Decrypt Files Encrypted by Pink Philadelphia Virus - How to, Technology and PC Security Forum | SensorsTechForum.com

Decrypt Files Encrypted by Pink Philadelphia Virus

This article is written to help you remove the Pink Philadelphia “YOU HAVE BEEN EXPOSED!” virus and decrypt your encrypted files for free.

A ransomware virus belonging to the Philadelphia family, which is believed to be part of the Stampado family, has been detected in the wild. The virus encrypts the files on the computers it compromises and then displays a pink ransom note accusing the user of watching illegal porn. It demands 0.05 BTC to be paid to a custom Bitcoin wallet and gives a 3-day deadline, with a “Russian roulette” function deleting a random file every 3 hours. The good news is that this virus is decryptable; if you have been infected, read this article to learn how to restore your encrypted files for free.

Pink Philadelphia Ransomware – More Information

Pink Philadelphia’s Distribution

Similar to the original Philadelphia ransomware variant, this variant is also believed to be distributed via fake letters attached to e-mails that are later sent to users on a massive scale. One of those letters was a fake notice from Brazil’s finance ministry:

The fake notice may be accompanied by an obfuscated JavaScript file that connects to a command and control server and then downloads Pink Philadelphia’s malicious payload onto the user’s computer.

Pink Philadelphia Virus – Malicious Activity Post-Infection

After the infection is complete, the Pink Philadelphia virus may drop its malicious files in several different folders. Some of the files have been identified as executables with random names, located in:

→ C:/Users/{UserProfile}/{random name}

Then, the Pink Philadelphia virus may create or modify multiple Windows registry value strings. One of the targeted Windows registry sub-keys is reported to be the following:

→ HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update
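A quick way to check that persistence location from a PowerShell prompt on the affected account, as an added example that is not from the article or from Emsisoft: it assumes the value name is exactly “Windows Update” under the HKCU Run key, as reported above, and it only reports what it finds (it removes nothing).

```powershell
# Added example (not from the article): inspect the HKCU Run key the article
# names for Pink Philadelphia and report where the "Windows Update" value points.
# Assumption: the value name is exactly 'Windows Update'; a clean profile
# normally has no such value under the per-user Run key.

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Windows Update'

function Test-PinkPhiladelphiaPersistence {
    $item = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $item -or -not ($item.PSObject.Properties.Name -contains $valueName)) {
        Write-Output "No '$valueName' value found under $runKey"
        return $null
    }

    $command = [string]$item.$valueName

    # Isolate the executable path: either the quoted first token or the first
    # whitespace-separated token of the command line.
    if ($command -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($command -split '\s+')[0] }

    # The article reports the dropped executable under C:\Users\{UserProfile}\{random name},
    # so a Run value pointing into the user profile is the suspicious case.
    $inUserProfile = $exe -like "$env:USERPROFILE\*"

    [PSCustomObject]@{
        ValueName     = $valueName
        Command       = $command
        Executable    = $exe
        FileExists    = Test-Path -LiteralPath $exe
        InUserProfile = $inUserProfile
    }
}

Test-PinkPhiladelphiaPersistence | Format-List
```

If the report shows a random-looking executable inside the user profile, note its path before proceeding with the removal steps below so the file itself can also be located.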

Then, the virus may begin to encrypt important files on the infected computer so that they can no longer be opened. It is most likely pre-configured to encrypt files with the following extensions:

→ .7z;.asp;.avi;.bmp;.cad;.cdr;.doc;.docm;.docx;.gif;.html;.jpeg;.jpg;.mdb;.mov;.mp3;.mp4;.pdf;.php;.ppt;.pptx;.rar;.rtf;.sql;.str;.tiff;.txt;.wallet;.wma;.wmv;.xls;.xlsx;.zip

Then, the virus drops its ransom note, which has the following content:

“YOU HAVE BEEN EXPOSED!
NOW listen to me,
I do not want to remind you of the moral or legal implications of unauthorized access to private information ,
like nude pics or downloading pornographic materials stolen from innocent people.
Read more about it under internet laws 18 U.S.C. 2257.
Encrypting your personal files is one step to proof that to you what will happen if you do not adhere to our advice.
Next line of action, We will delete 1 file every 3 hours from your PC.
Then, after 72 hours we will delete all of your files COMPLETELY including system and program files which we have already infected.
Your ransom fee is 49 USD, pay this and walk away unharmed forever. The two choices you have is to either pay the ransom or say goodbye to your current PC and all of your personal files that we have encrypted.
You will agree with me that 49USD is not an excessive outlay compared to the worth or value of your PC.
You can try to reformat your hard disk, but your machine ID is locked in your bios.
This means our malware on your PC will infect your new hard disk once again, when it’s plugged in.
Considering the pain of the victims of this iCloud hack, this ransom attack can serve as a therapy or lesson for you to get off the nudity/pornography habit.
So, if you don’t know where to buy Bitcoin, ask Google. If you care about buying bitcoin anonymously then ASK GOOGLE.
All the people on your contact list and server will get a notification that you have tried to access nude pics/porn, hence an Invitation to their mailbox.
Do not contact us if you are not paying; just throw your PC to the trash bin if you are not willing to pay the 49usd.
I hope this kind of therapy will teach you a lesson.
//PurplePR – Anti-theft Team (C)s.”

Fortunately, there is a decryptor developed by Emsisoft, and we have created instructions on how to remove the virus and how to decrypt files encrypted by Pink Philadelphia.

Philadelphia Ransomware – Removal and Decryption Instructions

Before deciphering your files with the tool, created by Fabian Wosar, a researcher from Emsisoft, we strongly recommend removing Philadelphia first. One way to do this is by following these removal instructions.

Manually delete Pink Philadelphia from your computer

Note! Important notice about the Pink Philadelphia threat: manual removal of Pink Philadelphia requires interfering with system files and registries, so it can damage your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in just 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Pink Philadelphia files and objects.
2. Find malicious files created by Pink Philadelphia on your PC.
3. Fix registry entries created by Pink Philadelphia on your PC.

Automatically remove Pink Philadelphia by downloading an advanced anti-malware program

1. Remove Pink Philadelphia with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Pink Philadelphia in the future

After you have removed Philadelphia ransomware, you can begin decrypting files. To do this, follow the steps below:

Step 1: Download Stampado Decrypter. Being a variant of the Stampado viruses, Philadelphia can be decrypted with EmsiSoft’s Stampado Decrypter. To download it for free, click on the button below and save it:

Download: Stampado Decrypter

Step 2: Open the decrypter and choose which files to be decrypted. This can happen by either choosing the volumes on your hard drive (C:\; D:\) or by clicking on the Add Folder button to add your important folders so that the process is faster.


Step 3: Click on Decrypt and enter the e-mail address and your identification number from the ransomware virus to help the decrypter determine the variant and the decryption key for Philadelphia ransomware. After this is done, go back to the “Decrypter” tab and repeat the same process to start decrypting files.

Be patient, as decryption may take some time. After each file is decrypted, you should see information about it in the decrypter.

Philadelphia Decryptor – Conclusion

After decrypting your files, make sure you save them on an external drive and make more than one backup. For a more professional approach to storing your data safely, please check the following article:

Related Article: Safely Store Your Important Files and Protect Them From Malware

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

