The ransomware market is booming and evidence of this is, unfortunately, abundant.

And because cryptoware is such a big segment of the malware economy, malware creators have to constantly release new “products” to keep their clients engaged and the money flowing.

Here’s just how a new ransomware family gets advertised on the forums where cyber criminals come to do their shopping.

Enter the new Stampado ransomware

You may not have heard of it, yet, but the odds are that it will soon be all over the news.

Stampado is a new ransomware family promoted through aggressive advertising campaigns on the Dark web.

Its creators are probably aiming to appeal to as many buyers as possible by pricing it well below their competitors in the ransomware-as-a-service market: just $39 for a lifetime license!

The sales pitch is straightforward and very enthusiastic:

Newest Ransomware in market!
Stampado Ransomware
You always wanted a Ransomware but never wanted to pay Hundreds of dollars for it?
– This list is for you! 🙂
Stampado is a cheap and easy-to-manage ransomware, developed by me and my team.

It’s meant to be really easy-to-use. You’ll not need a host. All you will need is an email account.

The rest of the ad follows the same approach.

The basic details provided in the advertisement indicate that Stampado has roughly the same functionality as CryptoLocker and other similar ransomware.

Another part of the advertisement emphasizes the flexibility that Stampado offers:

The file can be sent in the following formats: exe, bat, dll, scr, and cmd.

You can also use binders, packers and crypters (although it’s FUD – do NOT send it to VirusTotal or other online AV sites because they distribute it to AV companies – even when they say that they don’t. Prefer scanning yourself).

Once it infects a computer, Stampado will add the extension “.locked” to all kidnapped files.

Here is a printscreen of the cyber criminals’ ad on the Dark web, which underlines the key benefit:

Price is ONLY $ 39 for LIFETIME LICENSE!

[Screenshot: Stampado ransomware ad on the Dark web]

Taking it one step further, the creators behind Stampado have even uploaded a presentation video to YouTube, showing it in action.

A few extra details are mentioned in the video:

  • Stampado doesn’t need administrator privileges to infect computers (most ransomware doesn’t need system permissions to encrypt the data)
  • It gives the victims 96 hours to pay the ransom
  • And it includes an additional social engineering trick: if the ransom isn’t paid, Stampado will delete a random file from the victim’s PC every 6 hours.
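
As an added defensive example, not part of the original article: a small detector that flags any process appending “.locked” to many files within a short window, which is the renaming behaviour described above. The event-log format, the 60-second window and the threshold of five are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKED_SUFFIX = ".locked"        # extension the article says Stampado appends
WINDOW = timedelta(seconds=60)   # assumed detection window
THRESHOLD = 5                    # assumed appends per window that trigger an alert

# Constructed file-event log (hypothetical format): "<time> <pid> RENAME <old> -> <new>"
SAMPLE_EVENTS = r"""
2016-07-14T10:00:01 412 RENAME C:\Users\a\notes.txt -> C:\Users\a\notes.md
2016-07-14T10:00:05 733 RENAME C:\Temp\door.unlocked -> C:\Temp\door.locked
2016-07-14T10:02:00 2040 RENAME C:\Users\a\Docs\cv.docx -> C:\Users\a\Docs\cv.docx.locked
2016-07-14T10:02:03 2040 RENAME C:\Users\a\Docs\tax 2015.xlsx -> C:\Users\a\Docs\tax 2015.xlsx.locked
2016-07-14T10:02:07 2040 RENAME C:\Users\a\Pics\1.jpg -> C:\Users\a\Pics\1.jpg.locked
2016-07-14T10:02:10 733 RENAME C:\Temp\job.pid -> C:\Temp\job.pid.locked
2016-07-14T10:02:12 2040 RENAME C:\Users\a\Pics\2.jpg -> C:\Users\a\Pics\2.jpg.locked
2016-07-14T10:02:19 2040 RENAME C:\Users\a\Pics\3.jpg -> C:\Users\a\Pics\3.jpg.locked
2016-07-14T10:09:00 733 RENAME C:\Temp\job2.pid -> C:\Temp\job2.pid.locked
""".strip().splitlines()

def parse_event(line):
    """Return (time, pid, old_path, new_path) for a RENAME line, else None."""
    head, sep, new = line.partition(" -> ")
    parts = head.split(" ", 3)   # the old path may itself contain spaces
    if not sep or len(parts) != 4 or parts[2] != "RENAME":
        return None
    return datetime.fromisoformat(parts[0]), int(parts[1]), parts[3], new.strip()

def is_locked_append(old, new):
    """True only when the new name is the old name plus the suffix."""
    return new.lower() == old.lower() + LOCKED_SUFFIX

def detect(lines):
    """Map pid -> time at which it reached THRESHOLD appends inside WINDOW.
    Assumes the events arrive in chronological order."""
    recent, alerts = defaultdict(deque), {}
    for line in lines:
        event = parse_event(line)
        if event is None or not is_locked_append(event[2], event[3]):
            continue
        when, pid = event[0], event[1]
        hits = recent[pid]
        hits.append(when)
        while when - hits[0] > WINDOW:   # drop hits older than the window
            hits.popleft()
        if len(hits) >= THRESHOLD and pid not in alerts:
            alerts[pid] = when
    return alerts

if __name__ == "__main__":
    for pid, when in detect(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} reached {THRESHOLD} '{LOCKED_SUFFIX}' appends by {when}")
```

Matching on “old name plus suffix” rather than on any file ending in “.locked” keeps ordinary lock files and one-off renames from raising alerts.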

Although we know it’s wishful thinking, we can only hope that this ransomware family won’t spread to affect too many users. Unfortunately, given the details we just mentioned, the opposite might just happen.

The wisest thing that any user and organization can do is understand how ransomware acts and spreads, going beyond data encryption.

And just in case your data was actually encrypted by this ransomware, know that cyber security researchers have cracked the code and released a decryption tool for Stampado. Be sure to read a bit about how the process works, so you can get your data back safely, without irreversibly damaging it.

Once you’ve finally had that “a-ha!” moment, you’ll understand why anti-ransomware protection is important and why data back-ups are a must-have!

* This article features cyber intelligence provided by CSIS Security Group researchers.



Thank you for the excellent article. This bugs me in particular knowing that when I set up my own VPS for my own personal web and email servers, the spambots were flailing at it before it even had a DNS entry. What would have been considered protection equivalent to Fort Knox a few years ago seems more like Swiss cheese today. I feel as though I have to open only the ports which are absolutely necessary, encrypt most if not all of them somehow, block relaying on email, and then sit there and watch what comes in *anyway* constantly adjusting all the pattern matching so that you can block the spambots without locking yourself out. And then you have to go through the same pain for *everything*–database server, web servers themselves, make sure they’re running as a user rather than as root, cache most of it, block SQL insertion attacks, and if anyone breaks any rules multiple times, firewall them completely for a period of time, and so on. And by the time you have locked everything in the world down, you will have improved your environment to the point where it reaches a level worthy of being called “Swiss Cheese”.

I am beginning to think there must be a way to Dockerize these things and come up with a really secure image for each kind of micro-service and find a way to backup and journal the data so that if–no–when something gets zapped, someone can yank it aside for analysis, fire up a new container with the latest backup, and roll forward a journal to a time just prior to infection and be up and rolling in a flash while people examine the infected environment at their leisure in greater depth.

Thank you, Dan, for taking the time to share your experience. Indeed, security is a never-ending process, and we actually have an expert roundup coming up this very week on just this subject. I think you’ll find it worth your time. Keep an eye on the blog!

Scary. Glad you’re able to report Dark Web stuff to the surface.

Christian Rocquebrune on July 24, 2016 at 5:01 pm

I am not sure if I understood correctly. Do the sellers actually sell the piece of code or does it instead infect the buyers? Although that wouldn’t last very long…

The sellers are looking to sell malicious code to other cyber criminals who want to use it in cyber attacks.

Reported it to YouTube… Gone! Good on ’em

Andrew Williams on July 14, 2016 at 3:27 pm

It was disgusting how arrogant the person who made that video was. Security companies should buy the products off the dark web just to create protection against it. Yes, it’s unfortunate to pay them for their product, but $39 once is better than the extortion of money they receive from the product.

I agree, Andrew. This patronizing approach is infuriating, but do know that there are plenty of bright and driven people in the cyber security industry who are doing their best to stop these attacks. As for the people behind it, that’s why law enforcement institutions constantly work together with cyber security organizations to take down cyber criminal networks.

Any indicators to share???
