Stampado ransomware was first spotted in the wild in July 2016, but new variants of the malware have been spawned capable of self propagating and re-encrypting files previously locked up by other ransomware, and all for a rock bottom price on the dark web.
A new study by Zscaler on Stampado found the ransomware selling for $39, which included a lifetime license, making it one of the least expensive pieces of malware available, wrote Atinderpal Singh, Zscaler's ThreatLabZ's analyst. For that low, low price a cybercriminal wannabe obtains the ability to encrypt files using more than 1,200 file extensions, threaten victims to have their encrypted files deleted if they refuse to pay up and remain a persistent threat.
The good news is the ransomware can be cleaned out and files recovered without having to pay the ransom.
Singh noted the ransomware normally infects a device either through a spam email or drive by download and once ensconced in a computer attempts to camouflage itself as genuine Windows process (svchost.exe). The malware can also replicate itself to network and removable drives and can encrypt files that were previously encrypted by a different ransomware attack.
“It drops a copy of itself at [DrivePath]myDiskdrivers.exe with file attributes set to +SHR to hide itself, creates file [DrivePath]autorun.inf and creates shortcut files with the names of existing files pointing to malware executable, after hiding the original files. This will cause the malware executable to run when the user clicks on any shortcut file,” Singh said.
The double encrypted files may prove problematical for the victim. Even though the Stampado ransomware can be removed the initial encryption may prove harder to eliminate. Singh said this double encryption happens because Stampado targets the same file types favored by other ransomware families, such as Locky, Cerber and cryptolocker.
Once the encryption process is complete a ransom note appears at least one false claim. It states that every six hours that passes without payment will result in some files being deleted. Singh said the malware cannot follow through on this threat, adding the ransomware attempt to delete all the encrypted files after 96 hours without payment.
“Fortunately, in the case of Stampado, it is relatively easy to recover your files. We advise you not to pay the ransom, as it is possible to decrypt your files without doing so,” Singh wrote.
To properly clean out a computer one must run the command (REG DELETE HKCUSoftwareMicrosoftWindowsCurrentVersionRun /v "Windows Update"), then “Restart the system, run folowing command on command prompt to delete scvhost.exe from %AppData% folder and use the freely available decrypter by Fabian Wosar to decrypt your files.”