Stampado targets Windows OS and is currently being marketed to potential attackers as a “Ransomware-as-a-Service” opportunity on the Dark Web. The developers of this ransomware kit are selling lifetime licenses for $39 USD each and offering customers the ability to customize various elements of the malware. Stampado allows malicious files to be sent to victims in one of the following file formats: .exe, .bat, .dll, .scr, and .cmd. According to the developers’ video demonstration, Stampado does not require administrator privileges to run on victims’ machines, appends .locked to encrypted files, and gives victims 96 hours to pay the ransom before permanently deleting the decryption key. The ransom note displays two countdown timers – one displaying the amount of time remaining until the decryption key is deleted and one showing the “Next Russian Roulette file deletion” when the malware will randomly delete one file for every six hours the ransom goes unpaid.

UPDATE 9/2/2016: A new version of Stampado discovered by Emsisoft encrypts the files names of encrypted files, changing them to hex characters and appending the extension .locked to the new file name.

UPDATE 9/8/2016: Philadelphia Ransomware, a new version of Stampado, is now for sale on a dark web marketplace for $400 USD. It includes a fully customizable build, allowing attackers to create unique extensions to append to encrypted files, determine which folders will be searched for targeted file types, change the appearance of the file icon, edit the interface text, and add multiple languages. Other features include automatically detecting when a ransom payment has been made, displaying text in the appropriate language based on the victim’s system, User Access Control manipulation, and spreading the infection via connected USB drives and other computers residing on the network. The most unique feature is the inclusion of a “Mercy Button” to allow attackers to decrypt their victims’ files for free. A PHP script called “Bridges” is required for setup and Philadelphia Ransomware provides a client interface that allows attackers to manage multiple infections and encryption keys from their own systems.

UPDATE: 9/15/2016: Stampado now encrypts files that have already been encrypted by other ransomware variants, resulting in multiple layers of encryption. The tool listed below decrypts this version.

  • Heimdal Security provides more information about Stampado here.
  • Emsisoft provides a free decryption tool for Stampado, available here.
  • Emsisoft provides a free decryption tool for Philadelphia Ransomware, available here.

One example of the Stampado variant. Image Source: Heimdal Security