"Bridges are the way victims and attackers get in touch in a distributed network. It's simply a PHP script that uses itself as a database (no MySQL or whatever needed, just PHP). Bridges store the clients' keys, verify payments and provide the victims' information to the headquarters safely. And they can be hosted on nearly any server: even hacked servers, shared hosting (free hosting works but it is not recommended as they can delete your account if it's not a fully functional website), dedicated or VPS (recommended for bigger attacks, although the requests are small and are only done a few times). As the bitcoin payment verification is done on the server side, by the bridge, there is no way to spoof it on the victim machine. Also, the distributed bridges network will grant better anonymity."

To infect a user, someone who purchases a license to Philadelphia for 400 USD must install the Bridge PHP scripts on their attack websites. At the same time, they need to install Philadelphia Headquarters on their own machine. That control panel allows them to communicate with each Bridge, which gathers information about each victim and stores the encryption key. Philadelphia Headquarters also comes with a "Give Mercy" button, which allows attackers to decrypt a specified user's files for free.
"Unless these bridges are stored on anonymous networks like TOR, they will most likely be discovered and taken down fairly quickly. As the addresses to these bridges are hard coded into the ransomware, once the bridge is disabled, a victim no longer has the ability to pay the ransom or decrypt their files. For this implementation to really work, an attacker would need to set up bridges using Tor, which increases the complexity of the setup."

Like other crypto-ransomware currently in circulation, Philadelphia targets removable drives and encrypts files based upon a list of approved file types before it loads up its ransom message.