Stampado targets Windows OS and is currently being marketed to potential attackers as a “Ransomware-as-a-Service” opportunity on the Dark Web. The developers of this ransomware kit are selling lifetime licenses for $39 USD each and offering customers the ability to customize various elements of the malware. Stampado allows malicious files to be sent to victims in one of the following file formats: .exe, .bat, .dll, .scr, and .cmd. According to the developers’ video demonstration, Stampado does not require administrator privileges to run on victims’ machines, appends .locked to encrypted files, and gives victims 96 hours to pay the ransom before permanently deleting the decryption key. The ransom note displays two countdown timers – one displaying the amount of time remaining until the decryption key is deleted and one showing the “Next Russian Roulette file deletion” when the malware will randomly delete one file for every six hours the ransom goes unpaid.

UPDATE 9/2/2016: A new version of Stampado discovered by Emsisoft encrypts the files names of encrypted files, changing them to hex characters and appending the extension .locked to the new file name.

UPDATE 9/8/2016: Philadelphia Ransomware, a new version of Stampado, is now for sale on a dark web marketplace for $400 USD. It includes a fully customizable build, allowing attackers to create unique extensions to append to encrypted files, determine which folders will be searched for targeted file types, change the appearance of the file icon, edit the interface text, and add multiple languages. Other features include automatically detecting when a ransom payment has been made, displaying text in the appropriate language based on the victim’s system, User Access Control manipulation, and spreading the infection via connected USB drives and other computers residing on the network. The most unique feature is the inclusion of a “Mercy Button” to allow attackers to decrypt their victims’ files for free. A PHP script called “Bridges” is required for setup and Philadelphia Ransomware provides a client interface that allows attackers to manage multiple infections and encryption keys from their own systems.

UPDATE: 9/15/2016: Stampado now encrypts files that have already been encrypted by other ransomware variants, resulting in multiple layers of encryption. The tool listed below decrypts this version.

UPDATE 4/6/2017: Austrian police arrested a 19-year-old teenager from Linz, Austria for infecting a local company with Philadelphia version of Stampado ransomware. Police believe the suspect purchased the Philadelphia ransomware creation kit from a seller on the dark web.

UPDATE 5/9/2017: Cybersecurity firm, ClearSky, encountered what they call a "very aggressive jabber spam campaign" that was openly advertising the Philadelphia ransomware kit. The URL listed in the spam leads to a website that also advertises the sale of Stampado ransomware, along with the following tools:

  • CyanoBinder - software that combines multiple files into one executable file
  • SkypeBomber - a tool that allows users to conduct Telephony Denial-of-Service (TDoS) attacks through Skype
  • V-Eye - a remote access trojan (RAT) that includes a keylogger and allows users to control a target system's webcam and mouse
  • RemoTV - software that bundles and opens a modified TeamViewer application on a target system and sends the login credentials back to the user
  • Mailer - a PHP script used for email spamming

Initial campaigns led security researchers to believe that Stampado's author was located in Russia. However, after additional research, ClearSky believes the person or people behind this campaign are based in Brazil.

UPDATE 5/13/2017: A new version of Stampado, dubbed Zelta, appends .locked to the names of encrypted files.

  • Heimdal Security provides more information about Stampado here.
  • Emsisoft provides a free decryption tool for Stampado, available here.
  • Emsisoft provides a free decryption tool for Philadelphia Ransomware, available here.

One example of the Stampado variant. Image Source: Heimdal Security