Amateur cybercriminals may be shifting toward targeting the healthcare sector with off-the-shelf ransomware, according to security researchers at Forcepoint Security Labs.
Forcepoint is an Austin, Texas-based cybersecurity software company. Roland Dela Paz, a senior security researcher at the company, detailed in a blog post that Forcepoint Security Labs has identified a ransomware-as-a-service (RaaS) platform, called Philadelphia, that was used in a cyber attack on a healthcare organization.
“In that attack, a shortened URL, which we believe was sent through a spear-phishing email, was used as a lure to infect a hospital from Oregon and Southwest Washington. Once a user clicks on the link, the site redirects to a personal storage site to download a malicious DOCX file,” Dela Paz wrote.
He noted that the document contained the targeted healthcare organization’s logo and a signature of a medical practitioner from that organization. Three document icons pertaining to patient information were also present in the file; when the user double-clicks an icon, a malicious JavaScript is triggered, which downloads and executes a variant of the Philadelphia ransomware.
“Believed to be a new version of the Stampado ransomware, Philadelphia is an unsophisticated ransomware kit sold for a few hundred dollars to anyone who can afford it. Recently, a video advertisement of Philadelphia surfaced on YouTube,” he wrote.
Dela Paz further wrote in the blog post, “A few things in the malware captured our interest. Aside from the tailored bait against a specific healthcare organization, the encrypted JavaScript above contained a string ‘hospitalspam’ in its directory path. Likewise, the ransomware C2 also contained ‘hospital/spam’ in its path. Such wordings would imply that this is not an isolated case; but that the actor behind the campaign is specifically targeting hospitals using spam (spear phishing emails) as a distribution method.”
He also noted that ransomware-as-a-service platforms such as Philadelphia continue to attract would-be cybercriminals to take part in the ransomware business. And, while this example represents only one healthcare organization that was targeted, the researcher noted that it could signify the beginning of a trend with smaller ransomware operators, using RaaS platforms, aiming for the healthcare sector, “ultimately leading to even bigger and diversified ransomware attacks” against the sector, he wrote.