
Philadelphia Ransomware: Remove It and Restore Your Files

A new variant of the Stampado ransomware, the Philadelphia virus, has been released to the public and uses the .locked file extension. It is sold on deep web markets as an inexpensive virus that can encrypt victims' files and make them pay a ransom to get them back. Anyone who has access to the deep web forums can have the Philadelphia ransomware for just $400. This low cost makes ransomware even more accessible to anyone who wants to extort users for their files. The “sales page” of the virus advertises it as a sophisticated threat, but malware researchers are convinced that it is not as unbeatable as it looks. This is why anyone who has been infected by this virus is strongly advised to remove it using the instructions in this article and to wait for a decrypter to be released while trying alternative file restoration methods.

Threat Summary



Type: Ransomware
Short Description: The malware encrypts users' files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
Symptoms: Philadelphia Ransomware leaves a ransom note and may delete random files from your computer if the terms in the note are not met. File names may be changed and various file extensions may be used.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.

Philadelphia Ransomware – Distribution Methods

Researchers at Bleeping Computer have reported that the virus is being sold in deep web forums and that its creator, The Rainmaker, has begun to distribute it, infecting over 20 thousand victims within the first day of his campaign. This possibly points to very massive spam campaigns that aim to spread the malicious files of Philadelphia ransomware. One spam campaign has been reported to distribute a fake notice from Brazil’s Ministry of Finance.


The fake notice was accompanied by a web link or a piece of JavaScript that aims to automatically connect to the malicious server of the crook controlling the virus and download Philadelphia to infect the user's PC and encrypt the files. This technique is called a drive-by download because the malicious executable of the Philadelphia virus is automatically executed as soon as it has been downloaded.

Philadelphia Virus – In-Depth Analysis

As soon as this malware is executed on the victim’s computer, it may immediately drop its malicious files and automatically execute them. It leaves two randomly named files and one executable directly in the user’s profile folder:

  • C:/Users/{UserProfile}/{random name}
  • C:/Users/{UserProfile}/{random name}
  • C:/Users/{UserProfile}/Isass.exe

The virus also simultaneously adds a value named Windows Update under the current user's Run registry key, so that the executable is started automatically under the guise of the update service:

→ HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update

Then Philadelphia may begin to encrypt the victim PC’s files, without the user even batting an eye. The Philadelphia virus may use different ciphers on different types of files, but by default it is reported to encrypt the following types of files:

→ .7z;.asp;.avi;.bmp;.cad;.cdr;.doc;.docm;.docx;.gif;.html;.jpeg;.jpg;.mdb;.mov;.mp3;.mp4;.pdf;.php;.ppt;.pptx;.rar;.rtf;.sql;.str;.tiff;.txt;.wallet;.wma;.wmv;.xls;.xlsx;.zip

After encryption, the files can no longer be opened by any type of software. The files are given completely random names, and the .locked file extension is added.

EmsiSoft researcher Fabian Wosar believes the encryption which may be used by this ransomware to be a strong one, but the virus itself may be poorly coded, which could make it relatively easy to create a decrypter for it.

After encrypting the files, the Philadelphia ransomware also performs various other activities, such as dropping a ransom note to notify the user of the situation. The ransom note has the following content:

→“All your files have been encrypted!
All your documents (databases, texts, images, videos, musics, etc.) were encrypted. The encryption was done using a secret key that is now on our servers. To ecrypt your files, you will need to buy the secret key from us. We are the only on the world who can provide this for you.
What can I do?
Pay the ransom, in bitcoins, in the amount and wallet below. You can use LocalBitcoins.com to buy bitcoins.”

In addition to this, the Philadelphia ransomware also includes a so-called “Russian roulette” mechanism that deletes a random file on the user's computer at random intervals if the requested ransom is not paid in Bitcoin. The ransom required by default is 0.3 BTC, but it may vary since the virus is sold to anyone who has $400.

Other features of the Philadelphia virus include the so-called “Philadelphia Headquarter”, a PHP-based user interface that lists all of the infected machines with their IP addresses, operating systems and unique IDs. It also offers management tools, such as tracking the device on Google Maps, checking whether the ransom has been paid, viewing detailed information and showing the private password for decrypting the files. The interface even has a “Give Mercy” button that decrypts the files for free.


Remove Philadelphia Ransomware and Restore .locked Files

To restore the files enciphered by Philadelphia ransomware, you should first delete the virus from your computer. To perform this removal process, please follow the instructions below. They are carefully designed to remove the virus so that no harm comes to the files. For better effectiveness, malware researchers also strongly recommend using advanced anti-malware software, since it should make sure that the Philadelphia virus is fully removed and that the computer is protected in the future as well.

To directly decrypt your files, we suggest following this article, since we expect a decrypter to be released soon by EmsiSoft. In the meantime, you may want to try the instructions in step 3, “Restore files encrypted by Philadelphia”. They may not be 100 percent effective, but they are a good temporary substitute while we update this article with a download URL for a decrypter.

Manually delete Philadelphia from your computer

Note! Important notice about the Philadelphia threat: Manual removal of Philadelphia requires interference with system files and the registry. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Philadelphia files and objects.
2. Find malicious files created by Philadelphia on your PC.
3. Fix registry entries created by Philadelphia on your PC.
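
A read-only way to carry out steps 2 and 3 from PowerShell, using only the indicators listed in this article (the Run value named Windows Update, Isass.exe in the profile folder, and the .locked extension). This is an added example, not part of the original article; the five-minute creation-time window used to spot the two randomly named files is an assumption.

```powershell
# Read-only triage for the indicators listed in this article; nothing is deleted.
$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName  = 'Windows Update'   # autostart value name reported in the article
$dropName   = 'Isass.exe'        # executable name reported in the article (capital I)
$profileDir = $env:USERPROFILE
$windowMin  = 5                  # assumption: dropped files are created together

# Step 3 (registry): is there a Run value called "Windows Update"?
$run = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($run) {
    $command = [string]$run.$valueName
    Write-Output "Run value '$valueName' -> $command"
    # An autostart entry that launches from the profile folder deserves a closer look.
    if ($command.IndexOf($profileDir, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        Write-Warning 'The autostart command points into the user profile folder.'
    }
} else {
    Write-Output "No '$valueName' value under $runKey."
}

# Step 2 (files): look for the executable directly in the profile folder.
$dropped = Join-Path $profileDir $dropName
if (Test-Path -LiteralPath $dropped) {
    $exe = Get-Item -LiteralPath $dropped -Force
    $sig = Get-AuthenticodeSignature -FilePath $dropped
    $sha = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    Write-Warning "Found $dropped (created $($exe.CreationTime), signature: $($sig.Status))"
    Write-Output  "SHA256: $sha"

    # Files created next to it at about the same time are candidates for the
    # two randomly named files the article mentions.
    Get-ChildItem -LiteralPath $profileDir -File -Force |
        Where-Object { $_.Name -ne $dropName -and
            [math]::Abs(($_.CreationTime - $exe.CreationTime).TotalMinutes) -le $windowMin } |
        Select-Object Name, Length, CreationTime
} else {
    Write-Output "$dropName not found in $profileDir."
}

# Scope of the damage: how many files carry the .locked extension?
$locked = @(Get-ChildItem -LiteralPath $profileDir -Recurse -File -Force -Filter '*.locked' -ErrorAction SilentlyContinue)
Write-Output "$($locked.Count) file(s) ending in .locked under $profileDir"
```

Review the output before changing anything; a confirmed entry and its files can then be deleted with Remove-ItemProperty and Remove-Item.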

Automatically remove Philadelphia by downloading an advanced anti-malware program

1. Remove Philadelphia with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Philadelphia in the future
3. Restore files encrypted by Philadelphia
Optional: Using Alternative Anti-Malware Tools

How to Find Decryption Key for Files Encrypted By Philadelphia Ransomware

We have made a tutorial that is as simple as possible to explain, in theory, how you could detect your decryption key.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
