Philadelphia Ransomware Remove It and Restore Your Files - How to, Technology and PC Security Forum

A new variant of the Stampado ransomware, the Philadelphia virus, has been released to the public and uses the .locked file extension. The virus has been sold on deep web markets as an inexpensive tool that encrypts victims' files and makes them pay a ransom to get them back. Anyone who has access to the deep web forums can have the Philadelphia ransomware for just $400. This low cost makes ransomware even more accessible to anyone who wants to extort users for their files. The “sales page” of the virus advertises it as a sophisticated threat, but malware researchers are convinced that it is not as unbeatable as it looks. This is why anyone who has been infected by this virus is strongly advised to remove it using the instructions in this article and to wait for a decrypter to be released while trying alternative file restoration methods.

Threat Summary



Short Description: The malware encrypts users' files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
Symptoms: Philadelphia Ransomware leaves a ransom note and may delete random files from your computer if the terms in the note are not met. File names may be changed and various file extensions may be used.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files, and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Philadelphia Ransomware – Distribution Methods

Researchers at Bleeping Computer have reported that the virus is being sold in deep web forums and that its creator, The Rainmaker, has begun to distribute it and infected over 20 thousand victims within the first day of his campaign. This possibly points to very massive spam campaigns that aim to spread the malicious files of Philadelphia ransomware. One spam campaign has been reported to distribute a fake notice from Brazil’s Ministry of Finance.


The fake notice was accompanied by a web link or JavaScript that aims to automatically connect to the malicious server of the crook controlling the virus and download Philadelphia to infect the user's PC and encrypt the files. This technique is called a drive-by download because the malicious executable of the Philadelphia virus is automatically executed as soon as it has been downloaded.

Philadelphia Virus – In-Depth Analysis

As soon as this malware is executed on the victim’s computer, it may immediately drop its malicious files and automatically execute them. It leaves two randomly named files and one executable directly in the user’s profile folder:

  • C:/Users/{UserProfile}/{random name}
  • C:/Users/{UserProfile}/{random name}
  • C:/Users/{UserProfile}/Isass.exe

The virus also simultaneously modifies the Windows Update registry key to run the executable via the update service:

→ HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update

Then Philadelphia may begin to encrypt the victim PC’s files, without the user even batting an eye. The Philadelphia virus may use different ciphers on different types of files, but by default it is reported to encrypt the following types of files:

→ .7z;.asp;.avi;.bmp;.cad;.cdr;.doc;.docm;.docx;.gif;.html;.jpeg;.jpg;.mdb;.mov;.mp3;.mp4;.pdf;.php;.ppt;.pptx;.rar;.rtf;.sql;.str;.tiff;.txt;.wallet;.wma;.wmv;.xls;.xlsx;.zip

After encryption, the files can no longer be opened by any type of software. The files are given completely random names, and the .locked file extension is added.


The encryption which may be used by this ransomware is believed by the Emsisoft researcher Fabian Wosar to be a strong one, but the virus itself may be poorly coded, which would make it relatively easy to create a decrypter for it.
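
A read-only check for the indicators listed in this section (the Run value, Isass.exe in the profile folder, and .locked files), added here as an example and not taken from the original article or from any vendor tool. The function name Get-PhiladelphiaIndicator, the 5-minute creation window used to spot the two randomly named files, and PowerShell 4.0 or later are assumptions.

```powershell
# Added example: read-only triage for the indicators listed in this article.
# Nothing is deleted or modified. Requires PowerShell 4.0+ (Get-FileHash).
function Get-PhiladelphiaIndicator {   # hypothetical name, not from any product
    param(
        [string]$ProfilePath = $env:USERPROFILE,  # folder the article names as the drop location
        [int]$WindowMinutes = 5                   # assumption: dropped files are created together
    )

    # 1. Persistence: a value named "Windows Update" under the per-user Run key.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'Windows Update' -ErrorAction SilentlyContinue
    if ($run) {
        [pscustomobject]@{ Indicator = 'Run value "Windows Update"'; Detail = $run.'Windows Update' }
    }

    # 2. Dropped executable. The article spells it with a capital I ("Isass.exe"),
    #    so this never matches the genuine Windows binary lsass.exe.
    $exe = Join-Path $ProfilePath 'Isass.exe'
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        $item = Get-Item -LiteralPath $exe -Force
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        [pscustomobject]@{ Indicator = 'Dropped executable'; Detail = "$exe SHA256=$hash" }

        # 3. The two randomly named files: anything else in the profile root
        #    created within $WindowMinutes of the executable (heuristic).
        Get-ChildItem -LiteralPath $ProfilePath -File -Force -ErrorAction SilentlyContinue |
            Where-Object {
                $_.Name -ne $item.Name -and
                [math]::Abs(($_.CreationTime - $item.CreationTime).TotalMinutes) -le $WindowMinutes
            } |
            ForEach-Object {
                [pscustomobject]@{ Indicator = 'Created alongside executable'; Detail = $_.FullName }
            }
    }

    # 4. Encrypted files: exact .locked extension anywhere under the profile.
    $locked = @(Get-ChildItem -LiteralPath $ProfilePath -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.locked' })
    if ($locked.Count -gt 0) {
        $first = ($locked | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
        [pscustomobject]@{ Indicator = '.locked files'
                           Detail    = "$($locked.Count) files, earliest written $first" }
    }
}

Get-PhiladelphiaIndicator | Format-List
```

Record the reported path, SHA256 and earliest write time before removing anything, since they identify the sample and date the start of encryption.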

After encrypting the files, the Philadelphia ransomware also performs various other activities, such as dropping a ransom note to notify the user of the situation. The ransom note has the following content:

→“All your files have been encrypted!
All your documents (databases, texts, images, videos, musics, etc.) were encrypted. The encryption was done using a secret key that is now on our servers. To ecrypt your files, you will need to buy the secret key from us. We are the only on the world who can provide this for you.
What can I do?
Pay the ransom, in bitcoins, in the amount and wallet below. You can use to buy bitcoins.”

In addition to this, the Philadelphia ransomware also includes a so-called “Russian roulette” mechanism that deletes a random file on the user's computer after a random period of time if the requested ransom is not paid in Bitcoin. The ransom amount required by default is 0.3 BTC, but it may vary since the virus is sold to anyone who has $400.

Other features of the Philadelphia virus include a so-called “Philadelphia Headquarter”, a PHP-based user interface that detects all of the infected machines with their IP addresses, their operating systems, and their unique IDs. It also provides management tools, such as tracking the device on Google Maps, checking whether the ransom is paid, viewing detailed information, and showing the private password for decrypting the files. The interface even has a “Give Mercy” button that decrypts the files for free.


Remove Philadelphia Ransomware and Restore .locked Files

To restore the files enciphered by Philadelphia ransomware, you should first delete the virus from your computer. To perform this removal process, please follow the manual below. It is carefully designed to remove the virus so that no harm comes to the files. For better effectiveness, malware researchers also strongly recommend using advanced anti-malware software, since it should make sure that the Philadelphia virus is fully removed and that the computer is protected in the future as well.

To directly decrypt your files, we suggest following this article, since we expect a decryptor to be released soon by Emsisoft. In the meantime, you may want to try the decryption instructions posted after this article in step 3, “Restore files encrypted by Philadelphia”. They may not be 100 percent effective, but they are a good temporary substitute while we update this article with a download URL for a decrypter.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for the discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
