Philadelphia is not yet as dangerous as some of the big name ransomware types like Locky.
Philadelphia is not yet as dangerous as some of the big name ransomware types like Locky.

A cybercriminal going by the moniker The Rainmaker has updated the Stampedo ransomware to a new version dubbed Philadelphia and is now selling if for $400, but the good news is the malware is flawed.

Philadelphia is designed to let a wannabe ransomware criminal get into the game with just a small investment and a little knowledge, Bleeping Computers' founder, Lawrence Abrams. told SCMagazine.com in an email. Some of its features include automatically detecting when a ransom is paid and then decrypting the victim's files and the ability to spread to attached storage devices and networked computers, Adams said.

“The Philadelphia Headquarter is a software that works on your machine and allows you to generate unlimited builds, see the victims on a map and on a list (with country flags and all the data you need) and also a 'Give Mercy' button if you're too good 0:),” from The Rainmakers online ad for the ransomware.

However, for all the new bells and whistles and ease of use Adams pointed out that Philadelphia also has some notable issues. One of the flaws is also put forth as a feature. Instead of utilizing a command and control server set up it includes a PHP script, that Rainmaker calls Bridges, that connects the ransomware to a user interface and also store the decryption key.

“Yes, for the most part this is a not a well thought out ransomware," Abrams said. "It could change, though, if he used a strong encryption algorithm.”

The negative aspect of this, Abrams said, unless the Bridges are run on a Tor-like network they can be detected and taken down. The problem for the victims in these cases is that once the Bridge is removed the ransom cannot be paid nor the files decrypted.

But the biggest problem with Philadelphia is there is a decryptor available, as there was for the earlier Stampedo version.

The ransomware is spread in Brazil using overdue payment notices from that country's minister of finance as the social media hook. As far as its impact Abrams said it's too early to tell, but so far it ranks far below the big players such as Locky, CryMIC and Cerber.

Another odd addition to the ransomware is the “Mercy” button, which Abrams said is unique and something he has not seen before. It allows the criminal to decrypt the files for free if for some reason they have a change of heart.