Decrypt Files Encrypted by Pink Philadelphia Virus

This article was created to help you remove the Pink Philadelphia “YOU HAVE BEEN EXPOSED!” virus and decrypt the encrypted files for free.

A ransomware virus that is part of the Philadelphia viruses, which are believed to be part of the Stampado viruses, has been detected in the wild. The virus encrypts the files on the computers it compromises and then displays a pink ransom note accusing the user of watching illegal porn. It then demands 0.05 BTC to be paid to a custom Bitcoin wallet and sets a 3-day deadline, with a Russian roulette function that deletes a random file every 3 hours. The good news is that this virus is decryptable. If you have been infected, read this article to learn how to restore your encrypted files for free.

Pink Philadelphia Ransomware – More Information

Pink Philadelphia’s Distribution

Similar to the original variant of Philadelphia ransomware, this variant is also believed to be spread via fake letters attached to e-mails that are later sent to users on a massive scale. One of those letters was the fake notice from Brazil’s finance ministry.

The fake notice may be accompanied by an obfuscated JavaScript file that connects to a command and control server and then downloads Pink Philadelphia’s malicious payload onto the user’s computer.

Pink Philadelphia Virus – Malicious Activity Post-Infection

After an infection is complete, the Pink Philadelphia virus may drop its malicious files in multiple different folders. Some of the files have been identified as executables with random names, located in:

→ C:/Users/{UserProfile}/{random name}

Then, the Pink Philadelphia virus may begin to create and modify multiple Windows registry value strings. One of the targeted Windows registry sub-keys is reported to be the following:

→ HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update
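
A defensive triage check for the two indicators above, as an added example that is not part of the original article or of the Emsisoft tool: it parses `reg query` output for the HKCU Run key and flags entries named “Windows Update” or pointing to an executable that sits directly in a user profile folder. The sample output, the user name alice and the file names are constructed, and treating “Windows Update” as the value name under Run is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Assumption: "Windows Update" (from the page) is the value name under ...\Run.
SUSPECT_VALUE_NAME = "windows update"
# One value line of `reg query` output: 4-space indent, name, type, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def command_target(data):
    """Return the program path from a Run command line, dropping any arguments."""
    m = re.match(r'"([^"]+)"|(.+?\.\w{2,4})(?=\s|$)', data.strip())
    return (m.group(1) or m.group(2)) if m else data.strip()

def in_profile_root(path):
    """True for a file directly under <drive>/Users/<profile>/ with no subfolder."""
    parts = PureWindowsPath(path).parts
    return len(parts) == 4 and parts[1].lower() == "users"

def triage_run_key(reg_query_output):
    """Return (value name, target, reasons) for Run entries matching the indicators."""
    findings = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name, target = m["name"].strip(), command_target(m["data"])
        reasons = []
        if name.lower() == SUSPECT_VALUE_NAME:
            reasons.append("Run value named 'Windows Update'")
        if in_profile_root(target) and PureWindowsPath(target).suffix.lower() == ".exe":
            reasons.append("executable directly in a user profile folder")
        if reasons:
            findings.append((name, target, reasons))
    return findings

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Windows Update    REG_SZ    C:\Users\alice\qzvkpt.exe
    Notes    REG_SZ    C:\Users\alice\Documents\notes.exe
"""

if __name__ == "__main__":
    for name, target, reasons in triage_run_key(SAMPLE):
        print(f"[!] {name} -> {target}: {'; '.join(reasons)}")
```

A flagged entry is a lead to investigate, not proof of infection; confirm the file before removing the Run value.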

Then, the virus may begin to encrypt important files on the infected computer so that they can no longer be opened. It is most likely pre-configured to encrypt files with the following file extensions:

→ .7z;.asp;.avi;.bmp;.cad;.cdr;.doc;.docm;.docx;.gif;.html;.jpeg;.jpg;.mdb;.mov;.mp3;.mp4;.pdf;.php;.ppt;.pptx;.rar;.rtf;.sql;.str;.tiff;.txt;.wallet;.wma;.wmv;.xls;.xlsx;.zip

Then, the virus drops its ransom note, which has the following content:

NOW listen to me,
I do not want to remind you of the moral or legal implications of unauthorized access to private information ,
like nude pics or downloading pornographic materials stolen from innocent people.
Read more about it under internet laws 18 U.S.C. 2257.
Encrypting your personal files is one step to proof that to you what will happen if you do not adhere to our advice.
Next line of action, We will delete 1 file every 3 hours from your PC.
Then, after 72 hours we will delete all of your files COMPLETELY including system and program files which we have already infected.
Your ransom fee is 49 USD, pay this and walk away unharmed forever. The two choices you have is to either pay the ransom or say goodbye to your current PC and all of your personal files that we have encrypted.
You will agree with me that 49USD is not an excessive outlay compared to the worth or value of your PC.
You can try to reformat your hard disk, but your machine ID is locked in your bios.
This means our malware on your PC will infect your new hard disk once again, when it’s plugged in.
Considering the pain of the victims of this iCloud hack, this ransom attack can serve as a therapy or lesson for you to get off the nudity/pornography habit.
So, if you don’t know where to buy Bitcoin, ask Google. If you care about buying bitcoin anonymously then ASK GOOGLE.
All the people on your contact list and server will get a notification that you have tried to access nude pics/porn, hence an Invitation to their mailbox.
Do not contact us if you are not paying; just throw your PC to the trash bin if you are not willing to pay the 49usd.
I hope this kind of therapy will teach you a lesson.
//PurplePR – Anti-theft Team (C)s.”

Fortunately, there is a decryptor developed by Emsisoft, and we have created instructions on how to remove the virus and how to decrypt files encrypted by Pink Philadelphia.

Philadelphia Ransomware – Removal and Decryption Instructions

Before deciphering your files with the tool created by Fabian Wosar, a researcher from Emsisoft, we strongly recommend removing Philadelphia first. One way to do this is by following these removal instructions


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
