Austrian police bust the distributor of Philadelphia ransomware

Austrian police recently arrested and interrogated a 19-year old man from Linz[1], who is suspected of distributing Philadelphia ransomware virus[2]. The investigation was launched in September 2016 after several Upper Austrian companies fell victims to Philadelphia virus attack. One of the companies claims that the attacker urged to pay a ransom worth $400. However, the company refused to obey this order and chose to restore files from an older backup. It also filled out a criminal complaint with Austrian Federal Criminal Police Office, stating that the attack caused production losses worth of €3,000. Austrian police arrest a 19-year-old Philadelphia distributor

The Federal Criminal Police Office has set up a special commission – SOKO Clavis at the Cybercrime Competence Center to investigate ransomware cases[3]. SOKO Clavis currently has four employees in Austria, who take care of ransomware cases in Austria. Reportedly, the organization handles more or less 20 new cases per week. An investigation regarding this case led to a 19-year old teenager who used to live in Upper Austria, Linz and moved to Vienna later on. Police raided both apartments, and both of them provided physical evidence – computers and data storage mediums. The ongoing research reveals that the suspect had Philadelphia Headquarter software[4] installed on several computers, and although it hasn’t been confirmed officially, it is believed that further investigations can lead the investigators to a map of infected targets. Despite the evidence found on his computers, the young suspect denied accusations. After interrogation, he was released.

Philadelphia ransomware is known to be sold on the dark web forums, so experts believe that is how the suspect got his hands on this virtual extortion tool. Philadelphia, which is based on the infamous Stampado ransomware[5], can be purchased for approximately $400 and customized according to criminal’s needs. It provides a very user-friendly interface that allows one to customize a variety of options, including the text of the ransom note, extensions that will be added to encrypted files and enable/disable Russian Roulette, which can delete the desired amount of random user’s files in defined intervals. Despite that the virus’ customization panel provides a lot of options and Philadelphia virus seems to be polished to perfection and ready for distribution on a global scale, experts say that it is not as sophisticated as it looks like. A researcher from Emsisoft has already analyzed this ransomware and created Philadelphia decrypter, so victims attacked by Philadelphia ransomware should remove the virus and use the free decryption software instead of opening their wallets.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.

Contact Olivia Morelli
About the company Esolutions