Philadelphia is the second ransomware-as-a-service (RaaS) created by The Rainmaker; the first was its predecessor, Stampado. Oddly enough, the earliest mentions of Philadelphia come from a Bleeping Computer forum post by Arslan0708 on September 7, 2016. Arslan0708 allegedly hacked a user on AlphaBay and captured a conversation between The Rainmaker and SkrillGuide2015. In that conversation, The Rainmaker states they will begin selling the Philadelphia RaaS kit "tomorrow" (September 8, 2016). Thus, the first time this ransomware was seen was in September 2016.
The Rainmaker produced a lot of promotional content to sell its $389 RaaS software, which is written in AutoIt. There was a YouTube video and an official PowerPoint slide deck advertising its features. Customization options for the ransomware included the color of the ransom note, the folders targeted for encryption, user access controls, mutexes, a custom BTC wallet, and more.
This ransomware uses the extortion types "Give Mercy" and "Data Russian Roulette." The Russian Roulette extortion type lets operators delete a random amount of data from the victim's machine after the timer expires, and, as you may have guessed, giving mercy means providing the victim with decryption keys without payment. Philadelphia was popular enough that threat groups such as TA505 acquired a license and used it against victims worldwide. The smallest extortion demand seen in the wild was 0.5 BTC, and the largest was 15 BTC.
Ransom note pictures are derived from The Crypto-Ransomware Digest and Proofpoint.