Philadelphia Ransomware

What is Philadelphia Ransomware?

Philadelphia Ransomware is a unique application because it is sold as Ransomware as a Service (RaaS) which means that anyone can get it. In this article, we will show you how you can remove it from your PC. Not only that, but we will also discuss its distribution methods and functionality. There is a lot of information to cover, and we will present it in simple terms to allow our non-tech-savvy users to fully understand the threat that this ransomware can pose to a computer’s security.test

Where does Philadelphia Ransomware come from?

For once, we have the luxury of knowing who created this ransomware. Its developer is known as Rainmaker. This alias is widely known among cyber security experts as this same developer has also released another nearly identical application called Stampado Ransomware not so long ago. Philadelphia Ransomware is a Ransomware as a Service-type application which means that its developer sells it to whoever is interested in buying it. Research has shown that this developer wants 400 USD from would-be cybercriminals.

Cyber security experts at have received information claiming that this particular ransomware is being distributed using phishing emails. These emails are said to masquerade as overdue payment notice from none other than Brazil’s Ministry of Finance. Hence, the notice is in Portuguese, so if you get an email like this, then rest assured that someone is trying to get your computer infected with ransomware. The email contains a link that features a malicious Java program that automatically downloads the ransomware once it has been clicked.

How does Philadelphia Ransomware work?

Once on your computer it will start running and scan it for fixed, removable, network drives and drive root folders and encrypt file formats such as .doc, .docm, .docx, .gif, .html, .jpeg, .jpg, and so on. Nevertheless, depending on the person to whom this ransomware has been sold, he or she can customize it and select or deselect certain locations and file types to encrypt. Also, the “clients” have the ability to define the intervals for the payment deadline and the “Russian roulette,” a cycle with intervals when a random set of files is deleted if the ransom is not paid. Furthermore, they can also edit the UAC (user access control,) and edit all the interface texts, among other things. To put it simply — the developer allows the clients to make many changes to this ransomware. There is even a "Give Mercy” button that the client can enable and decrypt files for selected people for free.

It appears that this ransomware is set to ask the victims to pay 0.3 BTC or 181.15 USD for the files to be decrypted. Philadelphia Ransomware has a unique feature called a “Bridge” which is a PHP script. The bridge is set to store client keys and verify payments and provide the victims with information. The payment verification is automatic, so there no need for the client to issue the decryption keys manually as this ransomware is configured to send the key automatically once the payment is made. Thankfully, the bridges have to be stored on a server, and if that server is not a TOR server, then the bridge will be disabled quite soon, and setting up a reliable TOR-based server is a more difficult task. Furthermore, Philadelphia Ransomware was programmed in the AutoIT scripting language, so it can be easily analyzed for weaknesses. Therefore, a free decryption tool may soon be on the way.

How to remove Philadelphia Ransomware

If you want to get rid of this malicious application, then we recommend opting for an anti-malware program such as SpyHunter because Philadelphia Ransomware can be a problem to delete manually. Still, we have composed of a manual removal guide for those of you who do not want to use an anti-malware tool. Once you have gotten rid of this application and you do not have to worry about it deleting your files when you fail to meet the payment deadline, you can start looking for a decryption tool.

Removal Instructions

  1. Hold down Windows+E keys.
  2. Enter C:\Users\{user name}\AppData\Roaming in the address bar.
  3. Find lsas.exe and delete it.
  4. Close the file Explorer window.
  5. Empty the Recycle Bin.
  6. Then, hold down Windows+R keys.
  7. Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  8. Find a string named Windows Update with Value data of %UserProfile%\Isass.exe
  9. Right-click it and click delete.
100% FREE spyware scan and
tested removal of Philadelphia Ransomware*

Leave a Comment

Enter the numbers in the box to the right *