware developer, Rainmaker has not taken kindly to\r\nFabian's attention, as can be seen by a note left in the ransomware's AutoIT script.\r\nInsulting Fabian Wosar in the Code\r\nHow the Philadelphia Ransomware Encrypts a Victim's Files\r\nBased on images and mailing list software found on one of the Bridges, I believe that this ransomware is\r\ndistributed through phishing emails that pretend to be an overdue payment notice from Brazil's Ministério da Fazenda, or the\r\nMinistry of Finance. 
You can see an example of the fake notice found on one of the Bridges below.\r\nSPAM Notice\r\nThese phishing emails most likely contain a link back to the top level folder of the Bridge, which contains a Java program\r\nthat automatically downloads and executes the installer for the Philadelphia ransomware.\r\nWhen the ransomware is started, it will load an embedded configuration file that contains directives as to how the\r\nransomware should encrypt a computer. The ransomware currently being distributed will target fixed, removable,\r\nand network drives, and drive root folders. When encrypting files it will use a custom encryption algorithm and target the\r\nfollowing files:\r\n*.7z;*.asp;*.avi;*.bmp;*.cad;*.cdr;*.doc;*.docm;*.docx;*.gif;*.html;*.jpeg;*.jpg;*.mdb;*.mov;*.mp3;*.mp4;*.pdf;*.php;*.pp\r\nWhen a file is encrypted, its name will be scrambled and have the .locked extension appended to it. For example, test.jpg\r\nmay become 7B205C09B88C57ED8AB7C913263CCFBE296C8EA9938A.locked.\r\nWhen it is finished it will display the lock screen shown below.\r\nLock Screen\r\nLast, but not least, if Russian Roulette is enabled, a counter will begin and when it runs down to zero, a certain\r\npreconfigured number of files will be deleted.\r\nAs noted above, this ransomware is most likely decryptable for free. So if you are infected with Stampado, or this\r\nPhiladelphia variant, please do not pay the ransom. 
Instead, you should ask for help in our Stampado Ransomware Help \u0026\r\nSupport Topic.\r\nFiles associated with the Philadelphia Ransomware:\r\n%UserProfile%\\[random]\r\n%UserProfile%\\[random]\r\n%UserProfile%\\Isass.exe\r\nRegistry entries associated with the Philadelphia Ransomware:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Update %UserProfile%\\Isass.exe\r\nNetwork Communication:\r\nhttp://sshtunnel.at\r\nIOCs:\r\nNov.peg - SHA256: 812ddd619e12fb2c90c8395fd02fe12638e997a29f86f7d39e42d50de832d4f0\r\nDownloader - SHA256: ea75b18697b819e6d1d159fc3a0477870f1be7e6ca498a67eb797a829a9b1d7d\r\nSource: https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/"
	],
	"report_names": [
		"the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals"
	],
	"threat_actors": [],
	"ts_created_at": 1775434888,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0ead92dc82cf2616459f756ccc08edb8bd4de72.pdf",
		"text": "https://archive.orkl.eu/d0ead92dc82cf2616459f756ccc08edb8bd4de72.txt",
		"img": "https://archive.orkl.eu/d0ead92dc82cf2616459f756ccc08edb8bd4de72.jpg"
	}
}