Stampado Ransomware Self-Propagates Across Your Network And USB Drives Encrypting Your Files

A cloud security outfit is warning that a new ransomware strain called Stampado has emerged from the underground market and is wreaking havoc on systems. What makes Stampado stand out from the crowd is that it is available on the dark web for only $39 with a full lifetime license. That makes it one of the least expensive and most accessible ransomware strains out there.

Don't be fooled by Stampado's low price tag: the ransomware strain is capable of doing big-time damage. As is often the case with malware, Stampado typically arrives on a system through spam emails or drive-by downloads. It installs itself in the %AppData% folder under the name scvhost.exe, a slight variation on the genuine Windows process name svchost.exe, and creates a registry entry so that it loads automatically.


Once Stampado finds its way onto a system, it's then capable of self-propagating and spreading in a worm-like fashion to other PCs on the same network. It also can make a copy of itself on removable drives and spread that way. Once a drive is plugged into an infected PC, it jumps on board immediately.

Stampado targets files with any of more than 12,000 file extensions for encryption. Once it has done so, the victim is told that a randomly selected file will be deleted every six hours until the ransom is paid, and that if no payment is made within 96 hours, all files will be deleted. These time limits are designed to create a sense of urgency among victims.

The situation is even worse for people who have already fallen prey to another ransomware strain. In such cases, Stampado goes ahead and encrypts the already-encrypted files a second time, which means the victim would have to pay two ransoms to restore their files to their original state.

The good news is that Stampado has already been cracked, so to speak. Anyone who finds themselves infected with Stampado will want to kill the process, remove the autostart entries from the system registry, delete scvhost.exe from the %AppData% folder (this requires a command prompt), and run the freely available decrypter program from Emsisoft to decrypt the files.
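The following PowerShell script is an added example, not code from the article or from Zscaler or Emsisoft. It checks a Windows host for the three artifacts the article names (a running process called scvhost.exe, a copy of scvhost.exe in %AppData%, and a registry autostart entry that launches it) and, with the -Remediate switch, applies the article's first three cleanup steps. The article does not say which registry key Stampado writes its autostart entry to, so checking the standard HKCU and HKLM Run keys is an assumption; decrypting the files is still left to the Emsisoft decrypter.

```powershell
# Added example (not from the article): report and optionally remove the
# Stampado indicators the article describes. Run from an elevated PowerShell.
# ASSUMPTION: the autostart entry lives in one of the standard Run keys; the
# article only says "a registry entry to load automatically".
param([switch]$Remediate)

$indicatorName = 'scvhost.exe'                      # lookalike of the real svchost.exe
$appDataPath   = Join-Path $env:APPDATA $indicatorName
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Properties that Get-ItemProperty adds itself; they are not registry values.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$findings  = @()

# 1. A running process with the lookalike name (Get-Process takes the name without ".exe").
$procs = Get-Process -Name 'scvhost' -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $findings += "Process $($p.Id) is running as $indicatorName ($($p.Path))"
    if ($Remediate) { Stop-Process -Id $p.Id -Force }
}

# 2. Autostart values whose command line references scvhost.exe.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($metaProps -contains $prop.Name) { continue }
        if ("$($prop.Value)" -match [regex]::Escape($indicatorName)) {
            $findings += "Autostart value '$($prop.Name)' in $key runs: $($prop.Value)"
            if ($Remediate) { Remove-ItemProperty -Path $key -Name $prop.Name }
        }
    }
}

# 3. The dropped binary in %AppData% (checked last so the process is stopped first).
if (Test-Path $appDataPath) {
    $findings += "Dropped file present: $appDataPath"
    if ($Remediate) { Remove-Item -Path $appDataPath -Force }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Stampado indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
    if (-not $Remediate) {
        Write-Output 'Re-run with -Remediate to stop the process, remove the autostart value and delete the file.'
    }
}
```

Without -Remediate the script only reports, which is the safer first run on a machine you are triaging; once the process and persistence are gone, the Emsisoft decrypter handles the encrypted files.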

Via: Zscaler